Avoiding Pandemic Paranoia

Posted on 1, Dec | Posted by Billy Gordon Green, Jr. M.Ed., CPP, CHS

Twice during the past decade and a half, the specter of pandemic has been a cause for prudent worry in the public health sector, among business continuity planners, and certainly within the security community. Security professionals would not be tasked with reducing the impact upon the public, or generally with providing for the continuity of operations of a large corporation, campus, or agency.

The security manager and planner would, however, be responsible for planning and implementing contingency security operations in the face of epidemic conditions or pandemic threat. The mission and role of the security department is ancillary to the direct mission of almost all organizations. As such, the security planner is concerned with the effect that widespread disease would have on the ability of the security organization to fulfill its mission of protecting the personnel and assets of the parent organization.

The effects of a pandemic or epidemic upon an organization, and subsequently on its security group, depend on the business and mission of the larger entity. A healthcare facility such as a hospital, for instance, would be impacted disproportionately. Not only would the organization’s internal casualties make it harder to deliver services; its external client/customer base would expand greatly as the illness spread through the population and people sought help from the healthcare provider. In the same way, although to a lesser degree, healthcare suppliers would see demand for products and equipment increase dramatically while they too coped with increased activity using a workforce affected by the disease.

The demand for security services in the chaotic conditions a pandemic or severe epidemic could create within the healthcare delivery system would be substantial. The threat would also be significantly increased as valuable and perhaps limited medical treatment and drugs become potential targets for crime or lead to possible breakdowns in public order in the clamor to receive lifesaving medical help. This may sound a little like a doomsday movie script, but security professionals and law enforcement authorities are fully aware that civilized society is held together by the thinnest of threads, and under the right conditions, they may fray or break completely.

Faced with all this, the security manager must respond with the necessary services and infrastructure to safeguard the parent organization, no matter what the business. As with planning for catastrophic emergencies, which a pandemic certainly is, there must be preparation to stand alone by predicting the impacts on the security organization and planning realistically to meet those needs in a contingency manner, with fewer people and little infrastructural support because those agencies and companies will be affected too.

It is not the security organization’s job to maintain business continuity or deliver services to the client or customer. It will be security’s job to protect those who will be trying to do so, while facing the same impediments. It will require a contingency plan that rebalances the integrated security formula away from people and toward non-human assets such as physical barriers and electronic systems. It also will require an accurate assessment of the intensity and duration of the pandemic or epidemic.

The influenza pandemics of the past century have all been caused by Influenza A viruses. Influenza spreads easily through large groups of the population because it is transmitted by respiratory droplets and aerosols and because the disease itself is respiratory. Whether other viral and bacterial diseases can become that virulent when confronted with modern medicine and public health practices remains to be seen. The experience with Ebola has suggested that while it is contagious, it may not have the capacity to spread the way influenza has in the past. Time will tell. There are historical data and scenarios that can be examined to identify and gauge the effects of widespread disease on healthcare, service, and production organizations. We can learn from history, hopefully so that we do not have to repeat it. Security professionals do not treat disease, but we can study the effects it may have on organizations and the population in order to prepare, as best we can, to provide the envelope around our organizations so that they can continue to function during the crisis.

As with any threat, the prudent security professional should research it and be familiar with the potential for it to develop. Historically, pandemic or severe epidemic disease has had a run-up period during which it becomes apparent that a problem is looming; it does not have the sudden onset of catastrophic weather or a terrorist attack. Forethought and modest advance planning will provide the foundation for more precise preparation and decisive response should the problem intensify.

The following sources can be used to better understand and prepare for this kind of emergency.

About Pandemics from Flu.gov – http://www.flu.gov/pandemic/about/
Pandemic Influenza from CIDRAP – http://www.cidrap.umn.edu/infectious-disease-topics/pandemic-influenza
Guidance on Preparing Workplaces for an Influenza Pandemic from OSHA – https://www.osha.gov/Publications/influenza_pandemic.html

Always prepare for the worst and hope for the best.


Managing Global Integration of Systems

Posted on 1, Nov | Posted by Kevin M. McQuade, CPP

During the last several years, we have seen many companies expanding, either within their own organization or through mergers and acquisitions. Growth of any kind strains the systems the company or organization relies on, such as network infrastructure, payroll systems, and other technology. One area that is always a challenge is the security systems that protect the organization. Card access and digital video systems manufactured today are designed to scale as the company grows. The question is how to implement and oversee the installation of these systems at a regional, national, or global level.

There are security integration companies today that, through their own expansions and mergers, have a national or global footprint that can be utilized to assist an organization with the implementation of its security systems. What happens if the current system or systems being used by an organization are not supported by a large national or global integration company? It then becomes much harder to ensure that the same quality of equipment and installation practices used in one facility is used throughout the entire organization.

One way to accomplish smooth security integration would be to assign an existing employee as a project manager. This individual should already be familiar with the security program. His or her tasks would be to:

  • find qualifying integration companies in each location where a new or upgrade installation might take place,
  • prepare design and standardization documents, coordinate with the IT department and other trades that would be involved,
  • attend coordination meetings (via conference call or in person),
  • perform installation reviews during the installation,
  • follow up on the record documentation once the project has been completed,
  • become familiar with and address any issues specific to the site including local codes, state regulations, or country requirements, and
  • perform their current duties.

Since most companies seem to be running as lean as possible, there probably is not a single person available that would be able to handle this. If this is the case, then what is the next option?

There are security integration companies that can offer some of these services through a network of companies on a regional or a national level, but not necessarily on a global level. This places a lot of responsibilities on the security integrator. What happens if the relationship between the security integration company and the organization takes a turn for the worse? What happens if the account manager leaves the security integrator? What happens if the security integrator is purchased by another company or changes their business model? You’re back to square one.

Another option would be to hire a company that understands security and security programs. What we have seen work well is organizations partnering with a company that can handle all system integration at multiple sites. This company, which would not provide installation or service of any security equipment, would be product agnostic but knowledgeable about the organization’s systems. In addition, it would be able to provide a team of professionals to divide and conquer all of the associated tasks, and a Project Manager as a direct line of communication with the Security Director. Of course there is a cost associated with this; however, if the implementation of a large multi-regional new installation or upgrade does not go well, the cost and internal manpower needed to coordinate and correct the deficiencies could exceed the dollars spent to bring a company like this on board as part of the team.

If a large-scale security installation or upgrade is in the future for your organization, begin the planning early, assess exactly how the plan will be implemented, and designate who will do the work to ensure that all goes smoothly.


The SaVE Component of the Clery Act

Posted on 1, Sep | Posted by Christine L. Peterson, CPP, ISP

Are You Ready for October 1, 2014?

According to the CDC, on average, 1 in 5 women (18.3%) and 1 in 71 men (1.4%) reported experiencing rape at some time in their lives. In a study of undergraduate women, 19% said that they had experienced an attempted or completed sexual assault since entering college (Source: http://www.cdc.gov/violenceprevention/pdf/sv-datasheet-a.pdf). The victimization of college students is not new, and this article will not address whether the problem is getting better or worse. The issue is that dating violence, domestic violence, sexual assault (including but not limited to rape), and stalking are crimes. Beginning October 1, 2014, colleges and universities are required to meet new requirements of the Jeanne Clery Act. The Campus Sexual Violence Elimination Act (SaVE) component of the Clery Act will require institutions of higher learning to compile statistics for incidents of dating violence, domestic violence, sexual assault, and stalking. In addition, there are policies, procedures, training, and other programs pertaining to these incidents that must be included in an annual security report (ASR).

In this article we will provide the requirements of the Clery Act, the SaVE component, and Title IX requirements as they currently exist and hopefully provide college compliance personnel with information that they can utilize to meet the current requirements. The purpose of this article is to address administrators who are the key to an institution’s ability to meet the requirements of the Clery Act and its SaVE component.

The Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act (20 U.S.C. § 1092(f)) is a federal statute requiring colleges and universities participating in federal financial aid programs to maintain and disclose campus crime statistics and security information. It is a requirement of the entire institution, not a requirement limited to the security department. This is an important distinction and one that too many college and university administrators fail to recognize and embrace. Until administrators recognize this distinction and put in place top-down responsibility and accountability for Clery Act compliance, institutions will be at risk.

A single event could lead to a full-scale investigation by the U.S. Department of Education (ED), civil fines of up to $35,000 per violation, and potential loss of federal student financial aid programs. This is in addition to the potential damage to the reputation and brand of the school, potential lawsuits by victims and others, and a drop in applications. Yet we find that many colleges and universities are still confused by the requirements, especially as they relate to Clery geography and the identification and training of Campus Security Authorities (CSAs). Most institutions are making at least a basic attempt to meet the requirements but do not have the resources or training to understand or implement a program at anything greater than a cursory level. With the additional requirements under SaVE, this is only expected to get worse before it gets better. In addition, victims, legislators, and the President have made sexual violence on campuses a priority by sharing their experiences, creating task forces, and designing legislation. This will put more pressure on institutions to address the issues on a campus-by-campus basis and may lead to substantially greater penalties.

On March 7, 2013, President Obama signed the Violence Against Women Reauthorization Act of 2013 (VAWA) (Pub. Law 113-4), which, among other provisions, amended section 485(f) of the Higher Education Act (HEA), otherwise known as the Clery Act. The Clery Act requires institutions of higher education to comply with certain campus safety-related and security-related requirements. Notably, VAWA amended the Clery Act to require institutions to compile statistics for incidents of dating violence, domestic violence, sexual assault, and stalking and to include certain policies, procedures, and programs pertaining to these incidents in their annual security reports. It is intended to increase transparency about sexual violence on campuses, guarantee victims enhanced rights, provide standards for institutional conduct proceedings, and provide the campus community with broader awareness and prevention education programs (Source: https://www.federalregister.gov/articles/2014/06/20/2014-14384/violence-against-women-act).

The law is not in its final form as of the creation of this article. However, institutions are required to implement and have in place the required policy disclosures and programs related to SaVE no later than October 1, 2014. The collection of campus crime statistics as they relate to SaVE is currently in effect beginning with the 2014-2015 reporting period. Failure to collect and report statistics for domestic violence, dating violence, and stalking (as defined by VAWA) can result in civil penalties of up to $35,000 per violation for substantial misrepresentations of the number, location, or nature of crimes required to be reported, or for violation of any other safety or security-related provision of the HEA. In addition, violations can lead to the limitation or suspension of federal student aid eligibility or the loss of eligibility to participate in federal student aid programs.

A summary of the current proposed regulations, as published in the Federal Register on June 20, 2014, is as follows:

  • Require institutions to maintain statistics about the number of incidents of dating violence, domestic violence, sexual assault, and stalking that meet the proposed definitions of those terms.
  • Revise the definition of “rape” to reflect the Federal Bureau of Investigation’s recently updated definition in the UCR Summary Reporting System, which encompasses the several categories of sexual assault that are used in the UCR National Incident-Based Reporting System.
  • Revise the categories of bias for the purposes of Clery Act hate crime reporting to add gender identity and to separate ethnicity and national origin into independent categories.
  • Require institutions to provide and describe in their annual security reports primary prevention and awareness programs to incoming students and new employees. These programs must include: a statement that the institution prohibits the crimes of dating violence, domestic violence, sexual assault, and stalking; the definition of these terms in the applicable jurisdiction; the definition of consent, in reference to sexual activity, in the applicable jurisdiction; a description of safe and positive options for bystander intervention; information on risk reduction; and information on the institution’s policies and procedures after a sex offense occurs.
  • Require institutions to provide and describe in their annual security reports ongoing prevention and awareness campaigns for students and employees. These campaigns must include the same information as in the institution’s primary prevention and awareness program.
  • Define the terms “awareness programs,” “bystander intervention,” “ongoing prevention and awareness campaigns,” “primary prevention programs,” and “risk reduction.”
  • Require institutions to describe each type of disciplinary proceeding used by the institution; the steps, anticipated timelines, and decision-making process for each type of disciplinary proceeding; and how the institution determines which type of proceeding to use based on the circumstances of an allegation of dating violence, domestic violence, sexual assault, or stalking.
  • Require institutions to list all of the possible sanctions that the institution may impose following the results of any institutional disciplinary proceedings for an allegation of dating violence, domestic violence, sexual assault, or stalking.
  • Require institutions to describe the range of protective measures that the institution may offer following an allegation of dating violence, domestic violence, sexual assault, or stalking.
  • Require institutions to provide for a prompt, fair, and impartial disciplinary proceeding in which (1) officials are appropriately trained and do not have a conflict of interest or bias for or against the accuser or the accused; (2) the accuser and the accused have equal opportunities to have others present, including an advisor of their choice; (3) the accuser and the accused receive simultaneous notification, in writing, of the result of the proceeding and any available appeal procedures; (4) the proceeding is completed in a reasonably prompt timeframe; (5) the accuser and the accused are given timely notice of meetings at which one or the other or both may be present; and (6) the accuser, the accused, and appropriate officials are given timely access to information that will be used after the fact-finding investigation but during informal and formal disciplinary meetings and hearings.
  • Define the terms “proceeding” and “result.”
  • Specify that compliance with these provisions does not constitute a violation of section 444 of the General Education Provisions Act (20 U.S.C. 1232g), commonly known as the Family Educational Rights and Privacy Act of 1974 (FERPA).

The proposed regulations would (Source: https://www.federalregister.gov/articles/2014/06/20/2014-14384/violence-against-women-act):

  • Add and define the terms “Clery Geography,” “dating violence,” “domestic violence,” “Federal Bureau of Investigation’s (FBI) Uniform Crime Reporting (UCR) program (FBI’s UCR program),” “hate crime,” “Hierarchy Rule,” “programs to prevent dating violence, domestic violence, sexual assault, and stalking,” “sexual assault,” and “stalking.”
  • Require institutions to address in their annual security reports their current policies concerning campus law enforcement, including the jurisdiction of security personnel, as well as any agreements, such as written memoranda of understanding between the institution and police agencies, for the investigation of alleged criminal offenses.
  • Require institutions to address in their annual security reports their policies to encourage accurate and prompt reporting of all crimes to the campus police and the appropriate police agencies when the victim of a crime elects to or is unable to make such a report.
  • Require institutions to provide written information to victims about the procedures that one should follow if a crime of dating violence, domestic violence, sexual assault, or stalking has occurred, including written information about the preservation of evidence; how and to whom to report offenses; the victim’s options for support by local law enforcement and campus authorities; and the victim’s rights and the institution’s responsibilities regarding orders of protection or similar orders issued by a court or institution.
  • Require institutions to address in their annual security reports how the institution will complete publicly available recordkeeping requirements, including Clery Act reporting and disclosures, without the inclusion of identifying information about the victim.
  • Require institutions to address in their annual security reports how the institution will maintain as confidential any accommodations or protective measures provided to the victim, to the extent that maintaining such confidentiality would not impair the ability of the institution to provide the accommodations or protective measures.
  • Require institutions to specify in their annual security reports that they will provide written notification to students and employees about existing counseling, health, mental health, victim advocacy, legal assistance, visa and immigration assistance, and other services available for victims both within the institution and in the community.
  • Require institutions to specify in their annual security reports that they will provide written notification to victims about options for, and available assistance in, changing academic, living, transportation, and working situations and clarify that the institution must make these accommodations if the victim requests them and if they are reasonably available, regardless of whether the victim chooses to report the crime to campus police or local law enforcement.
  • Require institutions to specify in their annual security reports that, when a student or employee reports to the institution that the student or employee has been a victim of dating violence, domestic violence, sexual assault, or stalking, whether the offense occurred on or off campus, the institution will provide the student or employee a written explanation of the student’s or employee’s rights and options.
  • Require institutions to maintain statistics about the number of incidents of dating violence, domestic violence, sexual assault, and stalking that meet the proposed definitions of those terms.
  • Revise the definition of “rape” to reflect the FBI’s recently updated definition in the UCR Summary Reporting System, which encompasses several categories of sexual assault that are used in the UCR National Incident-Based Reporting System.
  • Revise and update the definitions of “sex offenses,” “fondling,” “incest,” and “statutory rape” in Appendix A to subpart D of part 668 to reflect the FBI’s updated definitions.
  • Emphasize that institutions must, for the purposes of Clery Act reporting, include in their crime statistics all crimes reported to a campus security authority.
  • Clarify that an institution may not withhold, or subsequently remove, a reported crime from its crime statistics based on a decision by a court, coroner, jury, prosecutor, or other similar non-campus official.
  • Specify that Clery Act reporting does not require initiating an investigation or disclosing identifying information about the victim.
  • Revise the categories of bias for the purposes of Clery Act hate crime reporting to add gender identity and to separate ethnicity and national origin into independent categories.
  • Specify how institutions should record reports of stalking, including how to record reports in which the stalking included activities in more than one calendar year or in more than one location within the institution’s Clery Act-reportable areas, and how to determine when to report a new crime of stalking involving the same victim and perpetrator.
  • Create an exception to the requirements of the Hierarchy Rule in the UCR Reporting Handbook for situations in which an individual is a victim of a sex offense and a murder during the same incident so that the incident will be included in both categories.
  • Clarify that an institution must withhold as confidential the names and other identifying information of victims when providing timely warnings.
  • Implement the requirements pertaining to an institution’s educational programs to promote awareness of dating violence, domestic violence, sexual assault, and stalking by requiring that specific information about awareness campaigns, programs, policies and procedures, and definitions be included in the annual security report.
  • Implement requirements pertaining to an institution’s procedures for campus disciplinary action in cases of alleged dating violence, domestic violence, sexual assault, or stalking.
  • Prohibit retaliation by an institution or an officer, employee, or agent of an institution against any individual for exercising their rights or responsibilities under any provision under the Clery Act.

Legislation is written as a response to a problem that is not being addressed appropriately. Assigning roles and responsibilities for compliance is the first step, but an effective program will require a comprehensive and coordinated effort that includes people, processes, and technology, as does any security program. Training and gap analysis will be ongoing requirements of developing a compliant program and a safer campus for all students and employees.

On the surface the new requirements under SaVE look onerous, but just as with the earlier version of the Clery Act, there are specific components that support each other and begin with the policy statements. The 2013 amendment is expected to raise the level of response to and prevention of sexual violence in institutions of higher learning by raising awareness, increasing transparency, and providing for accountability. The framework of the new requirements provides for victims’ rights, conduct proceedings, and education programs, and has the support of bipartisan legislators and of victims who are working to increase the penalties for non-compliance.

In today’s environment the consensus is that the threat of lost funding and the imposition of $35,000 fines per violation are not driving compliance. Legislators are now exploring the possibility of imposing new penalties, including fines of up to $150,000 per violation or up to 1% of the institution’s operating budget.

Is your institution ready for October 1, 2014? Can it afford not to be?


Assessment Completed at University of Maryland Eastern Shore

Posted on 14, Nov | Posted by RMA

Risk Management Associates, Inc. completed its assessment of the University of Maryland Eastern Shore security program. The assessment began with the review of security-related policies and procedures and other related documents. Members of the RMA team visited the UMES campus to conduct independent observations and interviews with approximately 100 individual stakeholders. Local law enforcement was contacted, and both police calls for service and reported crime data at each campus and the surrounding areas were requested and reviewed. Copies of any internal security-related incident reports were obtained and evaluated. A report of findings and recommendations was provided.

The University of Maryland Eastern Shore (UMES) is a land-grant, historically black college founded in 1886 as the Delaware Conference Academy. Since its beginning, the institution has had several name changes and governing bodies. It was Maryland State College from 1948 until 1970, when it became one of the five campuses that formed the University of Maryland. In 1988, it became a member of the then eleven campus (now thirteen) University of Maryland System, now known as the University System of Maryland. UMES is approved by the state of Maryland and fully accredited by the Middle States Association of Colleges and Schools.


RMA Presents at CSI Week at Meredith College

Posted on 25, Oct | Posted by RMA

Chris Peterson presented Enemies at the Gate – or Are They Already Inside? as part of CSI Week at Meredith College. CSI Week allows students at Meredith to explore career opportunities in law enforcement and related fields. The event is sponsored by the Sociology and Criminology Programs, and the Sociology & Criminology Club (and with the support of Political Science, Accounting, & Social Work).

Other presenters during the week included:

  • Special Agent Jahaira Torrens spoke about Homeland Security Investigations.
  • Cat Flowers, owner of Cat Eye Detective Agency, presented.
  • Police Officer and Social Worker Renea Lockhart spoke about domestic violence and being both an officer and a social worker.
  • U.S. Marshals talked about the work they do tracking down fugitives and other law enforcement activities.
  • Wake County Prosecutors spoke about their work.
  • RPD Gang Unit talked about their work with gang prevention and dealing with gangs in Raleigh.
  • Crime Scene Analysis: an RPD patrol officer, a CCBI investigator (the local CSI), and a Raleigh Police detective talked about how they work and investigate a crime scene.
  • Cary Police Department crime mapping analyst Elise Pierce spoke about her work using crime mapping to facilitate the work of police in Cary.

Chartered in 1891, Meredith College is one of the largest independent private women’s colleges in the U.S. Meredith also offers coeducational graduate programs in business, education and nutrition, as well as post-baccalaureate certificate programs in pre-health and business, a dietetic internship program, a didactic program in dietetics and a paralegal program. Meredith’s programs – undergraduate and graduate — challenge each individual student to think deeply, push hard, discover new strengths and grow even stronger. Meredith has been cited as one of the “best colleges” in the region and the country by U.S. News & World Report, The Princeton Review and Forbes.com.


Termination Guidelines

Posted on 16, Oct | Posted by Julius Stanley Carroll, CPP, CFE

Terminations are often a stressful situation, both for the terminated employee and for the individual responsible for conducting the termination. Listed below are some guidelines that can help defuse volatile situations and make the process run more smoothly.

  1. Always plan the termination. Think it through.
  2. Always have two supervisors/managers present during the termination. The meeting should be cordial and professional but also attempt to accommodate the employee’s feelings and concerns. Regardless of whether the employee becomes angry or upset, do not resort to harsh words or language.
  3. If you feel the termination might become heated, contact security and discuss prior to the termination. If you don’t have a security director, obtain guidance from a company like RMA that has security professionals who have participated in hundreds of outplacements.
  4. If the employee is known to be highly volatile and potentially prone to violence, consider having security present and ensure you have an appropriate plan to respond to those concerns. Provide reason(s) for the termination. However, do not engage in a debate. The decision has been made and arguments should be avoided.
  5. Carefully choose the room to be used for the termination.
    • When possible use a room with two access points.
    • Remove or hide things that can be used as a weapon. Keep the room “clean” (sanitize).
    • The setting should be private. Allow the employee to retain their dignity.
  6. Try to avoid Thursday and Friday as the day for the termination; Monday and Tuesday are better. Select a time during the day when there are fewer employees around.
  7. If offering a separation package, avoid a detailed review of the package at the termination meeting. The employee will likely remember little of that discussion. Do, however, tell the employee that the package is confidential and must not be discussed with others.
  8. If the termination goes as planned:
    • Retrieve all company property, e.g. keys, ID badge, monies, etc.
    • Do not let the individual go back to his or her personal workspace, but ascertain whether the individual has personal belongings such as a purse or medications that you need to retrieve for them. Advise the individual that all their personal property will be mailed/shipped to them.
    • Do not let the individual leave the facility and come back into the facility.
    • Walk the individual out of the facility and watch them leave the property, but do it in a cordial way.
    • Notify the proper facility managers of the termination so the individual can’t get back into the facility.
    • Have the individual removed from the card access system immediately.
  9. If the termination becomes heated, never challenge or argue with the employee.
    • Advise the individual to leave the property. If they don’t comply, call 911.
    • Do not challenge or argue.
    • Report to HR and Safety/Security immediately.
    • Be prepared to go into lock-down.

Held Hostage by a Dishonest Employee

Posted on 16, Sep | Posted by Russell W. Gilmore, CISSP, CISM, EnCE

I recently was involved in a case in which a company employee was discovered using a company credit card for personal reasons. This happens occasionally, and one would think that immediately terminating the employee would resolve the issue. But what happens when the employee is the one and only IT person for the company?

Many companies have only one person to manage all of their IT needs. There is nothing wrong with this. Considering that 99.7 percent of U.S. employer firms are a small business (http://www.sba.gov/sites/default/files/FAQ_Sept_2012.pdf), having a sole IT person may be very common. The problem with this situation is the lack of oversight and management of the IT person by company executives and owners. What are the consequences caused by this scenario? How can companies and organizations prevent the backlash experienced when a single person has the “keys to the kingdom”?

This issue can occur in any business with a small IT staff. This particular case involved an employee who had been with the company for eight years. In that time, the employee came to be the only person who dealt with all IT issues. He managed the website, the phone system, the internet service, all servers, all workstations, the data connections for multiple facilities – you get the point. The employee could have brought the company to a standstill for several days, if not several weeks, had he wanted to do so. It was not until deciding that he needed to be fired that someone finally asked the question “What does he do, and can we do it without him?” The answer was, “No.”

In this case, the employee was being terminated for cause. What if he had been hit by a bus? The company would still be in the same position. The only option left for the company was to hire someone to come in and inventory the network to help them prepare for the employee’s termination. This involved hundreds of man-hours. Fortunately, the transition was successful and the company lost no production time.

There are several steps that can be taken to prevent this from occurring in your business. The person responsible for a company’s IT needs should document everything and provide this documentation to management or ownership in a reviewable format on a regular basis. This document should be considered a living document, and any time there is a network change or system change, the document should be edited to reflect the change. The document should include but not be limited to:

  • A list of service providers and all information needed to contact this service provider for support or changes. This includes the Internet service provider, phone service provider, web hosting company, cell phone provider, cloud services, or any other service provider used by the company.
  • Administrator passwords. These can be sealed in an envelope and/or put in a safe.
  • Device passwords and configuration. Think about firewalls, switches, wireless routers, and other equipment.
  • Software passwords and configurations. The IT administrator may be the only person aware of specialized software used in the office that requires specialized configuration or passwords. Make sure this information is documented and available to company executives.
  • Procedures for backing up and restoring systems.
  • A “What if…” document. This document would include instructions on how to deal with and recover from system outages, power outages, or other unique IT failures.

Depending on your network, the information needed in this document will differ. The best way to determine what you may need to document is to sit back and think of the problems created if your IT person were gone. What questions would you have? The document should answer all of these questions. It is also important to make the person responsible aware that this document is a “Continuity of Operations” document. There are many reasons why an IT employee may not be able to come to work, but their absence should not disable any part of the IT infrastructure.

It is also critical to make sure there are two people on the point-of-contact list with all service providers. The second person on the list should be an owner or executive of the company. If the IT person should be unable to perform his or her duties for any reason, the executive or owner of the company can call the service provider and make necessary changes without jumping through a lot of hoops to gain ownership of the service.

Finally, have a third party review this information at least once a year. That third party could be an outside consultant or even a current employee with knowledge of the network and need for business continuity. An outside consultant has the advantage of being objective when looking at an environment and utilizing their experience to help direct and drive a “Continuity Plan” that will protect the company in the event of any number of unexpected events.


RMA Presents Bring-Your-Own-Device Policies at RTP CFO Forum

Posted on 6, Sep | Posted by RMA

Chris Peterson and Russell W. Gilmore (http://www.rmasecurity.com/about-rma/team-profiles/russell-w-gilmore/) presented BYOD (Bring Your Own Device): Issues and Implications for Companies at the September RTP CFO Forum. The program discussed security issues and considerations for companies when employees connect personal devices to the company network. What issues need to be considered to accommodate lawsuits, audits, and records requests? How can companies prepare for lost or stolen devices? What steps can and should be taken when terminating employees?

The RTP CFO Forum serves the greater Raleigh, Durham and Chapel Hill region, supporting over 200 senior financial executives. The Forum is designed to provide interactive networking and discussion of technical and strategic topics in an environment created exclusively for senior-level peers. CPE is provided on select topics.

The RTP CFO Forum is scheduled for the first Friday of every month, from 7:30 AM – 9:00 AM. Attendance is limited to CFOs or senior financial professionals in similar positions. The RTP CFO Forum is sponsored by Hughes Pittman & Gupton, LLP.


Stealing on the Way Out

Posted on 12, Aug | Posted by Russell W. Gilmore, CISSP, CISM, EnCE

Having to terminate an employee is never easy. To make the process even more difficult, consider the recent survey conducted by Harris Interactive on behalf of Courion which stated that 19% of employees age 18 to 34 would take company data with them if they knew they were about to be fired. Read the full story here.

Depending on the employee’s position at the company, the termination process could be quite cumbersome. Before terminating an employee, it is good to think about their role in the company and what they have access to or control over. Each situation is different and should not be handled in a cookie-cutter fashion. Terminating the IT manager will involve different issues than terminating a sales person.

What steps can you take to minimize risk? Strong policies and procedures are a good starting point. If an employee knows that severe repercussions may result for data theft, he or she may decide against the theft.

As we’ve said before, there are opportunities for companies to preserve data and protect themselves prior to the termination process or as part of the termination procedure itself (When Employees Leave Data Should Stay). When it is evident that an employee must be terminated, steps should be taken to image the computer or devices used by the employee, even if a future computer forensic analysis is not needed. It may even be beneficial to image the computer prior to termination and again after termination. I have often been called to recover data deleted by an employee after they have learned of their impending termination.

As a consultant, I have assisted in a number of terminations, and they are all different. Proper preparation and forethought will not only benefit the company but protect the employee as well.


Security in the Office – A Checklist

Posted on 30, Jul | Posted by Christine L. Peterson, CPP, ISP

  • Comply with and support your company’s safety and security program and regulations, and insist that others do the same.
  • Protect wallets, keys, purses, and other personal valuables on the job. This especially includes smartphones and tablets.
  • Challenge strangers in restricted areas. The best way to approach this is from a helpful perspective, such as “Can I help you?”
  • Do not discuss company affairs off the job.
  • When leaving the office, even for a short period of time, clean up and secure your work space, with special attention to confidential documents. Also provide for the protection of company equipment assigned to you.
  • If you handle money as a part of your job, insist on positive identification before you cash checks, and refuse obviously counterfeit or questionable currency.
  • If you work in a retail establishment or any other business, guard against shoplifting and employee theft within the framework of the law. To deter shoplifting, speak to all customers in your area. Be wary of bulky coats, large shopping bags, partially opened umbrellas, and folded newspapers. Know your company’s policy on dealing with shoplifters, and adhere to it.
  • Make certain your employer has clear and adequate guidelines for handling complaints of sexual harassment.
  • Retain security guards, because they provide a substantial deterrent to the criminal’s expectation of success.