A Company Model for Developing Policies and Procedures

Posted on 1, Jun | Posted by Christine L. Peterson, CPP, ISP

While attending the NCMS Carolinas Chapter meeting at Cisco Systems recently, I saw a presentation by Mark Whitteker, MSIA, CISSP, ISP. Mark comes out of the IT security world, so most of his presentation focused on IT security. He also presented a segment on Building a Comprehensive Security Architecture Framework that might benefit all of us. What Mark shared with the group is a pragmatic approach to creating and updating policies and procedures that could be used by any organization. When implemented, this process creates a customizable framework that will allow organizations the stability to prosper.

In general, policies establish the strategic objectives and priorities of an organization. They set the standards and expectations for the population. From a security perspective, they are a powerful tool because they identify roles and responsibilities and provide for accountability. Policies establish responsibilities and expectations for every population within an organization. This should include all employees, contractors, visitors, and any other personnel on site. As is demonstrated in Mark’s flow chart below, procedures are developed much later in the process. Procedures are the detailed implementation instructions for individuals to carry out the policies. They are often presented as forms or as lists of steps to be taken.

Why is this so important from a security perspective? All security events are caused by people who intentionally do something to obtain, injure, or destroy an asset, or unintentionally do something due to lack of knowledge or understanding. Therefore, unless an organization can protect all of their assets (human, capital, and reputation) from the nefarious or inadvertent actions of others – at all times – they need a security program that deters, detects, and defends business assets every day, all the time. Most businesses are not Fort Knox (which, by the way, is not immune from security events), and security-related policies and procedures are a critical tool that businesses can use to defend against the human threat.

What I believe Mark’s flow chart does is provide a systematic approach to the development of policies based on industry standards in a manner that can be applied company-wide.

[Figure: policy and procedure flow chart]

In any organization that is evaluating their policies or putting policies in place, the first place to start is the industry standards for the area to be covered by the policy. Areas such as lighting, egress, the protection of trade secrets, IT security, and the protection of classified and/or personal information are just some of the areas where security industry standards are available. In addition to the industry standards, there are security best practices that play an important role in any company’s security program. These may be industry specific or provide general guidance. In the absence of standards, companies will be, and are, judged based on recognized best practices. Premises liability is a prime example of where this would apply. An organization’s ability to defend itself against litigation depends on its ability to establish that a security program was in place to respond to threats that they were aware of or should have been aware of. Similarly, if an organization has to defend itself from a compliance violation or establish that they are due damages in a loss of trade secrets, it is incumbent on the organization to be able to demonstrate the protective measures that were in place to protect that information. In all cases, security-related policies will be a key component of the security program.

There are many sources for security-related standards and best practices. Organizations such as ASIS International, the International Association for Healthcare Security & Safety (IAHSS), or the National Classification Management Society (NCMS) are good starting points for this kind of information.

Policies are the guidance necessary to protect your organization’s assets. When establishing those guidelines, look to industry standards and best practices for a general framework. Policies should be high-level and solution agnostic in order to minimize the need to revisit them as technology changes. Technology-specific details should be left to the policy standards.

Policy Standards are the specific technical implementation requirements established within the policies. Within the policies these should be hyperlinks or references to policy standard documents, not detailed within the policy itself. This enables an organization to modify or update the standards as technology advances without requiring policy changes with resulting review and approval by senior management.

Policy Implementation is about communication (who, what, when, where). Considerations include:

  • Who does this policy apply to?
  • What do you want them to do?
  • When does it apply?
  • When and how will the population be trained?
  • When and where will the population get additional awareness reinforcement?

Procedures are the guidance that individuals will need to comply with the policy. They provide detailed, step-by-step instructions users must follow in order to implement controls according to the latest standards.

Services provide the population with information about the support services that are available to them and are there to support their efforts. In this case we are referring to security-related services, but it could also be applied in other areas of the business. If this is considered on the front end, it will provide better communication and hopefully provide the professionals responsible for implementing the policy and procedures the resources they need to provide the population with the tools and support they need to comply.

Measuring Success brings the process full circle and puts in place a system of continuous quality control and improvement. Things change; populations change; and industry standards and best practices change. There should be a process to measure success and allow the organization to adapt.

In the world of security, the best that any organization can hope for is that they have the internal and external controls in place to divert persons with nefarious intent. It’s kind of like termites – if we can’t eliminate them, let’s at least make it so uncomfortable that they move somewhere else because there are lots of unprotected opportunities.

Data Security: Where there is data, there should be policy

Posted on 30, Mar | Posted by Russell W. Gilmore, CISSP, CISM, EnCE

The recent report by the Wall Street Journal about the Morgan Stanley breach scares me as an employee. Reportedly Galen Marsh, a financial adviser for Morgan Stanley, was fired for allegedly stealing account information from about 350,000 wealth management clients and posting some of it online. The part that concerns me is the reports that federal law enforcement officials are focusing their probe on the possibility that Marsh’s computer was hacked. (Full story here.)

I have not reviewed the full report nor have I looked deeply into the incident. My attention was drawn to the consequences that befell Mr. Marsh and the slim possibility that he did nothing wrong. It seems that in this day of BYOD – Bring Your Own Device – and the use of laptops and mobile devices by employees, it is time for there to be a clear understanding about the company’s responsibilities and the individual employee’s responsibilities. This is not to suggest that an employee’s first question should be “Will I get fired if this laptop is hacked and company data is stolen?” when presented with a company laptop. There should be a clear understanding between the company and the employee of what is expected of each as it relates to the security and control of any electronic device that contains company data.

The foundation of this understanding begins with a good company policy. A policy should be specific regarding the proper use of electronic devices. A policy should also indicate who is responsible for areas such as email security, data security, acceptable use, and physical security of the device. A policy should be a living document. An electronic device policy that covers laptops should be reviewed at a minimum once a year. Policies should be flexible. Some employees may take a laptop home and some may not.

Companies should give employees a chance to review policy before they sign it and allow them to ask questions. I suspect Morgan Stanley utilizes policies that cover the use of laptops by employees for work purposes. I doubt the employee thought he would get fired if the laptop was hacked and client data was exposed. What if the employee were a CFO or CEO?

There is most likely a lot more to this story than has been made public, but the heart of the matter is, as an employee, make sure you are fully aware of what the company expects as it relates to the use of company data and company provided electronic devices.

RMA Exhibits at the IACLEA Southeast Regional Conference & the 15th Annual SCCLEA Linda B. Floyd Safety Conference hosted by Furman University

Posted on 2, Mar | Posted by RMA

RMA participated as an exhibitor at the IACLEA Southeast Regional Conference & the SCCLEA Safety Conference hosted by Furman University in Greenville, SC. The conference brought together over 250 campus law enforcement administrators from across the southeastern United States. The Director of University Police, Tom Saccenti, and his staff provided all the participants with gracious southern hospitality with the beautiful Furman campus as a backdrop. This framework allowed the attendees to focus on the serious business of Leadership in a Crisis.

“Knowing how to respond quickly and efficiently in a crisis is critical to ensuring the safety of our schools and students. The midst of a crisis is not the time to start figuring out who ought to do what. At that moment, everyone involved – from top to bottom – should know the drill and know each other.”

Margaret Spellings
Secretary of Education, 2005-2009

Chief Michael Kehoe, Newtown, CT, began his presentation with this quote, which also captured the underlying themes that were a part of all the presentations on the first day of the conference. The IACLEA Southeast Region brought together a powerful group of presenters including:
• Retired Chief Wendell Flinchum, Virginia Tech Police Department 2006-2014
• Dr. Gene Deisinger, Ph.D. Executive officer, Virginia Tech Police Department
• Chief John DiFava, MIT Police Department
• Chief Michael Kehoe, Newtown, Connecticut
• Lt. Col. Dave Grossman

Each of these presenters shared, for the benefit of the audience, the “good, the bad, and the ugly” side of leading their departments during a significant crisis or a series of significant crises. They took the audience through the details that they could share that formed the basis of the decisions that were made as the crisis situation unfolded: what they knew, what they didn’t know, lessons that were learned along the way, and changes they made to their response program after the fact. Each of the presenters shared common themes that they learned in response to a crisis, including the need for a multi-disciplined approach that includes but is not limited to:

• Relationships, build the network of diverse support before the event happens, reach out to your network during the crisis – ask for help from people you trust
• Develop a case management plan that is proactive, integrated, and adaptive
• Training, training, training and awareness are critical
• Prevent and mitigate
• Be prepared to monitor and reassess during the crisis continuously
• Assign scribes and capture as much as possible during the crisis, don’t rely on memory
• Communicate

Chris Peterson and Mike Epperly are Keynote speakers at the NCACLEA 2015 Winter Conference

Posted on 2, Feb | Posted by RMA

RMA was pleased to be able to support the North Carolina Association of Campus Law Enforcement Administrators (NCACLEA) as keynote speakers at their 2015 Winter Conference. The conference was hosted by the Wake Tech Community College Police Department and held at North Campus at the Wake Tech Community College Public Safety Center.

Chris and Mike presented “Clery Compliance Update: Campus SaVE Act & VAWA”. Risk Management Associates, Inc. works with administrators and campus public safety officials to make sure they understand their obligations under the Jeanne Clery Act and associated regulations as well as Title IX. We help them develop the procedures necessary to satisfy the requirements under those federal laws. At the same time we address other security-related issues that affect operations, facilities, students, faculty, staff and guests.

The NCACLEA has been a key partner in the campus law enforcement community. The conference brought together administrators from across the state to network, share best practices, discuss challenges, and develop the resources that law enforcement administrators need to protect the people, physical assets, and reputation of the colleges and universities. As a security advocate and partner in the education area, RMA was pleased to support NCACLEA and the members they serve.

Mike Epperly attends Association of Title IX Administrator Investigator Training

Posted on 30, Jan | Posted by RMA

In January, Mike Epperly attended Association of Title IX Administrator (ATIXA) Investigator Training. ATIXA’s training is a comprehensive training class focused on treating campus sexual misconduct as a civil rights discrimination and investigation. Civil rights investigations are not police-led investigations, and they are not the same as investigating a student conduct violation. Title IX investigation skills are specific and highly specialized. Title IX investigative skill sets are developed and enhanced through the ATIXA Investigator Training.

ATIXA provides a professional association for school and college Title IX Coordinators, administrators, and investigators who are interested in serving their districts and campuses more effectively. Since 1972, Title IX has proved to be an increasingly powerful leveling tool, helping to advance gender equity in schools and colleges. ATIXA has been formed to promote professional development and foster collaboration in what is actually a field of 25,000 people who all are assuring Title IX compliance in our schools, colleges and universities.

The National Center for Higher Education Risk Management Group, LLC (NCHERM), a law and consulting firm, endowed a grant that created the Association of Title IX Administrators (ATIXA). In 2010, NCHERM created the only Title IX Coordinator/Investigator Training and Certification Course that is now an ATIXA professional development opportunity. ATIXA is an independent, not-for-profit organization served by an Advisory Board.

Rusty Gilmore Speaks at the ASIS Monthly meeting

Posted on 28, Jan | Posted by RMA

On Wednesday, January 21, 2015, the local chapter of ASIS International, Chapter 119, held their monthly meeting at the PNC Center in Raleigh, NC. Rusty Gilmore was the guest speaker. Rusty gave a presentation on Computer and Network Vulnerabilities: Steps to Protecting Your Systems and Data.

Rusty Gilmore presents at the ProNet Systems Executive Briefing 2014

Posted on 17, Dec | Posted by RMA

ProNet Systems hosted their annual Executive Briefing on December 9th, at the City Club in Raleigh, NC. The event was titled “Keeping up with Security Trends and Technologies.” Some of the key speakers included:

  • Alan Jelley, ProNet Systems, Inc. – New Technology Advancements and Trends
  • Nathan Schroeder, Focus Sales; Ryan Bach, Avigilon – Totally Integrated Access & High Resolution Video
  • Rusty Gilmore, Computer Forensic Consultant, Risk Management Consultants – Hacking and Computer Security 101
  • Lou Tunno, HID – Latest Credential And Biometric Development: The Smart Phone as a Credential
  • Nathan Schroeder, Focus Sales; Ryan Bach, Avigilon – Advances in High Definition Video and Video Analytics

Dana Frentz and Emily Liner of RMA attended the ProNet Systems seminar.

Avoiding Pandemic Paranoia

Posted on 1, Dec | Posted by Billy Gordon Green, Jr. M.Ed., CPP, CHS

Twice during the past decade and a half, the specter of pandemic has been a cause for prudent worry in the public health sector, among business continuity planners, and certainly within the security community. Security professionals would not be tasked with reducing the impact upon the public or generally with providing for the continuity of operation for a large corporation, campus, or agency.

The security manager and planner would, however, be responsible for planning and implementing contingency security operations in the face of epidemic conditions or pandemic threat. The mission and role of the security department is ancillary to the direct mission of most all organizations. As such, the security planner is concerned with the effect that widespread disease would have on the ability of the security organization to fulfill its mission of protecting the personnel and assets of the parent organization.

The effects of a pandemic or epidemic upon an organization and subsequently on the security group depend on the business and mission of the larger entity. For instance, a healthcare facility such as a hospital would be impacted exponentially. Not only would the organization’s internal casualties make it harder to deliver services, the external client/customer system would be greatly expanded as the illness spreads through the population and they seek help from the healthcare provider. In the same way – although to a lesser degree – health care suppliers would see demand for products and equipment increase dramatically while they too were trying to cope with increased activity with a workforce affected by the disease.

The demand for security services in the chaotic conditions a pandemic or severe epidemic could create within the healthcare delivery system would be substantial. The threat would also be significantly increased as valuable and perhaps limited medical treatment and drugs become potential targets for crime or lead to possible breakdowns in public order in the clamor to receive lifesaving medical help. This may sound a little like a doomsday movie script, but security professionals and law enforcement authorities are fully aware that civilized society is held together by the thinnest of threads, and under the right conditions, they may fray or break completely.

Faced with all this, the security manager must respond with the necessary services and infrastructure to safeguard the parent organization, no matter what the business. As with planning for catastrophic emergencies, which a pandemic certainly is, there must be preparation to stand alone by predicting the impacts on the security organization and planning realistically to meet those needs in a contingency manner, with fewer people and little infrastructural support because those agencies and companies will be affected too.

It is not the security organization’s job to maintain business continuity or deliver services to the client or customer. It will be security’s job to protect those who will be trying to do so, while facing the same impediments. It will require a contingency plan that rebalances the integrated security formula toward non-human assets. It also will require an accurate assessment of the intensity and duration of the pandemic or epidemic.

All past pandemics have involved Influenza A viruses. These viruses that cause influenza are much more easily spread among larger groups in the population because of the nature of transmission as aerosols and the respiratory characteristic of the disease. Whether or not other viral and bacterial disease can become that virulent when confronted with modern medicine and public health practices remains to be seen. The experience with Ebola has suggested that while it is contagious, it may not have the capacity to spread like influenza has in the past. Time will tell. There are historical data and scenarios that can be examined and studied to identify and gauge the effects of widespread disease on healthcare, service, and production organizations. We can learn from history, hopefully so we do not have to repeat it. Security professionals do not treat disease, but we can study the effects it may have on the organizations and the population in order to prepare as best we can to provide the envelope around our organizations so that they can continue to function during the crisis.

As with any threat, the prudent security professional should research the threat and be familiar with the potential for such a threat developing. Historically, the development of pandemic or severe epidemic disease has a run-up period during which it becomes apparent that a problem is looming. It does not have the sudden onset of catastrophic weather or a terrorist attack. Forethought and modest advance planning will provide the foundation for more precise preparation and decisive response should the problem intensify.

The following sources can be used to better understand and prepare for this kind of emergency.

About Pandemics from Flu.gov – http://www.flu.gov/pandemic/about/
Pandemic Influenza from CIDRAP – http://www.cidrap.umn.edu/infectious-disease-topics/pandemic-influenza
Guidance on Preparing Workplaces for an Influenza Pandemic from OSHA – https://www.osha.gov/Publications/influenza_pandemic.html

Always prepare for the worst and hope for the best.

Managing Global Integration of Systems

Posted on 1, Nov | Posted by Kevin M. McQuade, CPP

During the last several years, we have seen many companies expanding within their own organization or through mergers and acquisitions. Growth of any kind challenges the expansion of systems utilized within the company or organization, such as network infrastructure, payroll systems, and other technology. One area that is always a challenge is the security systems that protect the organization. Card access and digital video systems manufactured today are designed so that they can grow exponentially as the company grows. The question is how to implement and oversee the installations of these systems at a regional, national, or global level.

There are security integration companies today that through their own expansions and mergers have a national or global footprint that can be utilized to assist an organization with the implementation of their security systems. What happens if the current system or systems being used by an organization are not supported by a large national or global integration company? The task becomes a lot tougher to assure that the same quality equipment and installation practices used in one facility are used throughout an entire organization.

One way to accomplish smooth security integration would be to assign an existing employee as a project manager. This individual should already be familiar with the security program. His or her tasks would be to:

  • find qualifying integration companies in each location where a new or upgrade installation might take place,
  • prepare design and standardization documents, coordinate with the IT department and other trades that would be involved,
  • attend coordination meetings (via conference call or in person),
  • perform installation reviews during the installation,
  • follow up on the record documentation once the project has been completed,
  • become familiar with and address any issues specific to the site including local codes, state regulations, or country requirements, and
  • perform their current duties.

Since most companies seem to be running as lean as possible, there probably is not a single person available that would be able to handle this. If this is the case, then what is the next option?

There are security integration companies that can offer some of these services through a network of companies on a regional or a national level, but not necessarily on a global level. This places a lot of responsibilities on the security integrator. What happens if the relationship between the security integration company and the organization takes a turn for the worse? What happens if the account manager leaves the security integrator? What happens if the security integrator is purchased by another company or changes their business model? You’re back to square one.

Another option would be to hire a company that understands security and security programs. What we have seen work well is organizations that can partner with a company that can handle all system integration at multiple sites. This company – which would not provide installation or service of any security equipment – would be product agnostic but knowledgeable on the organization’s systems. In addition, they would have the capability of providing a team of professionals that would divide and conquer all of the associated tasks and provide a Project Manager as a direct line of communication with the Security Director. Of course there is a cost associated with this; however, if the implementation of a large multi-regional new installation or upgrade does not go well, there is the potential that the costs and internal manpower to coordinate and correct any deficiencies could exceed the dollars spent to bring a company like this on board as part of the team.

If a large-scale security installation or upgrade is in the future for your organization, begin the planning early, assess exactly how the plan will be implemented, and designate who will do the work to assure that all goes smoothly.

The SaVE Component of the Clery Act

Posted on 1, Sep | Posted by Christine L. Peterson, CPP, ISP

Are You Ready for October 1, 2014?

According to the CDC, on average, 1 in 5 women (18.3%) and 1 in 71 men (1.4%) reported experiencing rape at some time in their lives. In a study of undergraduate women, 19% said that they experienced an attempted or completed sexual assault since entering college (Source: http://www.cdc.gov/violenceprevention/pdf/sv-datasheet-a.pdf). The victimization of college students is not new, and this article will not address whether the problem is getting better or worse. The issue is that dating violence, domestic violence, sexual assault (including rape but not limited to rape), and stalking are crimes. Beginning October 1, 2014, colleges and universities are required to meet new requirements of the Jeanne Clery Act. The Campus Sexual Violence Elimination Act (SaVE) component of the Clery Act will require institutions of higher learning to compile statistics for incidents of dating violence, domestic violence, sexual assault, and stalking. In addition there are policies, procedures, training, and other programs that pertain to these incidents that must be included in an annual security report (ASR).

In this article we will provide the requirements of the Clery Act, the SaVE component, and Title IX requirements as they currently exist and hopefully provide college compliance personnel with information that they can utilize to meet the current requirements. The purpose of this article is to address administrators who are the key to an institution’s ability to meet the requirements of the Clery Act and its SaVE component.

The Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act (Jeanne Clery Disclosure of Campus Security Policy and Crime Statistics Act, 20 U.S.C. § 1092(f) (2011)) is a federal statute requiring colleges and universities participating in federal financial aid programs to maintain and disclose campus crime statistics and security information. It is a requirement of the entire institution, not a requirement limited to the security department. This is an important distinction and one that too many college and university administrators fail to recognize and embrace. Until administrators recognize this distinction and put in place top-down responsibility and accountability for Clery Act compliance, institutions will be at risk.

A single event could lead to a full scale investigation by the U.S. Department of Education (ED), applicable civil fines of up to $35,000 per violation, and potential loss of federal student financial aid programs. This is in addition to the potential damage to the reputation and brand of the school, potential lawsuits by victims and others, and a drop in applications. Yet we find that many colleges and universities are still confused by the requirements, especially as they relate to Clery geography and the identification and training of Campus Security Authorities (CSAs). Most institutions are making at least a basic attempt to meet the requirements but do not have the resources or training to understand or implement a program at anything greater than a cursory level. With the additional requirements under SaVE, this is only expected to get worse before it gets better. In addition victims, legislators, and the President have made sexual violence on campuses a priority by sharing their experiences, creating task forces, and designing legislation. This will put more pressure on institutions to address the issues on a campus-by-campus basis and may lead to substantially greater penalties.

On March 7, 2013, President Obama signed the Violence Against Women Reauthorization Act of 2013 (VAWA) (Pub. Law 113-4), which, among other provisions, amended section 485(f) of the Higher Education Act (HEA), otherwise known as the Clery Act. The Clery Act requires institutions of higher education to comply with certain campus safety-related and security-related requirements. Notably, VAWA amended the Clery Act to require institutions to compile statistics for incidents of dating violence, domestic violence, sexual assault, and stalking and to include certain policies, procedures, and programs pertaining to these incidents in their annual security reports. It is intended to increase transparency about sexual violence on campuses, guarantee victims enhanced rights, provide for standards in institutional conduct proceedings, and provide the campus community a broader awareness and prevention educational programs (Source: https://www.federalregister.gov/articles/2014/06/20/2014-14384/violence-against-women-act).

The law is not in its final form as of the creation of this article. However, institutions are required to implement and have in place the required policy disclosures and programs related to SaVE no later than October 1, 2014. The collection of campus crime statistics as they relate to SaVE is currently in effect beginning with the 2014-2015 reporting period. Failure to collect and report statistics for domestic violence, dating violence, and stalking (as defined by VAWA) can result in civil penalties of up to $35,000 per violation for substantial misrepresentations of the number, location, or nature of crimes required to be reported, or for violation of any other safety or security-related provision of the HEA. In addition, violations can lead to the limitation or suspension of federal student aid eligibility or the loss of eligibility to participate in federal student aid programs.

A summary of the current proposed regulations, as they were published in the Federal Register on June 27, 2014, is as follows:

  • Require institutions to maintain statistics about the number of incidents of dating violence, domestic violence, sexual assault, and stalking that meet the proposed definitions of those terms.
  • Revise the definition of “rape” to reflect the Federal Bureau of Investigation’s recently updated definition in the UCR Summary Reporting System, which encompasses the several categories of sexual assault that are used in the UCR National Incident-Based Reporting System.
  • Revise the categories of bias for the purposes of Clery Act hate crime reporting to add gender identity and to separate ethnicity and national origin into independent categories.
  • Require institutions to provide and describe in their annual security reports primary prevention and awareness programs to incoming students and new employees. These programs must include: a statement that the institution prohibits the crimes of dating violence, domestic violence, sexual assault, and stalking; the definition of these terms in the applicable jurisdiction; the definition of consent, in reference to sexual activity, in the applicable jurisdiction; a description of safe and positive options for bystander intervention; information on risk reduction; and information on the institution’s policies and procedures after a sex offense occurs.
  • Require institutions to provide and describe in their annual security reports ongoing prevention and awareness campaigns for students and employees. These campaigns must include the same information as in the institution’s primary prevention and awareness program.
  • Define the terms “awareness programs,” “bystander intervention,” “ongoing prevention and awareness campaigns,” “primary prevention programs,” and “risk reduction.”
  • Require institutions to describe each type of disciplinary proceeding used by the institution; the steps, anticipated timelines, and decision-making process for each type of disciplinary proceeding; and how the institution determines which type of proceeding to use based on the circumstances of an allegation of dating violence, domestic violence, sexual assault, or stalking.
  • Require institutions to list all of the possible sanctions that the institution may impose following the results of any institutional disciplinary proceedings for an allegation of dating violence, domestic violence, sexual assault, or stalking.
  • Require institutions to describe the range of protective measures that the institution may offer following an allegation of dating violence, domestic violence, sexual assault, or stalking.
  • Require institutions to provide for a prompt, fair, and impartial disciplinary proceeding in which (1) officials are appropriately trained and do not have a conflict of interest or bias for or against the accuser or the accused; (2) the accuser and the accused have equal opportunities to have others present, including an advisor of their choice; (3) the accuser and the accused receive simultaneous notification, in writing, of the result of the proceeding and any available appeal procedures; (4) the proceeding is completed in a reasonably prompt timeframe; (5) the accuser and the accused are given timely notice of meetings at which one or the other or both may be present; and (6) the accuser, the accused, and appropriate officials are given timely access to information that will be used after the fact-finding investigation but during informal and formal disciplinary meetings and hearings.
  • Define the terms “proceeding” and “result.”
  • Specify that compliance with these provisions does not constitute a violation of section 444 of the General Education Provisions Act (20 U.S.C. 1232g), commonly known as the Family Educational Rights and Privacy Act of 1974 (FERPA).

The proposed regulations would (Source: https://www.federalregister.gov/articles/2014/06/20/2014-14384/violence-against-women-act):

  • Add and define the terms “Clery Geography,” “dating violence,” “domestic violence,” “Federal Bureau of Investigation’s (FBI) Uniform Crime Reporting (UCR) program (FBI’s UCR program),” “hate crime,” “Hierarchy Rule,” “programs to prevent dating violence, domestic violence, sexual assault, and stalking,” “sexual assault,” and “stalking.”
  • Require institutions to address in their annual security reports their current policies concerning campus law enforcement, including the jurisdiction of security personnel, as well as any agreements, such as written memoranda of understanding between the institution and police agencies, for the investigation of alleged criminal offenses.
  • Require institutions to address in their annual security reports their policies to encourage accurate and prompt reporting of all crimes to the campus police and the appropriate police agencies when the victim of a crime elects to or is unable to make such a report.
  • Require institutions to provide written information to victims about the procedures that one should follow if a crime of dating violence, domestic violence, sexual assault, or stalking has occurred, including written information about the preservation of evidence, how and to whom to report offenses, the victim’s options for support by local law enforcement and campus authorities, and the victim’s rights and the institution’s responsibilities regarding orders of protection or similar orders issued by a court or institution.
  • Require institutions to address in their annual security reports how the institution will complete publicly available recordkeeping requirements, including Clery Act reporting and disclosures, without the inclusion of identifying information about the victim.
  • Require institutions to address in their annual security reports how the institution will maintain as confidential any accommodations or protective measures provided to the victim, to the extent that maintaining such confidentiality would not impair the ability of the institution to provide the accommodations or protective measures.
  • Require institutions to specify in their annual security reports that they will provide written notification to students and employees about existing counseling, health, mental health, victim advocacy, legal assistance, visa and immigration assistance, and other services available for victims both within the institution and in the community.
  • Require institutions to specify in their annual security reports that they will provide written notification to victims about options for, and available assistance in, changing academic, living, transportation, and working situations and clarify that the institution must make these accommodations if the victim requests them and if they are reasonably available, regardless of whether the victim chooses to report the crime to campus police or local law enforcement.
  • Require institutions to specify in their annual security reports that, when a student or employee reports to the institution that the student or employee has been a victim of dating violence, domestic violence, sexual assault, or stalking, whether the offense occurred on or off campus, the institution will provide the student or employee a written explanation of the student’s or employee’s rights and options.
  • Require institutions to maintain statistics about the number of incidents of dating violence, domestic violence, sexual assault, and stalking that meet the proposed definitions of those terms.
  • Revise the definition of “rape” to reflect the FBI’s recently updated definition in the UCR Summary Reporting System, which encompasses several categories of sexual assault that are used in the UCR National Incident-Based Reporting System.
  • Revise and update the definitions of “sex offenses,” “fondling,” “incest,” and “statutory rape” in Appendix A to subpart D of part 668 to reflect the FBI’s updated definitions.
  • Emphasize that institutions must, for the purposes of Clery Act reporting, include in their crime statistics all crimes reported to a campus security authority.
  • Clarify that an institution may not withhold, or subsequently remove, a reported crime from its crime statistics based on a decision by a court, coroner, jury, prosecutor, or other similar non-campus official.
  • Specify that Clery Act reporting does not require initiating an investigation or disclosing identifying information about the victim.
  • Revise the categories of bias for the purposes of Clery Act hate crime reporting to add gender identity and to separate ethnicity and national origin into independent categories.
  • Specify how institutions should record reports of stalking, including how to record reports in which the stalking included activities in more than one calendar year or in more than one location within the institution’s Clery Act-reportable areas, and how to determine when to report a new crime of stalking involving the same victim and perpetrator.
  • Create an exception to the requirements of the Hierarchy Rule in the UCR Reporting Handbook for situations in which an individual is a victim of a sex offense and a murder during the same incident so that the incident will be included in both categories.
  • Clarify that an institution must withhold as confidential the names and other identifying information of victims when providing timely warnings.
  • Implement the requirements pertaining to an institution’s educational programs to promote the awareness of dating violence, domestic violence, sexual assault, and stalking by requiring specific information about awareness campaigns, programs, policies and procedures, and definitions be included in the annual security report that they publish annually.
  • Implement requirements pertaining to an institution’s procedures for campus disciplinary action in cases of alleged dating violence, domestic violence, sexual assault, or stalking.
  • Prohibit retaliation by an institution or an officer, employee, or agent of an institution against any individual for exercising their rights or responsibilities under any provision under the Clery Act.

Legislation is written as a response to a problem that is not being addressed appropriately. Assigning roles and responsibilities for compliance is the first step, but an effective program will require a comprehensive and coordinated effort that includes people, processes and technology – as does any security program. Training and gap analysis will be an ongoing requirement for the development of a compliant program and a safer campus for all students and employees.

On the surface, the new requirements under SaVE look onerous, but just as in the case of the earlier version of the Clery Act, there are specific components that support each other and begin with the policy statements. The 2013 amendment is expected to raise the level of response and prevention of sexual violence in institutions of higher learning by raising awareness, increasing transparency, and providing for accountability. The framework of the new requirements provides for victims’ rights, conduct proceedings, and education programs and has the support of bipartisan legislation and victims who are currently working to increase the current penalties for non-compliance.

In today’s environment, the consensus is that the threat of lost funding and the imposition of $35,000 fines per violation are not driving compliance. Legislators are now exploring the possibility of imposing new penalties, including fines of up to $150,000 per violation or up to 1% of the institution’s operating budget.

Is your institution ready for October 1, 2014? Can it afford not to be?
