<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Monad Security Audit Systems</title>
	<atom:link href="http://www.monadsecurity.com/feed" rel="self" type="application/rss+xml" />
	<link>http://www.monadsecurity.com</link>
	<description></description>
	<lastBuildDate>Thu, 23 Feb 2012 23:14:22 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.1</generator>
		<item>
		<title>Strategically Social</title>
		<link>http://www.monadsecurity.com/2012/02/strategically-social</link>
		<comments>http://www.monadsecurity.com/2012/02/strategically-social#comments</comments>
		<pubDate>Thu, 23 Feb 2012 23:14:18 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Latest News]]></category>

		<guid isPermaLink="false">http://www.monadsecurity.com/?p=791</guid>
		<description><![CDATA[Posted by Fire Fighter Christopher Huston on February 4, 2012 If you take a minute to think about how our strategies and social skills are intertwined, you see the connection. Many levels and types of social skills are important aspects of our duty. How we interact socially affects how we will interact strategically. If you [...]]]></description>
			<content:encoded><![CDATA[<p><em>Posted by Fire Fighter Christopher Huston on February 4, 2012<br />
</em><br />
If you take a minute to think about how our strategies and social skills are intertwined, you see the connection. Many levels and types of social skills are important aspects of our duty. How we interact socially affects how we will interact strategically.</p>
<p>If you have not read &#8220;Training Warning Flags&#8221;, go through that first along with &#8220;Owning Training&#8221; as they are built upon each other.</p>
<p>Four of the five more significant warning flags are dependent upon the social skills of those leading and following. Tone of voice, body gestures/language, respect given and received are large players when conveying a message. When the student has already “checked out” it is even more challenging to bring them back. When these skills are corrected and honed during training, the dividends will pay off on the street.</p>
<p><strong>The following list applies to classroom, the firehouse and the fire ground.</strong></p>
<p>1. How people interact with each other.<br />
2. How leaders interact with their subordinates.<br />
3. How bosses disseminate information down to the managers.<br />
4. In the ways we influence each other through social skills when dealing with our customers.<br />
5. How the public perceives us.</p>
<p><strong>Does the administration empower the students to take ownership of their training?</strong></p>
<p>This can be a difficult situation to pin down. Consider this scenario: you are the duty Captain and the BC called to have your crew sweep the drive near the road. It is nearing the end of winter and all the salt, sand and rocks make for a not so clean appearance. How do you approach your guys? “Hey guys, the #$%^ Chief told us we have to clean up the drive because it makes his station look like we are a bunch a lazy !@#$%%^.” Instead, try this: “Men, I noticed that the drive could use some spring cleaning and we should clean it up because I know how much pride you take in our house.” Which one would motivate you more to get the job done, or at least with less complaining? A scene from the movie Office Space really shows how poor social interaction while giving orders in the workplace fails. Mmm-k. Department administration should feel confident they have the right oversight in place. Micromanaging the players takes away their feeling of ownership of their personal success. Training is where it starts. As the lead or assistant, wear the same amount of gear the students are expected to. Sweat with them, crawl with them and work with them. Standing by the rehab fan with coffee is not reinforcing expectations; in fact, you will fall well short of the mark. The students will understand how important the training is when those that teach it also participate. Success is built on how we fail; allow the students to fail so they can learn and succeed. Ownership comes from the sense of accomplishment. A human emotion cannot truly be created for someone else; it must come from within. Empower your students to want that emotion.</p>
<p><strong>Does your program allow for student feedback?</strong></p>
<p>This small gesture is monumental. The students use these skills. If they do not find value when applied on the street or see better ways, collect that feedback. We have many books to educate with, but they are not perfect resources. A combination of classroom, hands-on training, real-world application and feedback works best to create excellence. Collecting the feedback is not enough; it is your response to the feedback that must be valued. Even if the feedback is not substantial, thank the student; let them know you will consider their point of view. Body language as a social interaction skill will tell your feelings more than your words. Be mindful of this when receiving and responding to feedback. Save feedback and use it to YOUR advantage. Create a type of log to review and ensure changes are made to your program that address these shortcomings.</p>
<p>When the student sees this process in the training environment, they will also see the benefits on the fire ground. Personal experience has shown the best Incident Commanders value the information coming from the crews performing the work. When the feedback is valued, a cohesive organization exists.</p>
<p><strong>Do you have weaknesses with the conduct of training?</strong></p>
<p>The training program may be the best in the world but unless you lay out your expectations in an open, honest and positive way, you are destined to fail. The simple interaction between students and Instructors could be the only weakness. Create a systematic approach to training. Define what types of training there are and define how each is to be conducted. For example:</p>
<p>Department Training – training that all members are required to attend. Each session will start with the Instructor defining the expectations for the session, reviewing all rules and responsibilities and how the training will be conducted. These sessions are started in the classroom using a presentation regardless of the type of training. Stay consistent with the regimen. Knowing what is going to happen allows the students to focus on what is being taught rather than how it’s being taught.</p>
<p>Company Training – training that a company or squad performs under the direction of a senior member or officer. This informal session typically reviews skills that the company would like to practice and are performed with less rigor.</p>
<p>The world’s problems get solved sitting on the tailboard. Smaller group sessions can discover imperfections in how training is performed. The feedback collected from this type of training can sometimes excogitate the Training Organization, as we go along.<br />
<strong><br />
Are your trainers reinforcing department standards and expectations?<br />
</strong><br />
Refer back to the first example, cleaning the drive. We are here to do a job, we may not always agree and may not feel it is our job, but the bosses make the decisions. In my experience, this falls back to the staff not seeing they are part of a larger picture. The bosses may have a plan; they may not articulate every detail of the plan to the crews. If your duty is to work the haul line, focus on the haul line and do it well. The team works best as a team, all performing their function. During training, leaders should follow department standards and expectations. Just as we want our people to &#8220;train like we fight&#8221;, we should be consistent with other department policies.<br />
<strong><br />
Strategies, tactics and socially engaged.</strong></p>
<p>Being at the end of a hose line, working to stop unrestrained fire is the last place you need to be worried about social shortcomings. The training environment shouldn’t limit its scope to the skills of our vocation. Training can develop solid communication and interaction skills between members. Fireground participants must have strong teamwork and interaction skills so their tasks are completed with vigor. Individuals entering the fire service in current times may not have participated in team sports; those skills will need to be developed.</p>
<p>For the Instructor, the most important social skill that you can exhibit is allowing your passion to shine. When you make training on new and old skills your passion, others will appreciate that. For the Officer, when you have well-trained and proficient Firefighters, you can step back and manage people. Social skills are strategies and tactics.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.monadsecurity.com/2012/02/strategically-social/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Using Fire Models to Understand Fire Behavior</title>
		<link>http://www.monadsecurity.com/2011/11/using-fire-models-to-understand-fire-behavior</link>
		<comments>http://www.monadsecurity.com/2011/11/using-fire-models-to-understand-fire-behavior#comments</comments>
		<pubDate>Tue, 29 Nov 2011 00:59:26 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Latest News]]></category>

		<guid isPermaLink="false">http://www.monadsecurity.com/?p=787</guid>
		<description><![CDATA[By Adam Barowy and Daniel Madrzykowski Published Tuesday, November 1, 2011 &#124; From the November 2011 Issue of FireRescue When a major fire occurs, especially one with associated firefighter injuries or deaths, departments often produce after-action reports, conduct investigations and inspect equipment. All of these are valuable in helping us understand what went right—and wrong—as [...]]]></description>
			<content:encoded><![CDATA[<p><em>By Adam Barowy and Daniel Madrzykowski<br />
Published Tuesday, November 1, 2011 | From the November 2011 Issue of FireRescue</em></p>
<p>When a major fire occurs, especially one with associated firefighter injuries or deaths, departments often produce after-action reports, conduct investigations and inspect equipment. All of these are valuable in helping us understand what went right—and wrong—as well as institutionalizing the lessons learned from the specific incident.</p>
<p>But today’s technology allows us to go beyond our more traditional means of learning. Using sophisticated models, we can simulate the movement of fire gases and heat through a building and estimate the response of various fire-protection systems. The National Institute of Standards and Technology (NIST) is the leader in the development of computer-based fire models, which have progressed dramatically as computer technology has improved. Such models allow us to understand from a scientific perspective how fires will play out under various conditions—and use this understanding to enhance firefighter safety.</p>
<p><strong>2 Models</strong><br />
The Fire Research Division at NIST has developed different kinds of fire models for more than 30 years. Currently, it maintains two: Consolidated Fire and Smoke Transport (CFAST) and the Fire Dynamic Simulator (FDS).</p>
<p>CFAST is a “two-zone” model that was developed in the 1980s. It has the advantage of producing a model in just seconds, but the disadvantage of providing only average compartment temperatures. FDS is a computational fluid dynamics (CFD) model developed in the past decade. It provides far more detail of the fire and the gas flow, but calculations can take hours or days to complete.</p>
<p>Both of these models can be used to simulate the movement of smoke and heat through a building. They can also be used to examine the activation time of smoke alarms and sprinkler systems. Both models use the scientific visualization tool Smokeview to visualize model results. Typically, these models are used by engineers to develop and support “performance-based” fire safety designs and to simulate fires as part of the fire investigation process. These fire models are verified and validated against fire test data to ensure that they provide the expected results.<br />
<strong><br />
Fire Reconstructions</strong><br />
In conjunction with local fire departments and NIOSH, NIST has developed fire simulations via FDS and Smokeview to assist in the understanding of the fire behavior in several line-of-duty death (LODD) incidents. The fire simulations provide insight into the growth and spread of fire and hot gases through the structures.</p>
<p>FDS, rather than CFAST, is typically used for fire reconstructions. FDS requires the fire building to be modeled in a 3-D volume divided into computation cells; it then numerically computes the density, velocity, temperature, pressure and species concentration of the gas in each cell. The model tracks the generation and movement of fire gases based on the laws of conservation of mass, momentum, species and energy.</p>
<p>Smokeview is a user-friendly post-processing tool that allows FDS’ numerical simulation outputs to be easily displayed with 3-D images. Smokeview can display contours of temperature, velocity and gas concentration in planar slices, plus realistic renderings of the smoke and fire.<br />
Inputs required by FDS include:</p>
<p>   &#8211; Geometry of the structure<br />
   &#8211; Computational cell size<br />
   &#8211; Location of the fire source<br />
   &#8211; Energy release rate of the fire source<br />
   &#8211; Mass, geometry and thermo-physical properties of walls, ceilings, floors and furnishings<br />
   &#8211; Size, location and timing of door and window openings inside and outside of the structure</p>
<p>The selection of input parameters has a significant impact on the outcome of the simulation. In many cases we don’t know all of the materials and fuels that existed at a fire scene. Due to this uncertainty, a range of values is typically used for input into the fire model. As a result, for a given fire, dozens of simulations are run to determine the parameters that generate the simulation that best aligns with the physical damage, photographic and/or video recordings of the fire, fire timeline, fireground recordings and witness statements.</p>
<p><strong>Lessons from Fire Modeling</strong><br />
One of the key features of FDS models is the ability to visualize the fire’s flow path. In many of the incidents NIST and others have analyzed with FDS, the firefighters lost their lives due to a rapid change in the fire environment. In almost all of the LODD cases examined with FDS, a change in ventilation resulted in a major increase in the energy release of the fire that either limited the firefighters’ ability to leave the building or overtook them.</p>
<p>For example, Cherry Road (Washington D.C., 1999), Iowa (1999), Prince William County, Va. (2007) and Texas (2009) all involved situations where the firefighters were positioned in the flow path between the source of the fire, and—due to the change in ventilation—the exit point for the fire gases. In other words, the firefighters were caught between where the fire was and where it wanted to go.</p>
<p>As complicated a technological marvel as FDS and Smokeview are, for the firefighter on the street, it helps to think of fire modeling as an advanced way of visualizing the fire triangle. As the triangle tells you, fuel, heat and oxygen are required to combine via chemical reaction for a fire to exist. Take any one of these away, and the fire cannot exist.</p>
<p>Most structure fires today are ventilation-limited fires. This means that there’s more fuel inside the structure (fuel-rich) than the available ventilation can provide oxygen for. The scenario has been demonstrated on the fireground and with FDS many times: The fire department arrives at the structure fire and only sees smoke. The smoke contains products of combustion that include fuels such as carbon monoxide, carbon particles and unburned hydrocarbons. So the structure, full of smoke, is effectively a large, insulated container full of pre-heated fuel.</p>
<p>The only thing missing from the fire triangle: oxygen. Opening a door or breaking windows will lead to a ventilation-induced flashover. This phenomenon was demonstrated at Cherry Road, and in wind-driven LODD fires, such as those in Prince William County and in Texas. The phenomenon was also demonstrated in the Charleston Sofa Super Store Fire. Significant quantities of hot smoke mixed with fresh oxygen after windows along the front of the store were broken out. As more oxygen was available to be burned, the heat release rate increased and flames extended out of the window openings.</p>
<p><strong>What’s Next</strong><br />
Although the LODD simulations have been effectively used in firefighter training courses, effort is being made at NIST to enable firefighters to use fire models in a more proactive and interactive manner. As the capabilities of the fire models increase and computational speeds improve, the use of models in training must expand in order to aid in the understanding of fire dynamics, particularly the impact of ventilation on a fire and other tactical considerations that will help prevent LODDs in the future.<br />
<strong><br />
For More Information</strong></p>
<p>   <em> More details on NIST fire models, reports and test data can be downloaded from </em><a href="http://www.fire.nist.gov">www.fire.nist.gov</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.monadsecurity.com/2011/11/using-fire-models-to-understand-fire-behavior/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>(PART 1) Antiterrorism Security Measures for Commercial Buildings: inspection and appraisal guidelines</title>
		<link>http://www.monadsecurity.com/2011/04/part-1-antiterrorism-security-measures-for-commercial-buildings-inspection-and-appraisal-guidelines</link>
		<comments>http://www.monadsecurity.com/2011/04/part-1-antiterrorism-security-measures-for-commercial-buildings-inspection-and-appraisal-guidelines#comments</comments>
		<pubDate>Sun, 17 Apr 2011 02:27:06 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Latest News]]></category>

		<guid isPermaLink="false">http://www.monadsecurity.com/?p=774</guid>
		<description><![CDATA[By Krisandra Guidry, Appraisal Journal &#8211; September 22, 2007 The importance of physical security in commercial buildings escalated in the wake of the tragic events of September 11, 2001. &#8220;As a result, it [became] imperative that critical infrastructures, such as government agencies, military bases, financial institutions, pharmaceutical companies, utilities, and petrochemical plants take appropriate measures [...]]]></description>
			<content:encoded><![CDATA[<p>By Krisandra Guidry, Appraisal Journal  &#8211;  September 22, 2007 </p>
<p>The importance of physical security in commercial buildings escalated in the wake of the tragic events of September 11, 2001. &#8220;As a result, it [became] imperative that critical infrastructures, such as government agencies, military bases, financial institutions, pharmaceutical companies, utilities, and petrochemical plants take appropriate measures to deter terrorist threats.&#8221; (1) However, protection against global terrorism is only one aspect of building security. Tenants, landlords, and managers of any high-profile, high-occupancy building must also consider other issues such as domestic terrorists, workplace violence, and disgruntled employees.</p>
<p>During the appraisal process, appraisers should weigh the impact of antiterrorism security measures on the value of a property. The following article focuses on how the design and construction of physical structures, rather than procedural changes, can diminish the damages caused by terrorism. Such enhancements should &#8220;block a terrorist&#8217;s destructive mission, while providing easy escape for occupants in an emergency.&#8221; (2)</p>
<p><strong>Background</strong></p>
<p>Obviously, not all buildings face the same risks. The criteria mentioned in this article do not apply for all projects. &#8220;For government facilities and other &#8230; buildings that have been identified as possible terrorist targets,&#8221; (3) the following will be invaluable to an appraiser.</p>
<p><strong>Regulation and Implementation</strong></p>
<p>All security enhancements must meet local or state building codes. However, security system design is not regulated, and no universal codes or standards apply to all public and private buildings. (4)</p>
<p>The federal government has led the way in developing and adopting security design criteria. The attack on the Murrah Building in Oklahoma City brought monumental changes in security for federal buildings and their leased spaces. The Interagency Security Committee (ISC) Security Design Criteria has been used as a minimum requirement for federal government facilities, especially for non-Department of Defense facilities. (5) The U. S. General Services Administration, the Internal Revenue Service, the U.S. Department of Agriculture, and the Social Security Administration have embraced the ISC Security Design Criteria. The Department of Homeland Security has indicated that it intends &#8220;to use the process through the many agencies under its control.&#8221; (6) However, the criteria can be applied to any facility, public or private.</p>
<p><strong>Terrorist Threats to Commercial Buildings</strong></p>
<p><strong>Terrorist threats are of two general forms: blast/ballistic threats and chemical, biological, and radiation (CBR) threats.</strong></p>
<p>Blast threats involve the use of large or small explosive devices. Large amounts of explosives usually require the use of a vehicle or aircraft in order to deliver the device to the intended target. On the other hand, smaller amounts may simply be hand carried into an unsecured area. &#8220;Ballistic threats range from random drive-by shootings to high-powered rifle attacks directed at specific targets within the facility.&#8221; (7)</p>
<p>The CBR modes of terrorism have a low probability of occurrence, but are potentially more destructive to human life than blast/ballistic weapons. (8) This form of terrorism involves the use of naturally occurring or human-engineered toxins with the express intent to cause illness or death. Chemical threats include the use of gases such as sarin and sulfur mustard gas. Anthrax, smallpox, and the Ebola virus are biological agents that can be transmitted from person to person after their initial release. Radioactive weapons obviously cause injuries from the initial explosion. However, people exposed to the radioactive material are in danger of developing radiation sickness afterward, as well as being at a greater risk of developing cancer later in life. Often, CBR weapons are referred to as weapons of mass destruction (WMD).</p>
<p><strong>Owner and Occupant Concerns</strong></p>
<p>According to the General Services Administration, structural enhancements should support &#8220;risk mitigation and reduce casualties, property damage and loss of critical function.&#8221; (9) They should also provide a safe and pleasant workplace environment without creating a &#8220;fortress mentality.&#8221; (10) Critics are concerned that certain security measures will interfere with urbanism and promote suburban sprawl if &#8220;businesses and government functions retreat behind a new kind of gated community.&#8221; (11) They believe systems should blend aesthetically with the buildings, site, and architecture, creating a &#8220;layer of transparent security&#8211;&#8211;security that is unobtrusive and visually pleasing.&#8221; (12)</p>
<p>The cost effectiveness of such systems is also a concern. It is often hard to justify changes to a design or retrofit an existing building with antiterrorism security measures when the likelihood of an event may be relatively small, but the potential losses catastrophic. It is estimated that the insured property losses associated with the World Trade Center attacks in 2001 were between $50 billion and $35 billion. (13) Unfortunately, expensive security systems offer no guarantees and possibly only limited protection.</p>
<p><strong>Antiterrorism Improvements<br />
</strong><br />
There are two ways improvements are protected from attack: access control and structural hardening. During site inspection, a variety of specific antiterrorism design elements may be noted.</p>
<p><strong>Access Control</strong></p>
<p>Access control attempts to deter or deny unauthorized persons access to the facility by limiting points of entry. Access control makes buildings more difficult to get into. The access control measures discussed in this section are site security requirements; vehicle entry/exit and parking; lighting; anti-ram devices; building layout; ventilation safeguards; fire protection; detection devices and electronic security; windows; and doors.</p>
<p><strong>Site Security Requirements.</strong> The appraiser may first examine the site for evidence of security requirements such as perimeter buffer zones, sufficient setback, acquisition of adjacent sites, and control of rights-of-way; clear, easy to read signage; landscaping that deters unwanted entry; and security fencing no shorter than eight feet high along the perimeter of the site.</p>
<p><strong>Vehicle Entry/Exit and Parking.</strong> To prevent high-speed approaches by unauthorized vehicles, site circulation should be designed to slow incoming traffic, vehicular entry/exits should be kept to a minimum number of locations, and parking should &#8220;concentrate activity to the [fullest] extent possible.&#8221; (14)</p>
<p><strong>Lighting.</strong> Security lights should be mounted very high (i.e., inaccessible without a tall ladder) and protected by shields of wire or polycarbonate. (15) Metal halide bulbs are preferred because they provide &#8220;white light which spreads light more evenly over the visual spectrum, helping to improve what people see under it.&#8221; Multiple lamps of moderate power provide a more secure environment than a few powerful lamps. (16) It is desirable for some lighting systems to be tied to sensors, turning on when someone or something approaches. The entire lighting circuit (not just the lamp) should be protected.</p>
<p><strong>Anti-Ram Devices.</strong> Anti-ram devices provide physical security to a building by acting as a barrier and increasing standoff. Standoff is &#8220;the distance between the potential explosion and the structural component.&#8221; (17) Bollards set around the perimeter of a commercial building can protect against vehicles carrying explosives. They may be made of steel or concrete. Concrete planters offer standoff protection via a level of transparent security while adding greenery to the site. In addition, speed bumps; walls; trenches; ponds and water basins; static barriers; sculpture and street furniture; and concrete signage can act as barriers. For sites large enough, perimeter security gates along with guard stations or booths bolster security. (18)<br />
<strong><br />
Layout of Building. </strong>It is very important for high-risk areas&#8211;&#8211;areas where blast or contaminants are likely to enter&#8211;&#8211;to be physically isolated from the rest of the building. Executive offices &#8220;should be placed so that the occupant cannot be seen from an uncontrolled public area such as a street. These offices should face courtyards, internal sites, or controlled areas.&#8221; (19) Loading docks, and shipping and receiving areas should be located at least 50 feet away from critical utilities and services. (20) Ideally, the mailroom would be located at an off-site location. However, when this is not possible, the mailroom should be located at the perimeter of the building along an outside wall. It should have adequate space for explosive and CBR disposal containers.</p>
<p><strong>Ventilation Safeguards.</strong> Ventilation system safeguards prevent a terrorist attack using the systems to spread chemical, biological, or radiological agents. (21) Access to the ventilation system should be limited only to authorized persons. During inspection, the appraiser may consider outdoor air intake vents and return air grills; these should not be easily observable or accessible by the public. Heating, ventilation, and air conditioning (HVAC) systems should have detection and filtration systems; emergency HVAC shutoff and control is desirable. Portions of the building may be zoned or have separate HVAC systems. The HVAC system should have the capability to respond to fire detection apparatus and be designed for smoke control and removal. (22)<br />
<strong><br />
Fire Protection.</strong> Fire protection should include features such as sprinklers, fire alarms, smoke control and fire-resistant barriers, a water system that is adequate for fighting a significant blaze, fireproof elevators, and wide stairwells.</p>
<p><strong>Detection Devices and Electronic Security.</strong> When it comes to detection devices and electronic security systems, appraisers may consider the following when valuing such a system: balanced magnetic switches for all exterior doors (including overhead and roll-up doors), (23) glass-break sensors for windows, motion sensors for interior rooms, closed-circuit television (CCTV) surveillance system with recording capability, and duress alarms with hidden call buttons.<br />
<strong><br />
Windows.</strong> According to the National Security Institute, &#8220;The ideal security situation (regarding blasts) is a building with no windows.&#8221; (24) However, since fire-safety considerations and municipal ordinances usually preclude such drastic measures, appraisers should look for panes of thermal tempered glass, which break into small pieces that would inflict less injury, (25) steel frames and anchorages &#8220;since their inherent resistance to blast may impart large reaction loads to the supporting walls,&#8221; (26) and protective coverings, such as bars, gates, mesh screens or shutters over windows, floor vents, transoms, and skylights.</p>
<p><strong>Doors.</strong> Points of entry used by the general public and by delivery persons should be limited. However, doors should facilitate emergency evacuation and control during an event. (27) All exterior doors should have locking capability. Key card or biometric (eye scan, fingerprint) access is a preferred feature for high-risk areas. Entrance and exit doors should have hinges and hinge pins on the inside to prevent removal. Solid wood or sheet metal-faced doors provide extra integrity. In the case of lobby doors and partitions made of glass, these doors should be hardened through glazing, or installation of blast resistant glass. (28) Door frames should be made of steel. </p>
<p><a href="http://www.entrepreneur.com/tradejournals/article/171851339_1.html">Full Article Here:</a> </p>
]]></content:encoded>
			<wfw:commentRss>http://www.monadsecurity.com/2011/04/part-1-antiterrorism-security-measures-for-commercial-buildings-inspection-and-appraisal-guidelines/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>7 Cyber Crime Facts Executives Need to Know</title>
		<link>http://www.monadsecurity.com/2011/03/7-cyber-crime-facts-executives-need-to-know</link>
		<comments>http://www.monadsecurity.com/2011/03/7-cyber-crime-facts-executives-need-to-know#comments</comments>
		<pubDate>Wed, 23 Mar 2011 22:55:21 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Latest News]]></category>

		<guid isPermaLink="false">http://www.monadsecurityauditsystems.com/?p=742</guid>
		<description><![CDATA[By Jon Murphy, CSO The bad guys are getting smarter. Whether they are terrorists who realize another way to hurt the world and advance their agenda is to destabilize the economies of developed nations, especially leaders like the USA, disgruntled insiders, or &#8220;ordinary&#8221; criminals with a predominant profit motive, cyber crimes are increasing and becoming [...]]]></description>
			<content:encoded><![CDATA[<p>By Jon Murphy, CSO </p>
<p>The bad guys are getting smarter. Whether they are terrorists who realize another way to hurt the world and advance their agenda is to destabilize the economies of developed nations, especially leaders like the USA, disgruntled insiders, or &#8220;ordinary&#8221; criminals with a predominant profit motive, cyber crimes are increasing and becoming more costly. In information technology security circles, there is some buzz about a July 2010 Cost of Cyber Crime Benchmark Study of a representative sampling of U.S. companies conducted by the Ponemon Institute. This organization conducts independent research on privacy, data protection, and information security policy.</p>
<p>The point that the Institute is seemingly trying to make with their representative study is that Enterprise Risk Management (ERM), especially as it relates to IT, needs to ramp up; companies are getting lax again (or still) and re-assuming an attitude that &#8220;it&#8221; (i.e., bad things) won&#8217;t happen to them. The 23-page Ponemon Institute report is available online at their website, but here is a high-level, seven-point summary and my input on how the information may relate to your company&#8217;s situation.</p>
<p><strong>Cyber crimes are far more costly than taking steps to harden an environment beforehand</strong></p>
<p>The study reports that the average response cost for companies that were impacted was $3.8 million per year. The cost of the technologies and processes that could have effectively mitigated or prevented the same incidents was generally less than 1/3 of that cost. In other words, and rather obviously &#8212; pre-planning and mitigation are a heck of a lot cheaper, in most cases, than merely reacting with an ad hoc response after an incident/breach.</p>
<p>Even more importantly, the appointment of a single top executive responsible for enterprise risk management, a la a Chief Security Officer, or better still, a Chief Risk Officer is a critical factor for success. Often autonomously reporting straight to the board of directors and with a true enterprise-wide view, not just technology centric, this executive can appropriately ensure that risk management is &#8220;baked in&#8221; at the start of projects and programs, rather than merely &#8220;bolted on&#8221; haphazardly as an afterthought. Also, merely relegating IT security and risk management to some &#8220;underling&#8221; as one facet of a job in some other line department is a quick recipe for big trouble.</p>
<p>Additionally, the creation and rollout of an ERM strategy and adherence to a voluntary governance/certification framework (such as ITIL / NIST, etc.) appear to substantially lessen both the chance of occurrence and the total cost of dealing with a cyber crime incident.</p>
<p><strong>Cyber crimes are pervasively intrusive and increasingly common occurrences</strong></p>
<p>Why, you ask? Many companies seem to have a cavalier or complacent attitude, at least unofficially, something akin to, &#8220;Our security is already good enough;&#8221; &#8220;We are already better than the competition;&#8221; &#8220;Those requirements don&#8217;t pertain to us,&#8221; etc. This hardening of attitudes is dead wrong on several counts!</p>
<p>What about your company? Also, know that compliant (with whatever standard or regulation) does not necessarily mean secure! IT Risk Management (InfoSec, BC / DR, Compliance, Governance), like ERM, is a continuous improvement program, not merely an &#8220;achieve it once and forget it&#8221; project. Then there is the mixed blessing of social networking, the newest avenue for potential business growth and nefarious conduct. Some analysts estimate that 30 percent of corporate bandwidth is consumed by social networking traffic.</p>
<p>Some proponents argue that social networks such as Twitter and LinkedIn function as agents of business outreach. Some IT vendor support is now delivered by social media sites. In addition, public relations and marketing teams are finding value in social networking to deliver promotions. YouTube is becoming a more mainstream platform for companies&#8217; public relations efforts.</p>
<p>While all that may be true, social media may also provide a gateway for viruses and malware and a productivity distraction, and employees may end up discussing sensitive or proprietary information without appropriate authorization. Furthermore, the competition and debt collectors also now use these sources to check up on companies&#8217; employees.</p>
<p><strong>The most costly cyber crimes are those caused by web attacks and malicious insiders</strong></p>
<p>How many public-facing web sites does your company use or host? What about your interfaces to the cloud? Have any of these sites been checked via a serious penetration test or for OWASP coding compliance? Generally accepted better practices state we should be doing quarterly OWASP scans and biannual penetration testing. How robust is your change management process? Also, have you considered &#8212; Quis custodiet ipsos custodes? It is Latin for &#8220;who will guard the guards.&#8221; Will it be internal auditing and logging for privileged access accounts? Mitigation of such potential vulnerabilities requires implementing technologies such as SIEM, DLP, and HIPS (among others) in concert within an enterprise-level threat and risk management strategy.</p>
<p><strong>At onset, rapid resolution is the key to reducing costs</strong></p>
<p>According to this benchmark study sample, cyber attacks can become even more costly if not resolved quickly. The report shows that the average number of days to resolve a cyber attack was 14 days with an average cost to the organization of $17,696 per day! How would that kind of dollar loss impact your company&#8217;s bottom line?</p>
<p>The survey revealed that malicious insider attacks can take up to 42 days or more to resolve. These costs demonstrate that quick resolution is needed for today&#8217;s sophisticated attacks. The study did not cover them, but you do need to consider the exorbitant costs of reputation damage (a.k.a. headline risk). For instance, in addition to the court and financial sanctions, what would happen to your organization&#8217;s brand if it were caught in violation of heightened PII protection laws like those in California, Massachusetts, or the EU?</p>
<p><strong>Loss of information due to theft represents the highest external cost, followed by the costs associated with the disruption to business operations</strong></p>
<p>The report cites that on an annualized basis, information theft accounts for 42 percent of total external costs. Costs associated with disruption to business or lost productivity account for 22 percent of external costs. It also follows, then, that the bigger a company grows, the bigger its potential exposure is as well. Tangential to these costs is the expense and reputation damage from the &#8220;second disaster&#8221; of negative press and lost customer/shareholder confidence. This is where a solid, pre-planned crisis communication program can help save the day, literally.</p>
<p>Detection of and recovery from incidents/breaches are the most costly internal activities. That also means that these investments are likely the most neglected areas due to these higher costs. Here is a quick reality check. If there is no/very little committed funding (not just a budget category pretext) and no/little top executive time dedicated to Risk Management, then all you have is another lip service program. Good luck with that WHEN things hit the fan! We&#8217;re beginning to hear of another gambit that some companies use to skirt the requirement to accept their responsibility of due care. Some companies are &#8220;budgeting&#8221; for ERM and/or InfoSec, but never actually committing the money. Or alternately, the companies claim they are continuing to research newer technologies, not for weeks or months &#8211; but for years! Some regulators and insurance companies are taking notice, even pursuing fraud charges or denying claims based on contributory negligence of the insured.</p>
<p><strong>All industry verticals are susceptible to cybercrime</strong></p>
<p>This report indicates that the average annualized cost of cyber crime appears to vary by industry segment, where defense, energy and financial services companies experience higher costs than organizations in retail, services and education. Nonetheless, all verticals are being adversely impacted and on an increasing frequency.</p>
<p>Over the last 5 years, an increasing number of business disaster declarations are not the result of Acts of God. Rather, they are the result of companies&#8217; intentional embrace (passive or not) of risk they obviously should not have accepted. Insurance companies are noticing. They are increasingly seeking further proof of due care and due diligence prior to issuing policies and before paying claims. The government is taking notice too!</p>
<p>There is some active discussion that the Federal government may soon further weigh in on private sector risk management, especially as it relates to IT. The premise here is that IT is now widely considered part of the mission-critical infrastructure of the modern interconnected economy, and voluntary adherence by non-governmental entities to generally accepted risk management practices is woefully insufficient. Actively being discussed as a potential new &#8220;due care&#8221; MINIMUM standard for all businesses (of certain size/revenue volumes) are more rigorous security frameworks, like PCI-DSS.</p>
<p>So, the next time your company makes budgetary considerations, perhaps you ought to at least encourage your IT departments to think about earmarking some additional funds for &#8212; at a minimum &#8212; a thorough enterprise-wide security assessment. For relatively little expense, existing personnel can be trained and even certified on how to do thorough assessments. There is a caveat, however. Frequently, existing internal staff are somewhat jaded and less objective than unbiased, independent third parties.</p>
<p>Ideally, a company should do regular internal assessments with a mind to collect and analyze the results within the organization. The next step then is to retain a qualified outside entity to do another assessment of similar scope to ensure an accurate picture. The outside entity can also offer independent expertise on prioritization for risk management and IT security investment. This way, your organization will know more accurately where you are and how you need to invest to ensure that your company does not imprudently risk making the wrong kinds of headlines and/or potentially adding to the nation&#8217;s vulnerabilities.</p>
<p>Jon Murphy is a nationally regarded technology, homeland security, risk management professional, author and speaker.</p>
<p>Visit article here at <a href="http://www.pcworld.com/businesscenter/article/216605/7_cyber_crime_facts_executives_need_to_know.html">PCWORLD</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.monadsecurity.com/2011/03/7-cyber-crime-facts-executives-need-to-know/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>10 ways to reduce insider security risks</title>
		<link>http://www.monadsecurity.com/2011/03/10-ways-to-reduce-insider-security-risks</link>
		<comments>http://www.monadsecurity.com/2011/03/10-ways-to-reduce-insider-security-risks#comments</comments>
		<pubDate>Sun, 06 Mar 2011 22:37:44 +0000</pubDate>
		<dc:creator>devteam</dc:creator>
				<category><![CDATA[Latest News]]></category>

		<guid isPermaLink="false">http://monadsecurity.com/?p=645</guid>
		<description><![CDATA[By Connie Kerr Takeaway: Insiders pose the top corporate security threat today. Recent reports indicate that insider breaches have risen from 80% to 86% of all incidents, with more than half occurring after employee termination. Not surprisingly, internal employees who are authorized to access company systems are most likely to be linked to fraud or [...]]]></description>
			<content:encoded><![CDATA[<p><strong>By Connie Kerr</strong></p>
<p>Insiders pose the top corporate security threat today. Recent reports indicate that insider breaches have risen from 80% to 86% of all incidents, with more than half occurring after employee termination. Not surprisingly, internal employees who are authorized to access company systems are most likely to be linked to fraud or a security breach — and of all employees, IT staff members have the most resources to do so. Accordingly, IT audits focus on several areas to identify risks. Employee fraud is built on a triangle — opportunity, motive, and rationalization. Effective controls require attention to all three angles. Here are some ways to implement these controls and reduce the opportunities your staff has to defraud you.</p>
<p><strong>#1: IT security policies</strong></p>
<p>Review IT security policies that address accounts and users with privileged access, such as domain administrators, application administrators, and DBAs. Ensure that policies exist and are clear on how access is requested, justified, and approved, and make sure they’re regularly reviewed. Without this, there is little basis for management of privileged access. Policies for managing privileged accounts aren’t complete without related reporting. Audit reports for privileged passwords often cover such topics as when passwords are updated, any update failures, and which individual identities performed tasks under a shared account.</p>
<p>Policies should have the goal of being able to stop user activities that are clearly indefensible. Ensure that all employees, contractors, and other users are aware of their responsibility to comply with the IT security policies, practices, and relevant guidance that is appropriate to their role.</p>
<p><strong>#2: “Super user” accounts and access</strong></p>
<p>It is important to know the level of exposure your organization has related to access. Determine the population of accounts and users with privileged access. Obtain a list of all accounts with elevated access to networks, applications, data, and admin functions. Include all computer (machine to machine) accounts, which are often overlooked. With this, ensure access is reviewed and deemed appropriate with proper approvals. A good practice is to review access on a regular basis and determine that the “owners” of the data and systems have been explicitly approved.</p>
<p><strong>#3: Account and password configuration standards</strong></p>
<p>Ensure that all administrative accounts are updated according to policy. Default password settings on a specific device should not exist. There is ample information available to those who are resourceful enough about default account names and their default passwords. Some security accounts are created with the password the same as the account name. This is an area of really low-hanging fruit. Password expiration is important, but it’s also wise to disable certain accounts that are known to be temporary. Contractors’ and consultants’ accounts are often available long after their work is complete.</p>
<p><strong>#4: Controlled access to passwords</strong></p>
<p>Manage access to passwords whose accounts have elevated and administrative access. This may sound like stating the obvious, but sharing access to, and communication of, passwords is not always controlled. Offline records or open access, such as e-mails containing passwords, should not exist. Even an encrypted file of passwords is not recommended. In the worst case, the password to the file of passwords is not controlled.</p>
<p><strong>#5: Service accounts, aka “machine” accounts</strong></p>
<p>Service accounts can be implemented with elevated access and used in nefarious ways. These accounts are not typically assigned to human users and not included in traditional approval or password management processes. These accounts can be easier to hide than non-human access tracking. Ensure all service accounts have only necessary access. These accounts should also be reviewed on a periodic basis, as they often have super user capabilities. There are often too many of them; accounts exist that are not being used.</p>
<p><strong>#6: High risk users and roles</strong></p>
<p>Some organizations actively monitor certain roles where business risks are higher to identify potentially “unacceptable” behavior. Many businesses have critical roles where risks of crime are higher. For example, a purchasing manager may have access to sensitive data that he or she is planning to take to a new job with a competitor. In this case, access is authorized, but there may be misuse. Rotating jobs and duties and mandating time off is often a solution in high risk areas. IT security pros often meet the high risk criteria.</p>
<p><strong>#7: Security awareness program</strong></p>
<p>Any employee or user can pose a threat. It is imperative to implement a security awareness program that addresses all of the above topics and that is enforceable. Many simple solutions exist for ensuring all users have read and consented to policies. One such tool is a sign-on message that is presented at login, requiring the user to confirm his or her consent in the form of an Accept check box. Ongoing awareness activities help enforce policies.</p>
<p><strong>#8: Background screening</strong></p>
<p>Background screeners ask carefully worded questions to reveal red flags about specific behaviors and attitudes such as:</p>
<p>Irregular work history — Questionable reasons for leaving jobs, long periods of unemployment<br />
Dishonesty — Misrepresentations in facts, such as education, licensure, or previous employment<br />
Character/attitude problems — Poor relationships with coworkers and/or supervisors<br />
Behaviors such as frustration, problems with authority, suspicion or paranoia, or inability to accept change </p>
<p><strong>#9: Event logging</strong></p>
<p>Security event management (SEM) provides significant real-time visibility of use and activities. Accurate and complete records of users and their activities are essential for incident analysis and development of additional security measures. Of key importance are the methods used to gain access, the extent of access, and past activities. To ensure that adequate records exist, consider improving the logging of usage information for higher risk areas and services.</p>
<p><strong>#10: Evidence</strong></p>
<p>Managers should be familiar with the different storage devices used and also have an adequate level of knowledge of “fingerprints” if there is any suspicion. These can be headers, cookie data, usage data, hidden OS data, etc. It is easy to acquire confidential files from company systems and place them on flash drives, which can be disguised as a normal fountain pen, digital watch, digital camera, personal digital assistant (PDA), or cell phone. Some investigators do nothing but collect and analyze information from cell phones, since they contain voice mail, text messages, address files, phone numbers, and a log of calls missed, received, and made. If there is any suspicion of criminal activity, evidence should be preserved and guarded until its fate is determined.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.monadsecurity.com/2011/03/10-ways-to-reduce-insider-security-risks/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Invisible FluxSecure Authentication Technology</title>
		<link>http://www.monadsecurity.com/2011/03/invisible-fluxsecure-authentication-technology</link>
		<comments>http://www.monadsecurity.com/2011/03/invisible-fluxsecure-authentication-technology#comments</comments>
		<pubDate>Sun, 06 Mar 2011 22:32:13 +0000</pubDate>
		<dc:creator>devteam</dc:creator>
				<category><![CDATA[Latest News]]></category>

		<guid isPermaLink="false">http://monadsecurity.com/?p=642</guid>
		<description><![CDATA[February 28, 2011 Schreiner ProSecure has integrated its new invisible FluxSecure authentication technology into self-adhesive products, to meet the growing tamper- and counterfeit protection demands made on security features for products and packaging. The FluxSecure feature can be quickly checked even through product enclosures and packaging. In addition, it is easy to integrate and ensures [...]]]></description>
			<content:encoded><![CDATA[<p>February 28, 2011</p>
<p>Schreiner ProSecure has integrated its new invisible FluxSecure authentication technology into self-adhesive products, to meet the growing tamper- and counterfeit protection demands made on security features for products and packaging. The FluxSecure feature can be quickly checked even through product enclosures and packaging. In addition, it is easy to integrate and ensures reliable authentication.</p>
<p>The FluxSecure technology by Schreiner ProSecure consists of a magnetically encoded, extremely thin thread which is inserted between the adhesive and the masking paper. FluxSecure has a diameter of about 30 micrometers, which makes it thinner than a human hair. The delicate thread consists of a metal alloy mixture and is surrounded by a glass coating. The magnetic properties of the security feature are read out without line of sight, using a handheld reader or a sensor that generates a magnetic field. </p>
<p>This allows products to be verified even through heavy and metallic packaging. The readers are specifically adapted to the customer’s system solution. Authentication is indicated by both an optical and an acoustical signal. Customized sensor solutions are available for integration into machines, equipment or products or for stationary reading systems.</p>
<p>The magnetic properties can be modified through variations of the alloy and changes to the thickness and length of the FluxSecure thread. In addition, the alloy mixtures are customized and therefore not reproducible. The FluxSecure technology can be easily integrated into existing products like folding boxes or blister packs and marking solutions. Since the security feature is hidden, it does not interfere with specified design patterns. Combinations with additional overt or covert security features are possible as well.</p>
<p>The FluxSecure technology not only provides brand owners with an efficient method to authenticate their original products, but also allows them to automate machine calibration and settings and to introduce further customer service tools. </p>
<p>Courtesy of Corporate Security Portal:<br />
<a href="http://www.corporatesecurityportal.com/corporatesecurity_news.asp?articleid=265956&#038;arttitle=Invisible%20FluxSecure%20authentication%20technology%20allows%20products%20to%20be%20verified%20even%20through%20heavy%20and%20metallic%20packaging">Visit Article Here</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.monadsecurity.com/2011/03/invisible-fluxsecure-authentication-technology/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Majority of employees plug unknown USB flash drives into company PCs</title>
		<link>http://www.monadsecurity.com/2011/03/majority-of-employees-plug-unknown-usb-flash-drives-into-company-pcs</link>
		<comments>http://www.monadsecurity.com/2011/03/majority-of-employees-plug-unknown-usb-flash-drives-into-company-pcs#comments</comments>
		<pubDate>Sun, 06 Mar 2011 22:24:54 +0000</pubDate>
		<dc:creator>devteam</dc:creator>
				<category><![CDATA[Latest News]]></category>

		<guid isPermaLink="false">http://monadsecurity.com/?p=638</guid>
		<description><![CDATA[March 04, 2011 Organisations are at risk of unsolicited viruses and malware as 76% of workers plug unknown USB flash drives into company PCs, potentially compromising corporate network security. A research of over 1,000 UK office workers initiated by BlockMaster to reveal attitudes to handling portable devices, such as USBs, also revealed that almost a [...]]]></description>
			<content:encoded><![CDATA[<p>March 04, 2011</p>
<p>Organisations are at risk of unsolicited viruses and malware as 76% of workers plug unknown USB flash drives into company PCs, potentially compromising corporate network security.</p>
<p>A survey of over 1,000 UK office workers, initiated by BlockMaster to reveal attitudes to handling portable devices such as USBs, also revealed that almost a quarter (20%) have lost unprotected USB drives holding sensitive information, exposing businesses to huge potential risks, such as loss of IP and reputational damage.</p>
<p>“This is alarming as many viruses on USB sticks can run as soon as they are plugged into a PC, without user activation and causing widespread damage to a corporate network,” says Anders Kjellander, CSO, BlockMaster. “Indeed, the Stuxnet worm, the first ‘industrial’ virus, was well-known for spreading via unsecure USB sticks. Furthermore, even if unprotected USB sticks are not infected with viruses or worms, they can contain sensitive corporate data, leaking important information to external organisations causing harm for the party that lost the device.”</p>
<p>Kjellander continues: “Around 83% of office workers use USB sticks today, making them almost as common as the mobile phone. However, although we often have work email on our mobile phones, it’s quite rare to store a significant quantity of sensitive business data on them. Unsecure USB drives pose a unique security threat, as they are usually small, easy to lose and have a high capacity for storing documents, videos or corporate presentations.”</p>
<p>The survey also discovered that approximately 85% of lost USB sticks are later found, so office workers hoping that lost sensitive data will simply ‘vanish’ will frequently be disappointed.</p>
<p>Kjellander concludes: “Organisations need to put technology and policies in place to secure and remotely manage their USB devices. A lost unsecure and unmanaged USB stick can contain sensitive data including customer details – or in the case of public sector organisations, details of patient records, benefits or tax details – so it is imperative that organisations put in place a managed secure USB drive solution that automatically protects stored data and allows administrators to centrally manage them to perform policy updates and remotely erase any lost device.”</p>
<p><strong>Courtesy of Corporate Security Portal: </strong><br />
<a href="http://www.corporatesecurityportal.com/corporatesecurity_news.asp?articleid=265972&#038;arttitle=Majority%20of%20employees%20plug%20unknown%20USB%20flash%20drives%20into%20company%20PCs">Corporate Security Portal- See article here</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.monadsecurity.com/2011/03/majority-of-employees-plug-unknown-usb-flash-drives-into-company-pcs/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

