Avoiding Pandemic Paranoia

Posted on 1, Dec | Posted by Billy Gordon Green, Jr. M.Ed., CPP, CHS

Twice during the past decade and a half, the specter of pandemic has been a cause for prudent worry in the public health sector, among business continuity planners, and certainly within the security community. Security professionals would not be tasked with reducing the impact upon the public or generally with providing for the continuity of operation for a large corporation, campus, or agency.

The security manager and planner would, however, be responsible for planning and implementing contingency security operations in the face of epidemic conditions or pandemic threat. The mission and role of the security department is ancillary to the direct mission of most all organizations. As such, the security planner is concerned with the effect that widespread disease would have on the ability of the security organization to fulfill its mission of protecting the personnel and assets of the parent organization.

The effects of a pandemic or epidemic upon an organization and subsequently on the security group depend on the business and mission of the larger entity. For instance, a healthcare facility such as a hospital would be impacted exponentially. Not only would the organization’s internal casualties make it harder to deliver services, the external client/customer system would be greatly expanded as the illness spreads through the population and they seek help from the healthcare provider. In the same way – although to a lesser degree – health care suppliers would see demand for products and equipment increase dramatically while they too were trying to cope with increased activity with a workforce affected by the disease.

The demand for security services in the chaotic conditions a pandemic or severe epidemic could create within the healthcare delivery system would be substantial. The threat would also be significantly increased as valuable and perhaps limited medical treatment and drugs become potential targets for crime or lead to possible breakdowns in public order in the clamor to receive lifesaving medical help. This may sound a little like a doomsday movie script, but security professionals and law enforcement authorities are fully aware that civilized society is held together by the thinnest of threads, and under the right conditions, they may fray or break completely.

Faced with all this, the security manager must respond with the necessary services and infrastructure to safeguard the parent organization, no matter what the business. As with planning for catastrophic emergencies, which a pandemic certainly is, there must be preparation to stand alone by predicting the impacts on the security organization and planning realistically to meet those needs in a contingency manner, with fewer people and little infrastructural support because those agencies and companies will be affected too.

It is not the security organization’s job to maintain business continuity or deliver services to the client or customer. It will be security’s job to protect those who will be trying to do so, while facing the same impediments. It will require a contingency plan that rebalances the integrated security formula toward non-human assets. It also will require an accurate assessment of the intensity and duration of the pandemic or epidemic.

All past pandemics have involved Influenza A viruses. These viruses that cause influenza are much more easily spread among larger groups in the population because of the nature of transmission as aerosols and the respiratory characteristic of the disease. Whether or not other viral and bacterial disease can become that virulent when confronted with modern medicine and public health practices remains to be seen. The experience with Ebola has suggested that while it is contagious, it may not have the capacity to spread like influenza has in the past. Time will tell. There are historical data and scenarios that can be examined and studied to identify and gauge the effects of widespread disease on healthcare, service, and production organizations. We can learn from history, hopefully so we do not have to repeat it. Security professionals do not treat disease, but we can study the effects it may have on the organizations and the population in order to prepare as best we can to provide the envelope around our organizations so that they can continue to function during the crisis.

As with any threat, the prudent security professional should research the threat and be familiar with the potential for such a threat developing. Historically, the development of pandemic or severe epidemic disease has a run-up period during which it becomes apparent that a problem is looming. It does not have the sudden onset of catastrophic weather or a terrorist attack. Forethought and modest advance planning will provide the foundation for more precise preparation and decisive response should the problem intensify.

The following sources can be used to better understand and prepare for this kind of emergency.

About Pandemics from Flu.gov – http://www.flu.gov/pandemic/about/
Pandemic Influenza from CIDRAP – http://www.cidrap.umn.edu/infectious-disease-topics/pandemic-influenza
Guidance on Preparing Workplaces for an Influenza Pandemic from OSHA – https://www.osha.gov/Publications/influenza_pandemic.html

Always prepare for the worst and hope for the best.

Managing Global Integration of Systems

Posted on 1, Nov | Posted by Kevin M. McQuade, CPP

During the last several years, we have seen many companies expanding within their own organization or through mergers and acquisitions. Growth of any kind challenges the expansion of systems utilized within the company or organization, such as network infrastructure, payroll systems, and other technology. One area that is always a challenge is the security systems that protect the organization. Card access and digital video systems manufactured today are designed so that they can grow exponentially as the company grows. The question is how to implement and oversee the installations of these systems at a regional, national, or global level.

There are security integration companies today that through their own expansions and mergers have a national or global footprint that can be utilized to assist an organization with the implementation of their security systems. What happens if the current system or systems being used by an organization are not supported by a large national or global integration company? The task becomes a lot tougher to assure that the same quality equipment and installation practices used in one facility are used throughout an entire organization.

One way to accomplish smooth security integration would be to assign an existing employee as a project manager. This individual should already be familiar with the security program. His or her tasks would be to:

  • find qualifying integration companies in each location where a new or upgrade installation might take place,
  • prepare design and standardization documents, coordinate with the IT department and other trades that would be involved,
  • attend coordination meetings (via conference call or in person),
  • perform installation reviews during the installation,
  • follow up on the record documentation once the project has been completed,
  • become familiar with and address any issues specific to the site including local codes, state regulations, or country requirements, and
  • perform their current duties.

Since most companies seem to be running as lean as possible, there probably is not a single person available that would be able to handle this. If this is the case, then what is the next option?

There are security integration companies that can offer some of these services through a network of companies on a regional or a national level, but not necessarily on a global level. This places a lot of responsibilities on the security integrator. What happens if the relationship between the security integration company and the organization takes a turn for the worse? What happens if the account manager leaves the security integrator? What happens if the security integrator is purchased by another company or changes their business model? You’re back to square one.

Another option would be to hire a company that understands security and security programs. What we have seen work well is organizations that can partner with a company that can handle all system integration at multiple sites. This company – which would not provide installation or service of any security equipment – would be product agnostic but knowledgeable on the organization’s systems. In addition, they would have the capability of providing a team of professionals that would divide and conquer all of the associated tasks and provide a Project Manager as a direct line of communication with the Security Director. Of course there is a cost associated with this; however, if the implementation of a large multi-regional new installation or upgrade does not go well, there is the potential that the costs and internal manpower to coordinate and correct any deficiencies could exceed the dollars spent to bring a company like this on board as part of the team.

If a large-scale security installation or upgrade is in the future for your organization, begin the planning early, assess exactly how the plan will be implemented, and designate who will do the work to assure that all goes smoothly.

The SaVE Component of the Clery Act

Posted on 1, Sep | Posted by Christine L. Peterson, CPP, ISP

Are You Ready for October 1, 2014?

According to the CDC, on average, 1 in 5 women (18.3%) and 1 in 71 men (1.4%) reported experiencing rape at some time in their lives. In a study of undergraduate women, 19% said that they experienced an attempted or completed sexual assault since entering college (Source: http://www.cdc.gov/violenceprevention/pdf/sv-datasheet-a.pdf). The victimization of college students is not new, and this article will not address whether the problem is getting better or worse. The issue is that dating violence, domestic violence, sexual assault (including rape but not limited to rape), and stalking are crimes. Beginning October 1, 2014, colleges and universities are required to meet new requirements of the Jeanne Clery Act. The Campus Sexual Violence Elimination Act (SaVE) component of the Clery Act will require institutions of higher learning to compile statistics for incidents of dating violence, domestic violence, sexual assault, and stalking. In addition, there are policies, procedures, training, and other programs that pertain to these incidents that must be included in an annual security report (ASR).

In this article we will provide the requirements of the Clery Act, the SaVE component, and Title IX requirements as they currently exist and hopefully provide college compliance personnel with information that they can utilize to meet the current requirements. The purpose of this article is to address administrators who are the key to an institution’s ability to meet the requirements of the Clery Act and its SaVE component.

The Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act (Jeanne Clery Disclosure of Campus Security Policy and Crime Statistics Act, 20 U.S.C.§ 1092(f)(2011)) is a federal statute requiring colleges and universities participating in federal financial aid programs to maintain and disclose campus crime statistics and security information. It is a requirement of the entire institution, not a requirement limited to the security department. This is an important distinction and one that too many college and university administrators fail to recognize and embrace. Until administrators recognize this distinction and put in place top-down responsibility and accountability for Clery Act compliance, institutions will be at risk.

A single event could lead to a full-scale investigation by the U.S. Department of Education (ED), applicable civil fines of up to $35,000 per violation, and potential loss of federal student financial aid programs. This is in addition to the potential damage to the reputation and brand of the school, potential lawsuits by victims and others, and a drop in applications. Yet we find that many colleges and universities are still confused by the requirements, especially as they relate to Clery geography and the identification and training of Campus Security Authorities (CSAs). Most institutions are making at least a basic attempt to meet the requirements but do not have the resources or training to understand or implement a program at anything greater than a cursory level. With the additional requirements under SaVE, this is only expected to get worse before it gets better. In addition, victims, legislators, and the President have made sexual violence on campuses a priority by sharing their experiences, creating task forces, and designing legislation. This will put more pressure on institutions to address the issues on a campus-by-campus basis and may lead to substantially greater penalties.

On March 7, 2013, President Obama signed the Violence Against Women Reauthorization Act of 2013 (VAWA) (Pub. Law 113-4), which, among other provisions, amended section 485(f) of the Higher Education Act (HEA), otherwise known as the Clery Act. The Clery Act requires institutions of higher education to comply with certain campus safety-related and security-related requirements. Notably, VAWA amended the Clery Act to require institutions to compile statistics for incidents of dating violence, domestic violence, sexual assault, and stalking and to include certain policies, procedures, and programs pertaining to these incidents in their annual security reports. It is intended to increase transparency about sexual violence on campuses, guarantee victims enhanced rights, provide for standards in institutional conduct proceedings, and provide the campus community with broader awareness and prevention educational programs (Source: https://www.federalregister.gov/articles/2014/06/20/2014-14384/violence-against-women-act).

The law is not in its final form as of the creation of this article. However, institutions are required to implement and have in place the required policy disclosures and programs related to SaVE no later than October 1, 2014. The collection of campus crime statistics as they relate to SaVE is currently in effect beginning with the 2014-2015 reporting period. Failure to collect and report statistics for domestic violence, dating violence, and stalking (as defined by VAWA) can result in civil penalties of up to $35,000 per violation for substantial misrepresentations of the number, location, or nature of crimes required to be reported, or for violation of any other safety or security-related provision of the HEA. In addition, violations can lead to the limitation or suspension of federal student aid eligibility or the loss of eligibility to participate in federal student aid programs.

A summary of the current proposed regulations, as published in the Federal Register on June 27, 2014, is as follows:

  • Require institutions to maintain statistics about the number of incidents of dating violence, domestic violence, sexual assault, and stalking that meet the proposed definitions of those terms.
  • Revise the definition of “rape” to reflect the Federal Bureau of Investigation’s recently updated definition in the UCR Summary Reporting System, which encompasses the several categories of sexual assault that are used in the UCR National Incident-Based Reporting System.
  • Revise the categories of bias for the purposes of Clery Act hate crime reporting to add gender identity and to separate ethnicity and national origin into independent categories.
  • Require institutions to provide and describe in their annual security reports primary prevention and awareness programs to incoming students and new employees. These programs must include: A statement that the institution prohibits the crimes of dating violence, domestic violence, sexual assault, and stalking; the definition of these terms in the applicable jurisdiction; the definition of consent, in reference to sexual activity, in the applicable jurisdiction; a description of safe and positive options for bystander intervention; information on risk reduction; and information on the institution’s policies and procedures after a sex offense occurs;
  • Require institutions to provide and describe in their annual security reports ongoing prevention and awareness campaigns for students and employees. These campaigns must include the same information as in the institution’s primary prevention and awareness program;
  • Define the terms “awareness programs,” “bystander intervention,” “ongoing prevention and awareness campaigns,” “primary prevention programs,” and “risk reduction.”
  • Require institutions to describe each type of disciplinary proceeding used by the institution; the steps, anticipated timelines, and decision-making process for each type of disciplinary proceeding; and how the institution determines which type of proceeding to use based on the circumstances of an allegation of dating violence, domestic violence, sexual assault, or stalking;
  • Require institutions to list all of the possible sanctions that the institution may impose following the results of any institutional disciplinary proceedings for an allegation of dating violence, domestic violence, sexual assault, or stalking;
  • Require institutions to describe the range of protective measures that the institution may offer following an allegation of dating violence, domestic violence, sexual assault, or stalking;
  • Require institutions to provide for a prompt, fair, and impartial disciplinary proceeding in which (1) officials are appropriately trained and do not have a conflict of interest or bias for or against the accuser or the accused; (2) the accuser and the accused have equal opportunities to have others present, including an advisor of their choice; (3) the accuser and the accused receive simultaneous notification, in writing, of the result of the proceeding and any available appeal procedures; (4) the proceeding is completed in a reasonably prompt timeframe; (5) the accuser and the accused are given timely notice of meetings at which one or the other or both may be present; and (6) the accuser, the accused, and appropriate officials are given timely access to information that will be used after the fact-finding investigation but during informal and formal disciplinary meetings and hearings.
  • Define the terms “proceeding” and “result.”
  • Specify that compliance with these provisions does not constitute a violation of section 444 of the General Education Provisions Act (20 U.S.C. 1232g), commonly known as the Family Educational Rights and Privacy Act of 1974 (FERPA).

The proposed regulations would (Source: https://www.federalregister.gov/articles/2014/06/20/2014-14384/violence-against-women-act):

  • Add and define the terms “Clery Geography,” “dating violence,” “domestic violence,” “Federal Bureau of Investigation’s (FBI) Uniform Crime Reporting (UCR) program (FBI’s UCR program),” “hate crime,” “Hierarchy Rule,” “programs to prevent dating violence, domestic violence, sexual assault, and stalking,” “sexual assault,” and “stalking.”
  • Require institutions to address in their annual security reports their current policies concerning campus law enforcement, including the jurisdiction of security personnel, as well as any agreements, such as written memoranda of understanding between the institution and police agencies, for the investigation of alleged criminal offenses.
  • Require institutions to address in their annual security reports their policies to encourage accurate and prompt reporting of all crimes to the campus police and the appropriate police agencies when the victim of a crime elects to or is unable to make such a report.
  • Require institutions to provide written information to victims about the procedures that one should follow if a crime of dating violence, domestic violence, sexual assault, or stalking has occurred, including written information about the preservation of evidence, how and who to report offenses to, victim’s options for support by local law enforcement and campus authorities and victim’s rights and the institution’s responsibilities regarding order of protection or similar orders issued by a court or institution.
  • Require institutions to address in their annual security reports how the institution will complete publicly available recordkeeping requirements, including Clery Act reporting and disclosures, without the inclusion of identifying information about the victim;
  • Require institutions to address in their annual security reports how the institution will maintain as confidential any accommodations or protective measures provided to the victim, to the extent that maintaining such confidentiality would not impair the ability of the institution to provide the accommodations or protective measures.
  • Require institutions to specify in their annual security reports that they will provide written notification to students and employees about existing counseling, health, mental health, victim advocacy, legal assistance, visa and immigration assistance, and other services available for victims both within the institution and in the community.
  • Require institutions to specify in their annual security reports that they will provide written notification to victims about options for, and available assistance in, changing academic, living, transportation, and working situations and clarify that the institution must make these accommodations if the victim requests them and if they are reasonably available, regardless of whether the victim chooses to report the crime to campus police or local law enforcement.
  • Require institutions to specify in their annual security reports that, when a student or employee reports to the institution that the student or employee has been a victim of dating violence, domestic violence, sexual assault, or stalking, whether the offense occurred on or off campus, the institution will provide the student or employee a written explanation of the student’s or employee’s rights and options.
  • Require institutions to maintain statistics about the number of incidents of dating violence, domestic violence, sexual assault, and stalking that meet the proposed definitions of those terms.
  • Revise the definition of “rape” to reflect the FBI’s recently updated definition in the UCR Summary Reporting System, which encompasses several categories of sexual assault that are used in the UCR National Incident-Based Reporting System.
  • Revise and update the definitions of “sex offenses,” “fondling,” “incest,” and “statutory rape” in Appendix A to subpart D of part 668 to reflect the FBI’s updated definitions.
  • Emphasize that institutions must, for the purposes of Clery Act reporting, include in their crime statistics all crimes reported to a campus security authority.
  • Clarify that an institution may not withhold, or subsequently remove, a reported crime from its crime statistics based on a decision by a court, coroner, jury, prosecutor, or other similar non-campus official.
  • Specify that Clery Act reporting does not require initiating an investigation or disclosing identifying information about the victim.
  • Revise the categories of bias for the purposes of Clery Act hate crime reporting to add gender identity and to separate ethnicity and national origin into independent categories.
  • Specify how institutions should record reports of stalking, including how to record reports in which the stalking included activities in more than one calendar year or in more than one location within the institution’s Clery Act-reportable areas, and how to determine when to report a new crime of stalking involving the same victim and perpetrator.
  • Create an exception to the requirements of the Hierarchy Rule in the UCR Reporting Handbook for situations in which an individual is a victim of a sex offense and a murder during the same incident so that the incident will be included in both categories.
  • Clarify that an institution must withhold as confidential the names and other identifying information of victims when providing timely warnings.
  • Implement the requirements pertaining to an institution’s educational programs to promote the awareness of dating violence, domestic violence, sexual assault, and stalking by requiring specific information about awareness campaigns, programs, policies and procedures, and definitions be included in the annual security report that they publish annually.
  • Implement requirements pertaining to an institution’s procedures for campus disciplinary action in cases of alleged dating violence, domestic violence, sexual assault, or stalking.
  • Prohibit retaliation by an institution or an officer, employee, or agent of an institution against any individual for exercising their rights or responsibilities under any provision under the Clery Act.

Legislation is written as a response to a problem that is not being addressed appropriately. Assigning roles and responsibilities for compliance is the first step, but an effective program will require a comprehensive and coordinated effort that includes people, processes and technology – as does any security program. Training and gap analysis will be an on-going requirement to the development of a compliant program and a safer campus for all students and employees.

On the surface the new requirements under SaVE look onerous, but just as in the case of the earlier version of the Clery Act, there are specific components that support each other and begin with the policy statements. The 2013 amendment is expected to raise the level of response and prevention of sexual violence in institutions of higher learning by raising awareness, increasing transparency, and providing for accountability. The framework of the new requirements provides for victims’ rights, conduct proceedings, and education programs and has the support of bipartisan legislation and victims who are currently working to increase the current penalties for non-compliance.

In today’s environment the consensus is that the threat of lost funding and imposition of $35,000 fines per violation are not driving compliance. Legislators now explore the possibility of imposing new penalties including fines of up to $150,000 per violation or up to 1% of the institution’s operating budget.

Is your institution ready for October 1, 2014? Can it afford not to be?

The Difference Between Safety and Security

Posted on 15, Jul | Posted by Christine L. Peterson, CPP, ISP

Maslow’s Hierarchy of Needs begins with humanity’s most basic needs and builds from there until we reach our most satisfied self. After our most basic physical needs (air, food, water, sleep), the need for safety is the second most critical stage to our wellbeing. Whether or not we believe in Maslow’s theory, we can all agree that on its surface this makes sense, whether we are talking about ourselves, our families, our businesses, or our community.

This concept also illustrates a dilemma that many clients face when developing a security program that protects its people, reputation and other assets. What is safety? What is security? Are they synonymous words and concepts? What difference does it make?

Let’s start with an accepted definition. According to the Webster’s Collegiate Dictionary, safety is “the condition of being safe from undergoing or causing hurt…to protect against a failure, breakage or hurt…a device that prevents a piece of military apparatus from being fired accidentally.” The same reference defines security as “A quality or state of being secure…free from fear or anxiety…protection…to make safe…guard or shield…to relieve from exposure to danger.” They sound almost the same, but they are not. Safety measures are created to protect people and property from injury or loss by circumstance, accident, or negligence. Security measures are created to protect people and property from injury or loss by deliberate actions taken by people.

In our world, safety events happen by accident while security events happen on purpose. The difference is people and intent. People cause security events, and a security program must provide effective guardianship to protect the people, reputation, and infrastructure of your organization. This distinction is critical to understanding the role security must play in your organization and how an effective security program is a comprehensive blending of people, processes, and technology.

Have you ever wondered why there are so many safety regulations and organizations – such as OSHA, FDA, EPA, and others – and yet very few security-related regulations? It’s all about people and intent. People with fiduciary responsibility – governments, management, and leadership – have a moral responsibility to plan for and protect constituents from circumstance, accident, or negligence. As an economy based on a free market, our success is based on the decisions we make every day with the overall objectives of growth, profitability, sustainability, and possibly legacy. Security is a loss-driven and litigation-driven industry that relies on foreseeability, industry standards, and the real possibility of significant economic loss. If there is a moral responsibility in the security arena, it is to the owners, employees, and customers.

Most businesses include a diverse cross-section of people, including employees, contractors, customers, guests, community partners, and others. In addition to the human assets of the organization, there are hard and soft assets that are critical to its operation. Hard assets include buildings, equipment, and supplies; soft assets include reputation, personal information, and research. Effective security programs are a comprehensive blending of the people, processes, and technology in a manner that enhances operations and supports the culture. Programs need to be based on “real” threats, the probability of those threats becoming reality, and the threat to the organization if individual threats are realized.

Too often security programs are viewed as overhead costs to the organization, but that is misleading. Security programs are actually money retainers for an organization. They allow the organization to retain the dollars that would have been lost due to turnover, poor morale, internal and external theft and misappropriation, sabotage, industrial espionage, and other deliberate actions that a sound security program seeks to prevent.

From Maslow’s hierarchy of needs, there is little question that safety as a state of being is critical to each of us individually and collectively. When the term “safety” is used as a generic term for security, it changes the dynamic and challenges management’s ability to put in place the best countermeasures to change the behaviors of persons intent on causing injury or loss to company assets. The differentiation is important and often misunderstood by management and even practitioners. Safety professionals require a distinct set of skills and knowledge with the intention of preventing injury or loss due to circumstance, accident, or negligence. Although security is also the prevention of injury or loss, it is predicated on the fact that there is a desirable asset, a motivated person who wants that asset, and the perception by that motivated person that there is a lack of guardianship over the asset. This defense requires a very different set of skills and experience. Rarely can one person possess the breadth of skills and experience to effectively manage both safety and security. If one program is going to suffer, it is usually security because legislation drives safety.

A typical organization loses 5% of revenue per year according to the Association of Certified Fraud Examiners, 2012 Report to the Nations on Occupational Fraud and Abuse. What is the effect on your organization?

Asset + Desire + Opportunity = Loss and/or Injury


The “Fractional” Security Manager

Posted on 12, Mar | Posted by Martin F. Coolidge

The “Fractional” Security Manager: A Cost Effective Approach to Managing Security

I have met with a large number of business leaders – especially in small business – over the years because of security issues they faced such as internal theft, threat to executives, employee malfeasance, compliance issues, or other security problems. These issues turned into the need for an investigation and/or an assessment to determine what happened and how to prevent future incidents. What I have observed is that most of these problems could have been prevented through the use of sound security practices. The lack of a competent security plan is usually due to lack of industry knowledge and typically due to the lack of a security manager. By security manager, I mean someone dedicated to the position, not someone simply appointed as such, which seems to be common in many small to medium-sized companies.

Security events are not accidental but are the deliberate actions of employees and/or non-employees who have the motivation to take or destroy an asset because they perceive there is no guardianship over that asset. They often take place without warning, requiring quick-minded response. Sometimes security events can develop from minor issues and failures – security events that might have been avoidable with proper security controls in place.

Security is also about people. It’s not about whether a tree branch may fall onto a roof; it’s about how that tree branch is making it easier to gain access to the roof. It’s about deterrence, target hardening, proactively seeking out security lapses and addressing them, properly investigating the incidents that do occur to resolve them, and identifying and installing safeguards to prevent future such incidents. It includes making security a part of company culture. For this to occur, there has to be a competent level of knowledge of current security issues and practices.

If security is not of high importance to a company, it can expect that some people – employees included – will take advantage of them because they are vulnerable. We have seen high-paid executives steal hundreds of thousands of dollars from their employer because the security lapse was so significant it was too inviting to pass up.

A good security program can reduce a company’s exposure to loss, help make risk more manageable, and increase the safety of employees and visitors. However, a good security program needs an effective security manager. For some companies, this is often not practical. For many small businesses, physical security is limited to the obvious: locking doors at night, installing a few CCTV cameras, and installing intrusion alarms. Unfortunately for many of these companies, this is the extent of their security program, making them more vulnerable and more prone to an incident. Many of them already have a security issue in progress and are not even aware of it.

One approach for a small business is to utilize an existing manager or supervisor and then add security duties to that person’s job description, with or without additional salary. However, a title does not bring industry knowledge and it is not what builds a proper security program. There are too many variables in play to expect a job description to create effective security solutions that protect your company’s assets and economic advantage. A security manager is someone educated, trained, and experienced in applying the principles of security, not a human resource representative that took a few “security” courses. To believe otherwise is to not take security seriously.

Another approach is to hire a security manager with the education, training, and experience to create an effective security program. A security manager can help make a business run more efficiently because security issues are addressed before they become problems, employees and vendors know someone is watching, and problems like workplace violence and internal theft can be minimized. While this is a common business practice for larger companies, it is not cost effective for smaller businesses, whose bottom line is usually fairly thin. Every company could benefit by employing a security manager – some just cannot afford to do so. A security manager is likely to cost around $100,000 per year or more with salary and benefits. This cost is absorbed in large business settings where losses could easily total much more than that. An alternative is to find a security manager willing to work part-time, but it is rare to find someone with the requisite skill-set willing to work part-time. It is difficult enough to find a full-time security manager who individually possesses the expertise necessary to effectively manage all of the aspects of a comprehensive security program.

There is a third approach: “lease” a security manager through a professional service agreement (PSA). This is accomplished by contracting with a security consulting company that can provide a security manager with the education, training and experience needed to competently fulfill the position. In our current economy, many companies are switching to “fractional” titles to save money. A PSA provides an economical and efficient solution to security management needs. It is economical because the cost is a fraction of what it costs to employ a full-time, salaried security manager. It is efficient because a company pays only for the time expended on security-related matters as directed by the company, unlike a full-time security manager that is paid 40 hours per week regardless of how the time is used. Under a PSA a company does not pay a full-time salary and does not pay benefits. With a “leased” security manager the company gets the services of a security professional that can conduct professional security assessments, provide loss control, oversee installation of technology, interview employees, create policies, assist HR during terminations, conduct pre-employment background screening, escort individuals from company property, investigate incidents, liaise with law enforcement when necessary, and provide any other security-related function deemed necessary by the company. Similar to a security manager, the “leased” security manager works for and at the direction of the company. Under a PSA model, companies have a security manager who has “real world” experience. The PSA is tailored to create an effective security program, to fit the company’s culture, and to be cost effective and sustainable.

Another benefit of a PSA agreement is that, depending on the “leasing” organization, the company gets the investigative and administrative support that complements a security and investigations program. This is something large companies with security managers rarely have. With the right organization, the company retains an entire division of security and investigations professionals at their disposal complete with security experts, design experts, and former police investigators, complete with thousands of hours of professional law enforcement, security and military training.

So how does a PSA work? Each PSA is tailored to meet the needs and budget of each individual company. It starts with an evaluation of security needs based on current security posture, trends in the community, company history, vulnerability and exposure, industry, annual hiring rate, and interviews with company officials. A minimum monthly rate that fits the company’s budget – the base rate – is agreed on for which time and expenses are incurred. Services are anything related to security that a company requests, such as workplace violence and other training programs, internal and external investigation, employee investigation, outplacement of terminated employees, background investigations, security assessments, threat assessments, policy development, review/check security systems operations, card readers/keypad systems, CCTV, oversee installation of new systems, creation of security related documents, reports and logs, and many other services. PSAs not only help businesses achieve effective security solutions but they can also be used to provide training and expert security consulting to existing security directors and security managers.

Failure to properly address security is like driving without insurance: you’re gambling your personal worth on a hope that a mistake is not made by you or someone else. Most likely that failure is driven by company economics. With a fractional security manager under a PSA, security management can not only be achieved, it is cost-effective.


Kevin McQuade Attends AMAG’s Security Engineering Symposium

Posted on 4, Mar | Posted by RMA

Kevin McQuade attended AMAG Technology’s Security Engineering Symposium (SES) held February 28-March 3, 2014 in Tampa, Florida at the Saddlebrook Resort. AMAG Technology invited the industry’s top consultants to learn more about AMAG’s product solutions and to engage in conversations about trends, end user expectations and partner integrations. AMAG introduced several new products that will be launched at ISC West, reviewed the product roadmap and displayed an integrated security solution that included all the technology partners who sponsored the event. Interactive break-out sessions offered an in-depth look and opportunity for further discussion about these topics.

AMAG Technology’s Symmetry Access Control and Video Solutions can be found in a wide spectrum of markets: government, commercial, education, transportation, healthcare, utilities and banking. Based out of Torrance, California with sales and support located throughout the US, AMAG sells its Symmetry Product Portfolio of access control and network video systems through its Symmetry Authorized Resellers throughout North America. AMAG Technology has been at the leading edge of access control technology for over 40 years, and is part of G4S, the world’s largest security solutions provider.


Perimeter Security

Posted on 14, Nov | Posted by William F. Booth, CPP

Every security program must be an integrated whole and each element must grow out of the specific needs dictated by the circumstances affecting the facility to be protected. Nevertheless, the first and basic defense is still the outer perimeter of the facility. Planning this defense is neither difficult nor complicated, but it is the product of common sense. Whereas the engineering and design of an electronic security management system requires particular sophistication and expertise, the implementation of an effective physical security program is the result of conventional wisdom and a lot of legwork expended during a security assessment.

A basic security concept is to design a series of layers so that highly protected assets are within a configuration of multiple barriers. Barriers are commonly utilized to discourage three types of penetration – accidental, by force, and by stealth. A properly installed barrier should clearly warn a potential penetrator to “Keep Out”. There should be no accidental or inadvertent penetration.

Barriers may be divided into two general categories – natural and structural. Natural barriers include terrain difficult to traverse and other topographical features that assist in impeding or denying access to an area. Structural barriers are manmade and include landscaping, ditches, fences, and walls. A structural barrier physically and psychologically deters or discourages the undetermined, delays the determined, and channels the flow of authorized traffic through proper entrances.

The most common type of structural barrier normally used for protection is a chain link fence. Fencing an area will only delay, not permanently prevent, an entry attempt. Therefore, fencing must be supplemented or enhanced by other countermeasures such as signage and security patrols. Nevertheless, a fence can be a valuable element in an integrated protection scheme.

Any barrier utilized must be supplemented or enhanced by other countermeasures such as signage. In keeping with this philosophy to be a “good neighbor” and have an open campus environment for lawful and undisruptive use, a signage program to clearly define the expectations of the administration should be deployed. Two categories of signs, the command sign and the informational sign, are predominantly used. Command signs tell people what to do or not to do. Examples are “No Trespassing”, “No Admittance”, and “Visitors must register at the front office.” Informational signs may alert the reader to a potential danger or give other information. Examples are “Hazardous Materials” and “No Smoking”.

Vegetation and Crime Prevention Through Environmental Design (CPTED)

In security applications the concept of Crime Prevention through Environmental Design is one that is prominently used. The concept emphasizes that lighting, vegetation management, traffic flow, pedestrian flow, and other physical attributes can be manipulated to lessen the opportunity of a crime-related event occurring in a particular location.

Security industry standards suggest that foliage be trimmed to allow for casual surveillance. Tree limbs should be trimmed seven feet from the ground and shrubbery trimmed to 24 inches high.

Building Perimeter

Another layer of security continues with building access control. An excellent tool to control access requires the determination, not less than annually, of the minimum number of exterior doors that should be unlocked at any given time. Whenever possible, it should be the policy to manage access by utilizing only those exterior doors that are practical and/or absolutely necessary to the day-to-day operation.


RMA Completes Security Assessment of RTP

Posted on 18, Sep | Posted by RMA

Risk Management Associates, Inc. has completed a security assessment of Research Triangle Park. The Research Triangle Foundation has developed and is in the process of implementing a new master development plan for the Research Triangle Park (RTP) community. As a critical component of that plan, the foundation decided to conduct a security assessment to provide stakeholders with the current security posture of RTP. A security assessment is one of the most cost effective means to assess the current security people, processes, and technology that are in place today and plan for the security needs of the community moving forward.

The Research Triangle Park is home to more than 170 global companies – including IBM, GSK, Syngenta, RTI International, Credit Suisse, and Cisco – that foster a culture of scientific advancement and competitive excellence. RTP is located between three major universities: Duke University in Durham, North Carolina State University in Raleigh, and the University of North Carolina at Chapel Hill.

Through five decades, the Park still holds to its founders’ aspirations: to generate economic activity, engage the talents of local graduates and citizens and carry North Carolina forward to ever-greater prominence and prosperity.


Jerry Blanchard Attends Paradigm 2013

Posted on 19, Aug | Posted by RMA

Jerry Blanchard was invited to attend Paradigm 2013, a specifier technology symposium held by Lenel.

Paradigm, Lenel’s annual consultant symposium, is a unique experience that is educational, interactive, and fun! Through presentations, demonstrations, and hands-on training sessions consultants become familiar with Lenel’s latest technologies and learn what’s coming next. In addition, roundtable discussions will provide an opportunity to offer feedback directly to the Lenel team. Lenel partners will also be on hand to showcase how their products integrate with the Lenel platform and together create a comprehensive security solution.

Topics and activities:

  • OnGuard and Prism demonstrations
  • Casi and Infographics system migrations to OnGuard program
  • Sneak peek of the new Lenel Certification Program
  • Overview of the new Lenel & Interlogix organization

Stealing on the Way Out

Posted on 12, Aug | Posted by Russell W. Gilmore, CISSP, CISM, EnCE

Having to terminate an employee is never easy. To make the process even more difficult, consider the recent survey conducted by Harris Interactive on behalf of Courion which stated that 19% of employees age 18 to 34 would take company data with them if they knew they were about to be fired.

Depending on the employee’s position at the company, the termination process could be quite cumbersome. Before terminating an employee, it is good to think about their role in the company and what they have access to or control over. Each situation is different and should not be handled in a cookie-cutter fashion. Terminating the IT manager will involve different issues than terminating a sales person.

What steps can you take to minimize risk? Strong policies and procedures are a good starting point. If an employee knows that severe repercussions may result for data theft, he or she may decide against the theft.

As we’ve said before, there are opportunities for companies to preserve data and protect themselves prior to the termination process or as part of the termination procedure itself (When Employees Leave Data Should Stay). When it is evident that an employee must be terminated, steps should be taken to image the computer or devices used by the employee, even if a future computer forensic analysis is not needed. It may even be beneficial to image the computer prior to termination and again after termination. I have often been called to recover data deleted by an employee after they have learned of their impending termination.

As a consultant, I have assisted in a number of terminations, and they are all different. Proper preparation and forethought will not only benefit the company but protect the employee as well.
