A Company Model for Developing Policies and Procedures

Posted on 1, Jun | Posted by Christine L. Peterson, CPP, ISP

While attending the NCMS Carolinas Chapter meeting at Cisco Systems recently, I saw a presentation by Mark Whitteker, MSIA, CISSP, ISP. Mark comes out of the IT security world, so most of his presentation focused on IT security. He also presented a segment on Building a Comprehensive Security Architecture Framework that might benefit all of us. What Mark shared with the group is a pragmatic approach to creating and updating policies and procedures that could be used by any organization. When implemented, this process creates a customizable framework that will allow organizations the stability to prosper.

In general, policies establish the strategic objectives and priorities of an organization. They set the standards and expectations for the population. From a security perspective, they are a powerful tool because they identify roles and responsibilities and provide for accountability. Policies establish responsibilities and expectations for every population within an organization, which should include all employees, contractors, visitors, and any other personnel on site. As Mark’s flow chart below demonstrates, procedures are developed much later in the process. Procedures are the detailed implementation instructions individuals follow to carry out the policies. They are often presented as forms or as lists of steps to be taken.

Why is this so important from a security perspective? All security events are caused by people who either intentionally do something to obtain, injure, or destroy an asset, or unintentionally do something through lack of knowledge or understanding. Therefore, unless an organization can protect all of its assets (human, capital, and reputation) from the nefarious or inadvertent actions of others at all times, it needs a security program that deters, detects, and defends business assets every day, all the time. Most businesses are not Fort Knox (which, by the way, is not immune from security events), and security-related policies and procedures are a critical tool that businesses can use to defend against the human threat.

What I believe Mark’s flow chart does is provide a systematic approach to the development of policies based on industry standards in a manner that can be applied company-wide.

[Figure: policy and procedure flow chart]

In any organization that is evaluating its policies or putting policies in place, the first place to start is the industry standards for the area to be covered by the policy. Areas such as lighting, egress, the protection of trade secrets, IT security, and the protection of classified and/or personal information are just some of the areas where security industry standards are available. In addition to the industry standards, there are security best practices that play an important role in any company’s security program. These may be industry specific or provide general guidance. In the absence of standards, companies are and will be judged against recognized best practices. Premises liability is a prime example of where this applies. An organization’s ability to defend itself against litigation depends on its ability to establish that a security program was in place to respond to threats that it was aware of or should have been aware of. Similarly, if an organization has to defend itself from a compliance violation or establish that it is due damages for a loss of trade secrets, it must be able to demonstrate the protective measures that were in place to protect that information. In all cases, security-related policies will be a key component of the security program.

There are many sources for security-related standards and best practices. Organizations such as ASIS International, the International Association for Healthcare Security & Safety (IAHSS), or the National Classification Management Society (NCMS) are good starting points for this kind of information.

Policies are the guidance necessary to protect your organization’s assets. When establishing those guidelines, look to industry standards and best practices for a general framework. Policies should be high-level and solution agnostic in order to minimize the need to revisit them as technology changes. Those details should be left to the policy standards.

Policy Standards are the specific technical implementation requirements established under the policies. Within the policies, these should appear as hyperlinks or references to policy standard documents rather than being detailed within the policy itself. This enables an organization to modify or update the standards as technology advances without requiring policy changes and the resulting review and approval by senior management.

Policy Implementation is about communication (who, what, when, where). Considerations include:

  • Who does this policy apply to?
  • What do you want them to do?
  • When does it apply?
  • When and how will the population be trained?
  • When and where will the population get additional awareness reinforcement?

Procedures are the guidance that individuals will need in order to comply with the policy. They provide the detailed, step-by-step instructions users must follow to implement controls according to the latest standards.

Services provide the population with information about the support services that are available to them and that exist to support their efforts. Here we are referring to security-related services, but the same idea applies to other areas of the business. If services are considered on the front end, communication improves, and the professionals responsible for implementing the policy and procedures are more likely to have the resources they need to give the population the tools and support required to comply.

Measuring Success brings the process full circle and puts in place a system of continuous quality control and improvement. Things change; populations change; and industry standards and best practices change. There should be a process to measure success and allow the organization to adapt.

In the world of security, the best that any organization can hope for is that they have the internal and external controls in place to divert persons with nefarious intent. It’s kind of like termites – if we can’t eliminate them, let’s at least make it so uncomfortable that they move somewhere else because there are lots of unprotected opportunities.

Data Security: Where there is data, there should be policy

Posted on 30, Mar | Posted by Russell W. Gilmore, CISSP, CISM, EnCE

The recent report by the Wall Street Journal about the Morgan Stanley breach scares me as an employee. Reportedly Galen Marsh, a financial adviser for Morgan Stanley, was fired for allegedly stealing account information from about 350,000 wealth management clients and posting some of it online. The part that concerns me is the reports that federal law enforcement officials are focusing their probe on the possibility that Marsh’s computer was hacked.

I have not reviewed the full report nor have I looked deeply into the incident. My attention was drawn to the consequences that befell Mr. Marsh and the slim possibility that he did nothing wrong. It seems that in this day of BYOD – Bring Your Own Device – and the use of laptops and mobile devices by employees, it is time for there to be a clear understanding about the company’s responsibilities and the individual employee’s responsibilities. This is not to suggest that an employee’s first question should be “Will I get fired if this laptop is hacked and company data is stolen?” when presented with a company laptop. There should be a clear understanding between the company and the employee of what is expected of each as it relates to the security and control of any electronic device that contains company data.

The foundation of this understanding begins with a good company policy. A policy should be specific regarding the proper use of electronic devices. A policy should also indicate who is responsible for areas such as email security, data security, acceptable use, and physical security of the device. A policy should be a living document. An electronic device policy that covers laptops should be reviewed at a minimum once a year. Policies should be flexible. Some employees may take a laptop home and some may not.

Companies should give employees a chance to review policy before they sign it and allow them to ask questions. I suspect Morgan Stanley utilizes policies that cover the use of laptops by employees for work purposes. I doubt the employee thought he would get fired if the laptop was hacked and client data was exposed. What if the employee were a CFO or CEO?

There is most likely a lot more to this story than has been made public, but the heart of the matter is, as an employee, make sure you are fully aware of what the company expects as it relates to the use of company data and company provided electronic devices.

RMA Exhibits at the IACLEA Southeast Regional Conference & the 15th Annual SCCLEA Linda B. Floyd Safety Conference hosted by Furman University

Posted on 2, Mar | Posted by RMA

RMA participated as an exhibitor at the IACLEA Southeast Regional Conference & the SCCLEA Safety Conference hosted by Furman University in Greenville, SC. The conference brought together over 250 campus law enforcement administrators from across the southeastern United States. The Director of University Police, Tom Saccenti, and his staff provided all the participants with gracious southern hospitality, with the beautiful Furman campus as a backdrop. This setting allowed the attendees to focus on the serious business of Leadership in a Crisis.

“Knowing how to respond quickly and efficiently in a crisis is critical to ensuring the safety of our schools and students. The midst of a crisis is not the time to start figuring out who ought to do what. At that moment, everyone involved – from top to bottom – should know the drill and know each other.”

Margaret Spellings
Secretary of Education, 2005-2009

Chief Michael Kehoe of Newtown, CT, began his presentation with this quote, which also captured the underlying themes that ran through all the presentations on the first day of the conference. The IACLEA Southeast Region brought together a powerful group of presenters including:
• Retired Chief Wendell Flinchum, Virginia Tech Police Department, 2006-2014
• Dr. Gene Deisinger, Ph.D., Executive Officer, Virginia Tech Police Department
• Chief John DiFava, MIT Police Department
• Chief Michael Kehoe, Newtown, Connecticut
• Lt. Col. Dave Grossman

Each of these presenters shared, for the benefit of the audience, the “good, the bad, and the ugly” side of leading their departments during a significant crisis or a series of significant crises. They took the audience through the details they could share that formed the basis of the decisions made as the crisis unfolded: what they knew, what they didn’t know, lessons learned along the way, and changes they made to their response program after the fact. The presenters shared common themes they learned in responding to a crisis, including the need for a multi-disciplined approach that includes but is not limited to:

• Relationships: build a network of diverse support before the event happens, and reach out to that network during the crisis – ask for help from people you trust
• Develop a case management plan that is proactive, integrated, and adaptive
• Training, training, training and awareness are critical
• Prevent and mitigate
• Be prepared to monitor and reassess continuously during the crisis
• Assign scribes and capture as much as possible during the crisis; don’t rely on memory
• Communicate

RMA Awarded South Carolina Federal Credit Union Security Assessment Project

Posted on 24, Feb | Posted by RMA

RMA will perform a physical security assessment, including a threat assessment, of the South Carolina Federal Credit Union (SCFC) Corporate Office and 17 branches. As part of the assessment, RMA will review existing security programs, security officer duties, reporting structure, and job descriptions. Members of the RMA Team will travel to 18 different sites in South Carolina to become familiar with SCFC security practices. RMA will complete a physical assessment, conduct interviews, and review security programs and security officer responsibilities at the corporate office as well as the 17 branch offices.

South Carolina Federal is a community-chartered credit union with 17 branches and more than 50 ATMs throughout Charleston, Georgetown and Columbia. South Carolina Federal Credit Union offers a full range of financial services including savings and investments, checking, credit cards and loans.

RMA Awarded DHSS – State Laboratory of Public Health Security Assessment Project

Posted on 17, Feb | Posted by RMA

RMA will conduct a physical security assessment of the North Carolina Department of Public Health State Laboratory of Public Health and Office of the Chief Medical Examiner. The security assessment will include site interviews, a physical and electronic security assessment, and a review of the policies and procedures.

The State Laboratory of Public Health provides certain medical and environmental laboratory services to public and private health provider organizations responsible for the promotion, protection and assurance of the health of North Carolina citizens.

RMA Teams with Perkins & Will to Provide a Security Assessment of Piedmont Electric Membership Corporation

Posted on 12, Feb | Posted by RMA

RMA has teamed with Perkins & Will, a global architecture and design firm, to provide a security assessment to Piedmont Electric Membership Corporation. The security assessment will include a physical security review of building exteriors and a review of security systems technology.

Perkins & Will is an interdisciplinary, research-based architecture and design firm established in 1935. Each of the firm’s 24 offices focuses on local, regional and global work in a variety of practice areas. Perkins & Will is recognized as one of the industry’s preeminent sustainable design firms due to its innovative research, design tools, and expertise.

Piedmont Electric Membership Corporation is a Touchstone Energy Cooperative in Hillsborough, North Carolina. Piedmont Electric is a nonprofit electric utility serving 31,000 consumers in parts of Alamance, Caswell, Durham, Granville, Orange and Person counties.

Chris Peterson and Mike Epperly are Keynote speakers at the NCACLEA 2015 Winter Conference

Posted on 2, Feb | Posted by RMA

RMA was pleased to be able to support the North Carolina Association of Campus Law Enforcement Administrators (NCACLEA) as keynote speakers at their 2015 Winter Conference. The conference was hosted by the Wake Tech Community College Police Department and held at North Campus at the Wake Tech Community College Public Safety Center.

Chris and Mike presented “Clery Compliance Update: Campus SaVE Act & VAWA”. Risk Management Associates, Inc. works with administrators and campus public safety officials to make sure they understand their obligations under the Jeanne Clery Act and associated regulations as well as Title IX. We help them develop the procedures necessary to satisfy the requirements under those federal laws. At the same time we address other security-related issues that affect operations, facilities, students, faculty, staff and guests.

The NCACLEA has been a key partner in the campus law enforcement community. The conference brought together administrators from across the state to network, share best practices, discuss challenges, and develop the resources that law enforcement administrators need to protect the people, physical assets, and reputation of the colleges and universities. As a security advocate and partner in the education area, RMA was pleased to support NCACLEA and the members they serve.

Mike Epperly attends Association of Title IX Administrator Investigator Training

Posted on 30, Jan | Posted by RMA

In January, Mike Epperly attended Association of Title IX Administrators (ATIXA) Investigator Training. ATIXA’s training is a comprehensive class focused on treating campus sexual misconduct as civil rights discrimination and investigating it as such. Civil rights investigations are not police-led investigations, and they are not the same as investigating a student conduct violation. Title IX investigation skills are specific and highly specialized, and the ATIXA Investigator Training develops and enhances those skill sets.

ATIXA provides a professional association for school and college Title IX Coordinators, administrators, and investigators who are interested in serving their districts and campuses more effectively. Since 1972, Title IX has proved to be an increasingly powerful leveling tool, helping to advance gender equity in schools and colleges. ATIXA has been formed to promote professional development and foster collaboration in what is actually a field of 25,000 people who all are assuring Title IX compliance in our schools, colleges and universities.

The National Center for Higher Education Risk Management Group, LLC (NCHERM), a law and consulting firm, endowed a grant that created the Association of Title IX Administrators (ATIXA). In 2010, NCHERM created the only Title IX Coordinator/Investigator Training and Certification Course, which is now an ATIXA professional development opportunity. ATIXA is an independent, not-for-profit organization served by an Advisory Board.

Rusty Gilmore Speaks at the ASIS Monthly meeting

Posted on 28, Jan | Posted by RMA

On Wednesday, January 21, 2015, the local chapter of ASIS International, Chapter 119, held its monthly meeting at the PNC Center in Raleigh, NC. Rusty Gilmore was the guest speaker. Rusty gave a presentation on Computer and Network Vulnerabilities: Steps to Protecting Your Systems and Data.

Rusty Gilmore presents at the ProNet Systems Executive Briefing 2014

Posted on 17, Dec | Posted by RMA

ProNet Systems hosted their annual Executive Briefing on December 9th at the City Club in Raleigh, NC. The event was titled “Keeping up with Security Trends and Technologies.” Some of the key speakers included:

  • Alan Jelley, ProNet Systems, Inc. – New Technology Advancements and Trends
  • Nathan Schroeder, Focus Sales; Ryan Bach, Avigilon – Totally Integrated Access & High Resolution Video
  • Rusty Gilmore, Computer Forensic Consultant, Risk Management Consultants – Hacking and Computer Security 101
  • Lou Tunno, HID – Latest Credential and Biometric Development: The Smart Phone as a Credential
  • Nathan Schroeder, Focus Sales; Ryan Bach, Avigilon – Advances in High Definition Video and Video Analytics

Dana Frentz and Emily Liner of RMA attended the ProNet Systems seminar.