Tuesday, December 23, 2008

New Standard Published – Chief Security Officer

In its drive to improve the standard of security across private and public organisations, ASIS International has just published a new Chief Security Officer (CSO) US Standard. This document builds on ASIS’ previous CSO Guidelines and provides the background and guidance necessary to support security operations in the dynamic business environment and to protect against equally dynamic threats. We will post the PDF on our website resources page soon but in the meantime, if you would like a copy, it is available for free download from ASIS:
CSO 2008

Information Focus – Port Cyber Security

Many people see maritime security as a physical loss prevention and protection issue. However, like any other business activity, there is significant potential for theft and other adversary activity using IT systems. The range of cyber threats has been highlighted in an article recently published by Continuity Central. Port Cyber.

ARC addresses IT as well as maritime and transport security during various courses in 2009. Contact Janet for information.

Friday, December 19, 2008

Biometrics – Does Your Knowledge Measure Up?

The use of biometric technology continues to grow in importance for access control and tracking systems. Measurements of fingerprints and hand geometry led to iris and retinal scans, with face recognition growing in popularity. But did you know that everyone’s tongue is different? And did you know that your body odour can be used for biometric access control? The future of access control may involve unwashed employees lining up to stick out their tongues before logging onto their IT systems!
An interesting CNN article can be accessed through this link: CNN Biometric Report

New Report on Disaster Protection

We reported last month on the inevitability of a pandemic in the future and highlighted some of the worrying facts about avian flu in particular. Many organisations and public authorities are addressing the risks and threats associated with pandemics and are also looking at other public health issues which need to be managed. One such organisation is the ‘Trust for America’s Health’, which has released a 2008 Report entitled ‘Ready or Not’, covering a range of bio-related public health issues. If you haven’t thought about this and the potential effect on you and your business, it’s worth reading. Read the report here: Bio 2008, and contact us if you would like to discuss pandemic, CBRN or BCM planning and training.

Tuesday, December 16, 2008

New Malware Threats Approaching

In a reflection of the rapidly developing and evolving nature of IT threats, a recently published internet article from Messagelabs lists the 5 new malware threats for 2009. These threats include ‘mash-up malware’, social network phishing and new botnets. As the criminals continue to develop their expertise, the risks continue to grow for home and business users. Read the Messagelabs article here: 2009 Malware, and go to the ARC website for resources on IT security: IT Resources

Monday, December 15, 2008

Are You Vulnerable to Fraud?

As an already worried financial world is rocked by yet another allegedly massive fraud, have you considered your own vulnerabilities? Fraud tends to be carried out by those who are normally considered to be trustworthy or work in specialised roles without oversight or management. People who are fraudulent are normally extremely competent in their area of specialisation and, because they know their own management systems so well, can effectively cover their tracks. The impact of fraud can be not only damaging but can destroy companies completely if the scale of the activity is large enough. So, is it time that you had a good look at your own organisation’s processes and what exactly goes on in vulnerable areas? If you want to know what to look for and the types of fraudulent activities that can go on, ARC conducts various workshops and programmes which cover their symptoms and treatment. Contact Janet for details.

Friday, December 12, 2008

Are Your Financial Transactions Secure?

Business transactions, whether between corporate organisations or between individuals and retailers, are part of everyday life. Also, the means of making these transactions have become simpler and more user–friendly over recent years. Unfortunately, the ways in which these activities are carried out are also criminal-friendly. The incidences of intrusion into personal and corporate information, identity theft and fraud are on the increase and becoming difficult to effectively combat. Organised criminal gangs and terrorist groups have the intent, means and opportunity to make effective intrusions and to capitalise upon lax security and will strike wherever there are gaps in protective measures. Are you at risk? Follow this link Transaction Security Report to look at a report on transaction security issues and make up your own mind.

Thursday, December 11, 2008

Business Travel Security Focus

Currently, Greece is in a state of chaos due to ongoing civil unrest. Although the country has a long ‘tradition’ of street protest, these latest riots are far more serious than any in the past. Greece has in recent years been a safe place to visit either for business or leisure but the last week has proven the case that serious unrest can often flare up without warning. There have been many cases of worldwide travellers being caught up in similar unrest but there are precautions that can be taken if it happens to you or your staff. ARC is running courses and workshops throughout 2009 which cover business travel security and protection of at-risk personnel. For more information on this critical subject, either go to the ARC website or contact Janet.

Monday, December 8, 2008

Technology – Friend or Foe?

In March this year we covered on this blog the use of satellite imagery by activists in the UK. The recent Mumbai attacks may have been the latest instance of this effective, and increasingly advanced, tool being used by adversary groups. Satellite mapping allows close detail surveillance of terrain, topography and infrastructure and also allows distances and dispositions of personnel to be checked with a good degree of accuracy.

Also, the increased availability and capability of Voice over Internet Protocol (VoIP) communications, satellite phones and GPS navigation systems provide such groups with technological agility which greatly enhances their ability to reach targets and communicate with each other.

For most businesses, it must now be assumed that any potential adversary can and will make use of satellite mapping services in their assessment of a site’s weaknesses and strengths. The challenge for the security professional is to ensure that they can optimise protection whilst accepting the fact that they are under satellite surveillance. But remember – although satellites can photograph fences and barriers, approach and escape routes, they cannot assess your security awareness programmes and the effectiveness of your personnel in implementing security procedures. If you can strengthen those, perhaps you can negate the effectiveness of the ‘eye in the sky’!

See a NY Times report on the issue here: NY Times

How to Reduce Information Risks

Protecting businesses against information loss is becoming more difficult as technology continues to develop and employees try to keep pace with increasing security risks. Organisations and companies world-wide face the same problems, regardless of business sector and, of course, mismanagement of information has the potential to result in catastrophic losses. Ernst and Young have recently published their 10th Global Information Security Survey which identifies trends and measures in place to prevent information loss. The report is available here: Ernst and Young 2008

If you would like to know more about this subject, ARC’s 2009 programme of courses deals with the range of information threats and provides detailed guidance on how to protect your business. Further details are available in the ARC 2009 brochure 2009 Brochure or from Phil

An Essential Physical Security Resource – Now Available

Physical security is a wide subject area and there are many resources available for this area of security, upon which many managers quite rightly place a great deal of emphasis. However, it is often difficult to find a ‘one-stop’ resource where all of the major subject areas are treated together. The US Army Physical Security Manual, however, is an excellent source of all things physical security related and discusses not only the hardware required but a systems, design and planning approach to optimise asset protection. This resource is now available from the ARC website via this link: US Army Physical Manual

The Manual is one of the resource documents for the ASIS PSP™ certification. In the New Year, ARC will begin the first of its 2009 preparation programmes for the examination. For further information, go to the ARC website http://www.arc-tc.com/pages/asis_cpp_psp.asp#asis2
or contact Phil

Chemical Plant Security – Alternative Thinking

Chemical plants are dangerous places and make an attractive target for terrorist attack. However, there are ways – apart from closing down operations – of significantly reducing the potential after-effects of attacks. By changing processes, logistic arrangements and implementing alternative ways of working, risks and their impact can potentially be mitigated. An interesting report by the Center for American Progress is available via this link: Chemical 101

Sunday, December 7, 2008

UK Law Guidance Online

Law and regulation can be confusing; and few legal systems are as complicated as that of the UK. For those UK-based security professionals who need to understand the Law, help is at hand online. The Criminal Justice System website provides authoritative guidance and resources concerning UK Law and its implementation. Follow this link to access, for example, the site's guide to Magistrates’ Courts: CJS Magistrates

How To Implement Security Awareness Programmes.

Companies and organisations spend huge amounts of money each year on security and asset protection measures. How would you like to maintain high levels of security and perhaps spend a little less of your budget?

A good method is to raise the levels of security awareness amongst employees – of course, this can be difficult if there is resistance or apathy amongst the workforce. The US National Security Institute has produced an excellent guidance document, ‘Improving Security from the Inside Out’, which provides analysis of awareness training methodologies and recommendations along with checklists for implementing programmes.

The NSI report is available here: NSI Report

Our upcoming 2009 programmes and courses promote the value of security awareness within vulnerable organisations and we emphasise the positive results that can be achieved throughout all of our training activities. If you would like to know more, please contact Janet, and get your employees' heads out of the sand!

Friday, December 5, 2008

Security Managers – Protectors against Risk or Sources of Competitive Advantage?

The role of security managers has developed in recent years from that of ‘company policeman’ to a more proactive and business-friendly role. There is considerable weight behind the argument that security professionals should not only know their own specialisation, but also be able to operate with, and speak the ‘language’ of other business departments.

In 2006, Demos, a UK ‘think-tank’, published Rachel Briggs’ and Charlie Edwards’ pamphlet The Business of Resilience, which consulted business leaders globally and drew the conclusion that security professionals have the potential to contribute far more to business if they can move away from thought processes which focus only on security.

ARC’s Security Management Stage 3 Courses, which will run in the UK from 11th to 22nd May and 21st September to 2nd October 2009, deal with the themes from The Business of Resilience and ask delegates to critically appraise their own contributions and assess areas in which they could maximise the value of security to their businesses. If you are interested in maximising your own potential or that of your security managers, contact Janet.

You can download a PDF of Briggs’ and Edwards’ report here:

The Business of Resilience

Request for Post-Graduate Assistance

Those who have worked with us know that ARC champions academic development in the security profession and it is important that academic research is based upon reliable information. In keeping with that spirit, can you help with the following request?

‘Dear Participant,

I thank you in advance for taking the time to complete this questionnaire. The survey is purely for research purposes and is a very important element of my Post Graduate studies in Security Management. The information you provide will be confidential, however the outcome of the research can be made available to you if you so wish. My details should you wish to contact me are:
Mobile: 0044 79 58 046 285 and
Email: ddaniead@aol.com.

I would also be extremely grateful if the questionnaire could be completed on or before 15 December 2008.

You can follow this link to my questionnaire: http://www.surveymonkey.com/s.aspx?sm=vQayWtY3kAIafniu9s8npA_3d_3d

Danie Adendorff (MSyl)’

Protect Your Assets - Anti-Piracy Insurance

The recent high-profile piracy incidents at sea have prompted a reaction from consultancies and insurance companies in order to mitigate the impact of losses. By introducing piracy risk insurance, it is hoped to cover many potential problems, including damage to ships, loss or harm to cargo, terror attacks and kidnap and ransom.

The UK’s Times newspaper has published an article on this latest development in the war on piracy – read it here: The Times - Piracy

Lack of Security Awareness Costs Financial Organisations

A new report by ENISA – the European Network and Information Security Agency – has found that thefts of customer information and the costs associated with security incidents are on the increase. ‘Information Security Awareness in Financial Organisations’ assesses the risks facing financial organisations and provides guidance on implementing security awareness programmes, recommendations and case studies.

You can download a copy of the report from the ARC website by following this link: ENISA Report

If you would like to learn about countering such risks, ARC will be offering a range of Information Security courses and workshops throughout 2009; download the new brochure here or contact Janet for more information.

Quick Links to the Law


The ARC web resources page now has quick links to some of the main pieces of UK legislation affecting the security manager. Click on the link below to be taken to the list:

International Terrorism and Critical Infrastructures

The threat of international terrorism and the increasing number of natural disasters pose a growing challenge for the protection of critical infrastructures, many of which are operated by the private sector. And information technology, which has pervaded all areas of life and economic activity, brings new vulnerabilities.

The German Government has produced an excellent guide in English on the protection of such infrastructures. The guide can be accessed via the ARC website by clicking on the link below:
Protecting Critical Infrastructures - Risk and Crisis Management. A guide for companies and government authorities


In 2009 ARC Training will be offering two new courses on the protection of critical infrastructure:


Protecting Critical Infrastructure, 17-21 August, is intended for security managers who manage the security of critical infrastructure - typically, energy, communications, water, finance, food, health and transport sectors. It will examine the range of threats to designated critical infrastructure, including external physical attacks, sabotage, terrorism, IT-based attacks and insider-assisted attacks, and includes strategies for risk management. For details click on the link below:
http://www.arc-tc.com/pages/other_accredited_sm.asp#s5


Managing Security Risks in the Oil & Gas Sector, 24-28 August, is a sector-specific programme intended for security managers or consultants in the oil and gas industry, or those seeking work in this sector. Drawing on case studies from around the world, it addresses some of the more complex risks associated with oil and gas operations in various environments and includes many practical exercises. Participants should have a baseline level of security management knowledge, such as that covered in Security Management Stage 1. For details click on the link below:
http://www.arc-tc.com/pages/other_accredited_sm.asp#s1


For details on any ARC course, or to discuss an in-house requirement, contact Janet.

Wednesday, December 3, 2008

The Human Rights Act 1998 – Are you Bound by It?

The UK Human Rights Act 1998 is based on the European Convention on Human Rights. The Act makes it unlawful for a public authority in the UK to act incompatibly with the Convention rights and allows for a case to be brought in a UK court or tribunal against the authority if it does so.


Privatised utilities such as water, gas and electricity companies have functions that will probably count as "public" under the Human Rights Act. If a body of this type has breached Convention rights, a claim under the Act is possible only if the act or decision complained about is in the public sphere. If it is a wholly private matter (for example where such a person, body or company is acting as an employer or in a commercial capacity), a claim under the Human Rights Act will not be possible.


For a detailed explanation of the guide, click below:
A Guide to the Human Rights Act 1998

Corporate Social Responsibility Focus

The International Finance Corporation (IFC) publishes a set of Performance Standards to manage social and environmental risks and impacts and to enhance development opportunities in its private sector financing in its member countries eligible for financing. The Performance Standards may also be applied by other financial institutions electing to apply them to projects in emerging markets.


On a recent ARC Training on-site course, the CEO of a leading oil and gas company addressing security management delegates underscored his belief that, within the context of oil and gas operations in developing countries, corporate social responsibility and security management were “two sides of the same coin”.


To download the standards go to:
http://www.arc-tc.com/pages/resources_publications.asp#C
and scroll down to the heading Corporate Social Responsibility.


The relationship between Corporate Social Responsibility and security management will be one of the topics covered in detail in the new Managing Security Risks in the Oil & Gas Sector, 24-28 August. Click on
http://www.arc-tc.com/pages/other_accredited_sm.asp#s1


For details on any ARC course, or to discuss an in-house requirement, contact Janet.

New EU Study on Countering Information Security Risks

ENISA, the EU agency for information security, has published a new study on how to counter information security risks, with a focus on staff awareness in the financial sector.
To access the report, go to:
http://www.enisa.europa.eu/pages/02_01_press_2008_11_26_financial_markets.html

Tuesday, December 2, 2008

Panel Warns Biological Attack Likely by 2013

The United States can expect a terrorist attack using nuclear or more likely biological weapons before 2013, reports a bipartisan commission in a study being briefed Tuesday to US Vice President-elect Joe Biden.

"The United States should be less concerned that terrorists will become biologists and far more concerned that biologists will become terrorists," the report states. The report is due for release today.

Click on the link below for the full story:

http://www.usatoday.com/news/washington/2008-12-02-terrorist-attacks-report_N.htm

Shared Destinies: Security in a Globalised World

The Institute for Public Policy Research is the UK’s leading progressive think-tank. Its Commission on National Security has just released its latest report in which it warns:

“There is a pressing need to do more to prevent and prepare for violent conflict, state failure, nuclear proliferation, bioterrorism and global pandemics.”

Contact David for a copy of the report, or sign up for a copy at http://www.ippr.org/security/publicationsandreports.asp?id=636&tid=2656

Wednesday, November 26, 2008

Developing Skills in Security Management

Security Management Stage 1 (Postgraduate University Accredited)
“The course is EXCELLENT content & procedure wise. A MUST for the Security Manager.”
Corporate Security Manager, Manufacturing Company


18 – 29 January, Bahrain
9 – 20 March, Cape Town
23 March – 3 April, UK
http://www.arc-tc.com/pages/university_acredited_sm.asp#sm1

***


Security Management Stage 2 (Postgraduate University Accredited)
“The SM2 was challenging …. overall a very successful programme and highly recommended for security professionals.”
Security Manager, Multinational Oil Company

9 – 20 February, UK
http://www.arc-tc.com/pages/university_acredited_sm.asp#sm2

***


Security Management Stage 3 (Postgraduate University Accredited)
“Excellent presentation of topics. Learnt a lot, especially when focussing on the more strategic elements.”
Security Manager, Logistics Company

9 – 20 February, Kuala Lumpur
11 – 22 May, UK
http://www.arc-tc.com/pages/university_acredited_sm.asp#sm3

***


Security Coordination and Management
“Not only a learning experience, but one of the most enjoyable courses I’ve been on.”
Company Fire Prevention & Security Manager, Manufacturer

23 – 27 February

http://www.arc-tc.com/pages/other_accredited_sm.asp#s1b

***


Retail and Supply Chain Management
New Course - Conducted by Barry Vincent MSc, MA and Mike Goodman MSc - former heads of security with leading international retailers and specialists in supply chain and distribution

27 – 29 January

http://www.arc-tc.com/pages/other_accredited_sm.asp#s6

For details on any ARC course, or to make a booking, contact Janet.

Many more courses can be found at www.arc-tc.com

Retail Security – Best Practice Hints and Tips

Keep alert for suspicious or abnormal behaviour such as:


- Constantly looking around watching staff
- Appearing nervous
- Taking little notice of products
- Wearing clothing inappropriate for the time of year that may be used to hide goods
- Carrying a large bag
- Carrying a coat over their arm or shoulder
- Repeatedly refusing your offers of help
- Wheeling around a baby buggy when a shop baby trolley is available
- Appearing to have concealed an item
- Spending a long time browsing



Measures to discourage shoplifting…



- Good customer services - Always acknowledge the customer and regularly ask if they need help. Do this if you are suspicious of a customer;



- Secure stock - Make sure the shop is tidy, well lit and laid out so all areas are visible from the CCTV cameras. High valued items can be held behind the counter;



- Warehouse and store rooms - Always escort deliveries and follow the security rules in this area. An authorised touch pad lock should restrict these rooms.



- At the checkout - Take out high value notes regularly and store in a safe. Be observant of baby buggies and the bottoms of trolleys. Check items that appear cheaper than you think they should be. Never turn away from an open till drawer. Look out for fake notes. Check card and cheque signatures carefully. Tills should be protected from the customer by screens. Do not count cash in front of customers.



- Banking security controls - Anchor safes to the floor. Use a professional service to collect cash from your shop and where this service is not available bank at different times of the day and never alone or in a work uniform. Don't carry cash in bags that are obviously bank bags.

- Key control - Don't leave keys in doors, on counters or in drawers. Sign a register for any keys. Keep spare keys in a secure cabinet. Safe and security room keys should not be left on the site over night.



- Other - If you are suspicious of a customer, make them feel nervous by walking past them, talking on the phone and letting them see you do it. Also let them see you walking near the shop exit and talking to other staff. Thieves may try to rush you so that you do not notice forged notes etc., so always take your time.



What to do if someone becomes abusive or threatening?



- Try to separate yourself from the offender (e.g. get behind a counter)
- Remain calm
- Use methods to defuse the situation
- Put personal safety first
- Know how to raise the alarm and operate security equipment
- Do not resist or follow violent offenders
- Remember information such as a description of the offender
- Write what happened in the incident book.



Source: http://www.crimereduction.homeoffice.gov.uk/business/business36.htm

For details on ARC Training’s new Retail and Supply Chain Security Course, 27-29 January, led by two former heads of retail security, contact Janet or go to

The Flu Pandemic – Are You Prepared for this Inevitable Event and Dare You Read these Chilling Predictions?

This is what Lloyd’s of London is saying:

1. A pandemic is inevitable.

2. A repeat of the 1918 event is expected to cause a global recession with estimated impacts ranging from 1% to 10% of global GDP. Most industries will be affected, some more than others. In particular, industries with significant face to face contact will be impacted significantly.

3. The World Health Organisation reports that we have passed the “interpandemic period” and are now in the first stage of the “pandemic alert period”, due to concerns of Avian Influenza H5N1.

4. Taking the 1918 pandemic as an example, it infected around 30% of the population and had a case mortality rate of up to 2.5%. Unusually, it most affected those aged between 20 and 40 (the young and old were affected, but no more than normal seasonal flu). The pandemic killed between 20 million and 100 million people.

5. If the pandemic starts elsewhere, it will probably reach the UK within 2-4 weeks.

6. Until a virus has emerged there are so many unknowns we cannot prepare a vaccine. It then takes several months to isolate the virus and prepare a vaccine; which will therefore not be available to fight the first wave of pandemic.

7. Unlike the 1918 pandemic, global networks, global travel, larger populations, concentrations in cities, large pools of sick or incubating people in buildings or on public transport will accelerate the spread.

According to Lloyd’s, many businesses are not prepared for this inevitable event, which could lead to prolonged employee absentee levels of 50% and many fatalities. Their findings include:

1. Over three-quarters of companies have inadequate plans for coping with a flu pandemic.

2. Around a third of businesses have no strategy at all, while 14% have only rudimentary contingency plans.

3. Around a third of executives are unaware of how their companies intend to deal with the threat; only 22% are comfortable that they are prepared.

For a full copy of the report, contact David.

Business Continuity Management is addressed as a one-day workshop on the Security Management Stage 2 Course. The next Stage 2 course takes place in the UK, 9-20 February 2009. Contact Janet for details.

To enquire about how an ARC associate can assist you in preparing your Pandemic Business Continuity Plan contact David.

Online Business Studies Resource

Great background reading and company case studies available at:

http://www.thetimes100.co.uk/index.php

Topics include:

- Business Ethics and Corporate Social Responsibility
- Using PEST Analysis to Manage External Influences
- Managing Risk through Effective Team-Based Decision Making
- SWOT Analysis in Action

Changes to the Computer Misuse Act Tighten the Noose on Cyber Criminals

A law criminalising denial of service attacks and the supply of hacking tools has been brought into force in England and Wales after a number of delays. The law was already in force in Scotland.

Denial of service (DoS) attacks involve the simultaneous sending of millions of messages or page requests to an organisation's servers. The sudden, massive deluge of information can render website and email servers inoperable.

Read the full story at:

http://www.out-law.com/page-9592

Maritime Hijackings Are Decreasing in Asia

In the Gulf of Aden Somali pirates use automatic rifles and RPGs. In SE Asia it may be knives and catapults. Read the full story at:

http://www.nytimes.com/2008/11/19/world/asia/19asiaships.html?_r=2

Tuesday, November 25, 2008

Fraud Report Provides Comprehensive Guidance

The word ‘fraud’ is often understood to mean the covert theft of financial assets within business; however, fraud has many facets. Kroll’s Global Fraud Report 2008/2009 examines the world trends in fraud and also provides information on many other aspects of the subject and associated investigations which are an excellent source of guidance and advice.

The report is available in downloadable PDF through the following link, along with other resources concerning issues such as supply chain fraud and investigation procedures.

http://www.kroll.com/library/fraud/FraudReport_English-UK_Sept08.pdf

ARC has a range of Fraud and Investigation courses available throughout 2009 which deal in detail with the issues raised in reports such as Kroll’s and provide an essential tool for those involved in preventing fraud and in managing investigations into suspected fraudulent activity.

The ARC 2009 Brochure (http://www.arc-tc.com/pages/documents/ARCTraining2009Brochure.pdf) has more information; alternatively, contact Janet Ward for more details.

Monday, November 24, 2008

16 Recommendations for Better Laptop Security

The 16 security managers currently attending the postgraduate university-accredited Security Management Stage 1 Course spent Monday 24th November tackling the difficult problem of information security, a subject of topical concern given the recent high profile data loss incidents.

The training day concluded with a look at laptop security, during which delegates formulated procedures which could be realistically implemented in order to reduce exposure to hardware loss and data compromise. The recommendations included:

1. Laptops should be equipped with a basic security software suite to ensure that they are protected when in use off-site. This should include anti-virus software, anti-spyware software and a firewall.
2. Encryption should be available on all laptops.
3. Boot sector password protection as standard.
4. Card and PIN access control to be fitted. Biometrics may provide an alternative, but currently most biometrics systems on laptops have a password override, thereby reducing security.
5. USB ports should be disabled, or access managed using special software.
6. During working hours, laptops should be secured to worktops using cable locks. Security staff should patrol to ensure that this rule is not violated at night.
7. If laptops are left on site overnight, they should be secured in a special cabinet.
8. There should be comprehensive policies and procedures to cover laptop security. These should be realistic, communicated and understood. Compliance should be audited.
9. Staff should be made aware of the risks, and trained in laptop risk management.
10. Users should exercise good email discipline so that laptops do not become infected with malware when off-site.
11. Laptops should never be left unattended.
12. Laptop losses should always be investigated and, if necessary, action taken against the employee if negligence can be established.
13. Off-site communications with the corporate network should take place over virtual private network (VPN) tunnels.
14. Users should be denied permissions (by logical controls) to install any software.
15. Data should be backed up regularly. If in frequent off-site use, special provisions should be made for this.
16. There should be regular reviews of data held, and any unnecessary data should be destroyed using a shredding programme.

Improving Terrorism Resilience of Chemical and Petrochemical Facilities by the Use of Inherently Safer Technologies

The US Department of Homeland Security and numerous security experts have repeatedly warned that terrorists could use industrial chemicals as improvised weapons of mass destruction. Current chemical security efforts, however, are inadequate to protect workplaces and communities.

Most of the US’s 101 most dangerous chemical and petrochemical facilities could become less attractive terrorist targets by converting to alternative chemicals or processes. Doing so would improve the safety and security of more than 80 million Americans living within range of a worst-case toxic gas release from one of these facilities, according to data compiled for this report. Millions more living near railroads and highways used for transporting hazardous chemicals would also be safer and more secure.

Read the full report at:

http://www.americanprogress.org/issues/2008/11/chemical_security.html

IT Security’s Emerging Threat – Employees under 30! Seven Things You Need to Be Worried About

Since Nov. 5, three separate studies -- from Accenture, Intel, and ISACA, a major IT users group -- have indicted the youngest generation of employees as one of the enterprise's newest and most serious security risks. Seven of the key risks posed by this group are:

1. Lack of awareness of company IT policy and lack of inclination to adhere to it.
2. Use of non-approved personal communications and storage devices for work-related activities, thereby significantly raising the risk of data loss or compromise.
3. Use of non-supported (and insecure) applications for work-related activities – examples: Facebook and IM.
4. Younger employees' propensity to download non-sanctioned applications.
5. Lack of interest in the security of their desktop PCs.
6. Online shopping during working hours (one in four respondents either does not check -- or is unsure how to check -- the security of a site before making a purchase).
7. Giving online retailers work emails, which can leave the enterprise network open to a variety of threats.

Read the full report at:
http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=212100952

Biometric Focus – Finger Vein Authentication Begins to Replace Fingerprint Authentication

Source: Times Online

Forget fingerprinting. Companies in Europe have begun to roll out an advanced biometric system from Japan that identifies people from the unique patterns of veins inside their fingers.

Finger vein authentication, introduced widely by Japanese banks in the last two years, is claimed to be the fastest and most secure biometric method. Developed by Hitachi, it verifies a person's identity based on the lattice work of minute blood vessels under the skin.

Read on by clicking below:

http://technology.timesonline.co.uk/tol/news/tech_and_web/article5129384.ece

Biometric Access Control is one of many subjects covered in the two-week Security Management Stage 1 Course, currently being run in the UK with 16 participants from the UK, Russia, Saudi Arabia, Italy, Democratic Republic of Congo, Nigeria, Sudan and Kazakhstan.

The next Security Management Stage 1 Course will take place in Bahrain, 18-29 January 2009, and thereafter in Cape Town, 9-2- March 2009. For further details click on the link below or contact Janet.

http://www.arc-tc.com/pages/reg_train.asp

Friday, November 21, 2008

Technology Sets Sights on Maritime Crime

The BBC’s technology reporter discusses ways to protect ships and other offshore facilities against criminal threats, such as piracy, at:
http://news.bbc.co.uk/1/hi/technology/7735685.stm


Offshore and maritime security is one of a range of subjects covered in the new Managing Security Risks in the Oil & Gas Sector, which will be taking place in the UK, 24-28 August 2009.

For details, go to:

http://www.arc-tc.com/pages/other_accredited_sm.asp#s1

To make a provisional booking and reserve a place, contact Janet Ward.

Don’t Bribe Your Way into Jail!

Employers in the UK who negligently fail to prevent bribery by their employees or agents could face up to 10 years in prison under a new law proposed by the Law Commission today, reports Out-Law.com.


The Law Commission recommends that it should be an offence for a company "negligently to fail to prevent bribery where someone (A) performing services on that organisation’s behalf bribes another person, the bribe was in connection with the business of that organisation, and someone (other than A) connected with or employed by the organisation, who has responsibility for preventing bribery, negligently fails to prevent A bribing the other person."


"We recommend that it should be possible to hold directors, managers, secretaries or similar officers of a body corporate individually liable if they consent to or connive at the commission of bribery by the body corporate," said the Law Commission.


Full story at:
http://www.out-law.com/page-9613

Security Management Team Tackles the Tiger

The security professionals currently attending the ARC Training Security Management Stage 1 Course in the UK are attacking their course project 'Sumatran Tiger' with unusual vigour.

16 delegates from various countries are tackling the 2-week long project, with which our previous alumni will be familiar, and are currently deep into research and planning including a detailed risk analysis in readiness for presenting their project solution at 'board' level. The course has been split into four groups and already the teams are showing signs of serious competitiveness.

Sumatran Tiger aims to validate and consolidate the delegates' understanding of the course content and is an invaluable confidence and knowledge builder for security professionals. On current indications - we are expecting great things from this group!

Tuesday, November 18, 2008

Getting the Board to Buy in to Security

During a recent ARC security management course, delegates discussed ways in which to achieve better Board engagement in security strategy. Some recommended methods included:

1. Speak the language of the Board: risk management and finance.
2. Demonstrate that you understand the business, the business drivers, strategic objectives and the business model, and the sector dynamics.
3. Share their aspirations, aims and objectives.
4. Risk-based security measures that can demonstrate ROSI.
5. Add value by demonstrating that you are multi-talented.
6. Present security solutions that are cost effective, least inconvenient, and have stakeholder buy-in.
7. Use “we” and not “you”, or use “the business”.
8. Understand convergence and how security systems can become multifunctional (cross-functional) and add cross functional value to the business.
9. Ensure that your priorities and those of the Board coincide, but be prepared to raise issues that you feel strongly about.
10. Be able to compromise. Don’t anchor yourself to a principle or solution and always show flexibility by having alternatives.

Cybercrime Wave Sweeps Britain

The BBC is reporting that a cybercrime wave is sweeping Britain, and much of it is home-grown. Citing a report by online identity firm Garlik, the story claims that more than 3.5 million online crimes were committed in the UK last year.

One interesting revelation in the report concerns the origin of cybercrime, which is popularly believed to originate in Eastern Europe or Africa. Not so, says the FBI’s Internet Crime Complaint Center - Britain came second after the United States as the source of online crime.

For a link to the story click below.
http://news.bbc.co.uk/1/hi/technology/7697704.stm

Free CCTV Guide

CCTV expert John Honovich has released version 2 of his excellent book on IP CCTV. The publication is free to download from http://www.arc-tc.com/pages/resources_publications.asp.

Just navigate down the page to the CCTV heading and click on the last link.

Monday, November 17, 2008

Anti-Illicit Trade Resources

The Anti-Counterfeiting Group (ACG) is a not for profit trade association, recognised as a leading authority on the worldwide trade in fakes. ACG was founded in the UK in 1980 with just 18 members in the automotive industry, who discovered that they all had a common problem with counterfeit parts. We now represent nearly 200 organisations globally, operating in, or providing specialist advice to, most industry sectors where counterfeiting is an issue.

The ACG’s website, with a wealth of useful resources, can be found at the following link:

http://www.a-cg.org/guest/about_acg/guest_about_acg_overview.php

Illicit Trade and Counterfeiting is covered on the forthcoming Security Management Stage 3 Course in Kuala Lumpur, 9-20 February 2009. Other course subjects include: Corporate Risk Management; Corporate Social Responsibility; Adding Strategic Value to Security Management; Setting a Vision for Corporate Security; Kidnap Risk Reduction & Response; Illicit Trade & Counterfeiting; Product Tampering & Extortion; Investigating Information Leaks; Security Project Management; IT Security - Managing Strategic Risks; Terrorism - Future Trends & Responses; External Liaison & Stakeholder Engagement; Business Expansion - Security Considerations; Security Intelligence; Dealing with Protest Activity; Strategic Security Management Exercise; Multi-Site Security Management Project.

Contact Janet for details.

Becoming a More Effective Security Manager

During a recent security management course, delegates discussed the range of skills that they felt it necessary for a security manager to possess in order to be effective. All agreed that interpersonal and communication skills were paramount.

In addition to pure security management skills, delegates divided the remaining skill requirements into two sets: business management skills and soft skills.

Business management skills, according to the group, included: project management, finance management, time management, presentation skills, planning skills, IT skills, and managing change. Much of this training can be sourced internally or by attending evening classes at local colleges.

The softer skills were more difficult to achieve through training, but training would at least deliver some of the underlying principles. Softer skills included: interpersonal skills, communication skills, negotiating, influencing, leadership, problem solving, analysis, relationship building, and listening skills.

Importantly, it was recognised that effective security managers are those who have the ability to communicate well with all levels of the business.

Security Professionals Gather in Lagos


Twenty five security professionals gathered in Lagos, Nigeria last week to attend the ARC Training Security Coordination and Management course. The course, held in cooperation with Cardinal Security Services, is one of a regular series of security education and training events held in Nigeria. Delegates from a wide range of businesses as well as from government agencies covered such subjects as risk management, security design and information protection. A group of them can be seen here practicing their skills in a business security simulation.

Sunday, November 16, 2008

New Interim Chief for SIA

The Security Industry Authority (SIA) has gone outside the private security industry for its interim chief exec after the sudden exit of Mike Wilson as announced last Thursday, November 6, reports Professional Security online:
http://www.professionalsecurity.co.uk/newsdetails.aspx?NewsArticleID=10264&i

Chairman, Baroness Ruth Henig, has announced the appointment of Dr Bernard Herdan CB as interim Chief Executive of the SIA. Dr Herdan is expected to join the SIA on November 17 until the recruitment process for a permanent Chief Executive is completed. Until September 2008 he was Executive Director of Service Delivery at the Identity and Passport Service (IPS). Before this he was Chief Executive of the UK Passport Agency and was responsible in this position for the establishment and initial operations of the Criminal Records Bureau until it became a separate Agency in September 2003.

Examining the Nature of Terrorism

YouTube carries a very interesting Al-Jazeera English Service examination of the nature of terrorism through interviews with two internationally-renowned experts: Dr Jerrold Post (author of The Mind of a Terrorist) and Dr Louise Richardson (author of What Terrorists Want).

The link can be found at:

http://uk.youtube.com/watch?v=dTM_DrGlux0

Some of the difficult points addressed by the two experts were:

Defining Terrorism

Richardson: Terrorism is the deliberate targeting of civilians.
Post: The need to identify both the “target of violence” and the “target of influence”, which may be different.
Post: Terrorism should be a dispassionate term that refers to a particular type of tactic. We should be able to use the word terrorism even when we agree with the cause, if it describes the action, eg targeting civilians.

Terrorism and Human Rights

Post: The need to be careful how terrorism is dealt with so that we do not degrade the very human rights we are trying to protect.

Negotiating with the Adversary

Richardson: Advocates discreet negotiations with Al-Qaeda (Ayman Al-Zawahiri).

Suicide or Martyrdom?

Post: Al Qaeda strongly rejects the notion that suicide and martyrdom are the same, asserting that suicide is weak, martyrdom is great.

Terrorist Profile

Richardson: Difficult to produce a terrorist profile since terrorists are essentially psychologically normal people who have chosen to pursue a cause in a violent manner.

Support

Post: There are 5,000 websites worldwide that promote the agenda of Al Qaeda.

Thursday, November 13, 2008

Armed Hold Up Best Practice Tips

Delegates attending the ARC Training Special Risks Course in Prague during the period 13-14 November 2008 studied a range of complex security problems, including Managing the Risk of Terrorism, Anti-Illicit Trade Management, Malicious Product Tampering Response, Protecting People at Risk, Kidnap Risk Mitigation, and Armed Hold-Up.

Delegates learned that measures to reduce the risk of armed hold-up include:

General

1. Robbery is theft with the use of violence. The violence may be actual or threatened.
2. Some robberies take place without weapons. This is when injuries often occur to have-a-go-hero staff.
3. In most cases, the victims do not know the robbers prior to attack.
4. In many cases robbers score on stimulant-type drugs or alcohol before an attack. They will be nervous and scared. Under such circumstances they will probably behave irrationally and with extreme violence, and the risk of a firearm going off is high.

Workplace Robbery Risk Mitigation

1. Keep the premises tidy and use mirrors for greater vigilance.
2. Don’t always assume that it will be company property that a robber will seek. He may be after cellphones and wallets of lone workers.
3. Ensure that back rooms are out of view.
4. Secure external exits to back rooms at all times (consistent with fire regulations), as this is an obvious surreptitious route of entry.
5. It is useful to keep a radio on in back rooms, to give the impression of others on site.
6. Greet all persons entering a retail facility. This may put off a robber.
7. Look for loiterers outside and inside. If inside, approach and offer assistance. If the situation looks dangerous, alert security.
8. Employees should be trained in armed robbery survival personal safety. Such seminars focus on psychologically surviving a life threatening scenario and provide advice on body language, hand positioning and movement, how to safely communicate with a robber etc. Delaying tactics should never be used as this may anger the robber and endanger life.
9. Armed robberies are usually over in less than 1 minute. Even robberies of banks usually take less than 2 minutes.
10. Instruct staff never to discuss security arrangements with friends or relatives.
11. Vet staff carefully. Robbers often collude with insiders. Sometimes this is through intimidation and threats.
12. Keep a minimum of working cash on site, especially at night when most robberies occur.
13. Use drop safes for larger bills.
14. Use specialist CVIT service to take accumulations of cash off site.
15. Post signs on doors making it clear that staff cannot open safes (time locks), that cash is regularly removed etc.
16. Note that very vulnerable times are at opening and closing. Try to have a second person present at these times.
17. Staff should not “cash up” in full view at the end of the shift. This could tempt a robbery.
18. Cash should be counted in a secure location.
19. Record the serial numbers of a few bills as it may later help police track down robbers.
20. Ensure site is equipped with CCTV that is capable of producing a good quality off-site recording of 120% of any attacker for identification and evidential purposes. But note that robbers are often not deterred by CCTV; their concern is not getting shot or caught at the time of the robbery.
21. Staff should be aware that their own personal safety and that of anybody else on the premises far outweighs any concern for the security of cash. Thus, they should cooperate with armed robbers and offer no resistance.
22. Note should be taken of any persons loitering suspiciously outside the facility. While this may not indicate an immediate threat, it may be useful in a post-robbery investigation.
23. There should be a means of escape from behind the counter without having to pass the robber. If this leads to a back exit door this should be secured from the inside and alarmed at all times.
24. Consider installing a personal attack button (PAB), but ensure the activation of this does not put employees or customers at risk. The alarm should not sound locally but should be monitored by a competent response authority. PABs should not be under-the-counter hand-operated as the robber will be alert to this. Consult CAS for advice.
25. Ensure that the public area of the facility is clearly visible to passers-by, in order to deter the robber. Windows cluttered with posters and remote cash tills add to the robbers’ advantage.
26. Use doorbells.
27. At high risk facilities, consider “airlock” doors, and bullet resistant glass between public and cash handlers.

Workplace Robbery In Progress Risk Mitigation

1. Staff must obey the instructions of the robbers without hesitation. When moving hands, especially if out of sight (below counter, in pocket etc), staff should always seek the permission of the robbers.
2. Customers should be instructed to obey the instructions of the robbers. Staff should be on the lookout for “heroes”.
3. Staff may experience the symptoms of nervous shock, such as pain in the legs and arms, trembling, difficulty of vision, sweating, dryness of mouth, weak and shaking knees etc. They should be made aware of this reaction beforehand and try to control the symptoms by deep breathing.
4. Firearms should always be assumed to be real and loaded.
5. Staff should alert robbers to any possible surprises, such as an employee in the back room.
6. Staff should be trained to take mental notes about the robber (age, physique, gait, hair, complexion, accent, clothes (especially footwear), hands, tattoos, weapons, nicknames). It is useful to work from head to foot taking mental “snapshots”.
7. Once the robbery has begun, the objective should not be to thwart the robber’s objectives, but to get him out of the facility as quickly as possible.
8. Staff should be instructed to speak only when spoken to.
9. If the robber’s demands cannot be met, staff should be able to offer an alternative.
10. The only occasion that warrants possible resistance is when robbers attempt to leave the premises with a hostage.

Post Workplace Robbery Actions

1. The premises should be locked as quickly as possible and the police called.
2. Customers should be requested to remain on site until arrival of the police. If they refuse, names and addresses should be taken.
3. Staff should write down immediately all they can remember about the attackers, including details of vehicle, and direction of travel.
4. Staff should keep all details of what has been stolen for the investigating officers, not the first responder police, who may talk to the media.
5. Staff should not disturb any physical evidence.
6. Staff will require special counselling to combat the later onset of post-traumatic stress disorder.

Internationally-Recognised Security Management Certification



The internationally recognised ASIS Physical Security Professional Certification programme has arrived in Nigeria! Over a dozen security managers attended an ARC Training five day review course in Lagos recently to prepare them for the examination to achieve this prestigious award.


The PSP certification is offered by ASIS International, the world’s leading security professional organisation. It requires candidates to have a detailed knowledge of security risk assessment, design and installation as well as other areas supporting the successful planning and implementation of physical security management systems.


ARC Training's preparation programme for this prestigious examination is a blend of distance learning, on-site training and self-study. It will terminate in a further review session early in 2009, followed by the final, independently adjudicated exam. Facilitated by ARC International’s Peter Horsburgh CPP, PSP, attendees can be seen here hard at work in preparation for their daily test.


For more information on how to bring this training to you, contact Janet.

Wednesday, November 12, 2008

Laptop Theft Reality Check – How Big is the Problem, What is the Impact, and What Can You Do about It?

Laptop theft has four main impacts, of which replacement cost is usually the most minor. The major impacts are disruption to the business; potential gain by an adversary of sensitive business information; and reputation damage or litigation due to loss of personal private client/employee data.

Key Points

  1. The chance that a laptop will be stolen or lost during any twelve months is one in ten, according to a 2002 Gartner Group study.

  2. Many large companies lose about 100 laptops a year. It only takes one laptop to fall into the wrong hands for a journalistic “coup”.

  3. Because laptops are portable, they are highly susceptible to theft.

  4. Researchers at Credant Technologies have determined that 25% of laptops are stolen from the office or the owner’s car. Another 14% are lost in airports or on airplanes.

  5. In London every year thousands of laptops are left in taxis. Thousands more are stolen from UK hotels.

  6. Worldwide, over one million laptops are stolen every year, according to the FBI.

  7. The chance of recovering a stolen laptop is almost negligible. According to the FBI, for example, 97% of stolen laptops are never recovered.

  8. Ponemon Institute’s 2006 U.S. Survey on Confidential Data at Risk concluded “both business and government organizations are not taking appropriate steps to safeguard sensitive or confidential information such as intellectual property, business confidential documents, customer data, and employee records.”

  9. Estimates of the cost of a single laptop loss vary from $5,000 per incident to $5 million per incident.

  10. In a 2005 survey by Credant Technologies, employees who had lost laptops were unproductive for two weeks before they were able to resume regular activities.

  11. In a Ponemon study conducted in 2005, researchers found data breaches seriously affected corporate reputation, corporate brand, and customer retention. When notified of a breach, almost 20% of customers terminated their relationship with the company. Another 40% considered termination.

  12. The loss of a laptop with confidential information is a privacy violation, which in turn can lead to civil liability.

    The ASIS Foundation has produced what is probably the best ever report on laptop theft and theft mitigation. The report can be downloaded from:

    http://www.asisonline.org/foundation/lostlaptop.pdf

    or contact David to obtain a copy by email.

Tuesday, November 11, 2008

Security Professionals Gather in the Czech Republic


Day 2 of the Security Risk Management Course in Prague, conducted by David Cresswell, discussed the concept of embedding into the business a security culture, rather than trying to impose upon business a security regime of “guards, gates and guns”.

One participant shared with the group an interesting initiative undertaken in his own organisation: the CEO had personally sent out an email to all employees designed to measure their company security awareness. Apart from the obvious objective, the email created two by-products. First, it further increased awareness through the way in which the questions were framed. Second, it demonstrated unequivocal top management support for the company’s security programme.

Seven delegates, representing a range of companies including telecommunications, mining, petrochemicals, guarding, technology and the Prague Municipality, are attending the three-day programme, which is delivered through translation into the Czech language in collaboration with ARC’s Czech partner, the Prague-based Orange Group a.s.

Meanwhile, Peter Horsburgh is in Nigeria conducting a one-week Security Coordination and Management Course, Phil Wood is in Dubai conducting Business Continuity and Crisis Management Training, and Janet remains in the UK to look after delegates attending the Investigating IT Misuse Course!

Wednesday, October 29, 2008

Gaining Recognition as a Security Management Professional

ARC has a wide selection of forthcoming courses that will allow you to demonstrate competence in security management. Each year the ARC International Academy trains literally hundreds of security managers from all over the world.

Security Management Stage 1 (17 – 28 November) is the “A to Z” of core security management skills. It is very interactive, fast paced and includes a challenging and engaging course project. It has been attended by hundreds of security managers from around the world, and many of the world’s top multinational companies consider it a benchmark in core-skills security management proficiency. Moreover, the course constitutes part of a work-based studies MSC with Middlesex University. For more details click here: http://www.arc-tc.com/pages/university_acredited_sm.asp#sm1

Security Management Stage 2 (9 – 20 February) is intended for experienced security managers, typically those who have undertaken a core skills security management training programme, or certification such as the CPP. Picking up where Security Management Stage 1 finishes, it tackles the more complex issues in security management. The course constitutes part of a work-based studies MSC with Middlesex University. For more details go to: http://www.arc-tc.com/pages/university_acredited_sm.asp#sm2

Security Management Stage 3 (9 – 20 February) Kuala Lumpur, Malaysia is an advanced-level security management programme that focuses on the skills necessary to manage security at a strategic, regional level. Much emphasis is placed on broadening participants’ ability to contribute effectively to top-level management teams. If you are a CPP holder, this course offers an opportunity to earn all of your necessary recertification credits in one programme. For more details contact Janet.

Investigating and Interviewing Skills (3 – 6 November) is a course specifically prepared for security professionals investigating in a legal context based on English law. Delivered by full-time and vastly experienced investigators, the course is new for 2008 and already has received tremendous accolades, including this from an energy company security advisor: “An excellent course that met my needs very well…that is, to have sufficient understanding to conduct investigations, and to commission investigations by another party.” For details go to: http://www.arc-tc.com/pages/accredited_investigation.asp#f1

IT Security and Incident Response (12-13 November) is designed for security professionals who may be called upon to investigate an incident that involves the use of a computer in some way – an increasing factor in data loss incidents. The course, led by two full-time IT forensics investigators, assumes no technical knowledge, but will equip the participant with the skills necessary to manage this type of investigation and, importantly, protect delicate digital evidence that might otherwise be corrupted. For details go to: http://www.arc-tc.com/pages/accredited_investigation.asp#f4

If the course you require isn't listed above, browse www.arc-tc.com for a complete list, or contact Janet to discuss your bespoke security, crisis management or business continuity management training requirement.

Tuesday, October 28, 2008

Best Wishes and Good Luck!


The staff of the ARC Training International Academy for Security Management sends wishes of good luck to the following security managers set to sit the CPP security management certification examination in Bangladesh.

Ahsan Habib; Masud Quader; Mashud Hasan; Nurul Bashir; Richard Jansen; Nurul Mannan; Aminul Islam; Abdullah Al Obaidi; Golam Murtaza; M Hasibur Rahman; Md Sagir Hossain Biswas; Raghu Bannerjee

We hope that the past six months of intensive preparation results in success for everybody.

Best wishes

David, Phil, Peter, Janet, Bev and Nicky.

White Powder Attacks Continue in the US – Where to Download Useful Advice

More than 30 threatening letters, most containing suspicious powder, were sent to financial institutions in eight US states and Washington, D.C., last week, according to USA Today:

http://www.usatoday.com/news/nation/2008-10-21-powder-banks_N.htm

For UK Government advice on how to proactively and reactively manage the risk of biological/chemical threats by post, go to:

http://www.hse.gov.uk/biosafety/diseases/anthrax.htm

If you are concerned about duty of care to employees and would like to turn this advice into concrete procedures for staff mail handling, and you don't have time to do it yourself, contact ARC Consultancy Services to be put in touch with an expert in this field.

Corporate Manslaughter

Good background notes on what the law states, and to whom it applies, can be found at:
http://www.justice.gov.uk/docs/manslaughterhomicideact07.pdf

Monday, October 27, 2008

Are You in Energy, Communications, Transportation or Utilities, or other Critical National Infrastructure? – This Free Publication Is for You

Critical infrastructures are understood as organizations and institutions of central importance for the country and its people whose failure or functional impairment would lead to severe supply bottlenecks, significant disruption of public security or other dramatic consequences.

Serious damage to the nation’s critical national infrastructure (much of which is in the corporate sector) may be caused by natural events, technical failure or human error, intentional acts of a terrorist or other criminal nature, and war.

A comprehensive new guide from the German government offers a management strategy to help operators of critical infrastructures, i.e. companies and government authorities, identify risks, implement preventive measures and deal with crises effectively and efficiently.

The guide can be downloaded by copying the following link into your browser or contacting David.

http://www.bmi.bund.de/Internet/Content/Common/Anlagen/Broschueren/2008/Leitfaden__Schutz__kritischer__Infrastrukturen__en,templateId=raw,property=publicationFile.pdf/Leitfaden_Schutz_kritischer_Infrastrukturen_en.pdf

In 2009 ARC will be offering two courses specifically to address security management in critical infrastructure:

Protecting Critical Infrastructure (17-21 August 2009) is intended for security managers who manage the security of critical infrastructure - typically, energy, communications, water, finance, food, health and transport sectors. It will examine the range of threats to designated critical infrastructure, including external physical attacks, sabotage, terrorism, IT-based attacks and insider-assisted attacks, and includes strategies for risk management.

Protecting Oil and Gas Infrastructure (24-28 August 2009) is intended for security managers or consultants in the oil and gas industry, or those seeking work in this sector. Drawing on case studies from around the world, it addresses some of the more complex risks associated with oil and gas operations in various environments and includes many practical exercises.

The courses assume a baseline knowledge level of security management, such as that addressed in the Security Management Stage 1 Course. For more information contact David.

Human Rights

Useful guidelines on the UK's Human Rights Act can be found at the following link:

http://www.justice.gov.uk/docs/act-studyguide.pdf

How To Plan an Investigation

If you want to read how to plan an investigation follow this link:

http://www.csoonline.com/article/221232/How_To_Plan_an_Investigation

But if you want to be able to plan an investigation, follow this link:

http://www.arc-tc.com/pages/accredited_investigation.asp#f1

Glossary of Common CCTV Terms

Want to know your focal length from your focal plane? Click on: http://www.cohu-cameras.com/tech/glossary.html#ND%20Filter

Arm Staff to Keep Bandits at Bay, Says Sunday Times

Source: Sunday Times Online

http://business.timesonline.co.uk/tol/business/career_and_jobs/recruiter_forum/article4836584.ece

Firewalls, passwords and high-tech entry systems are all very well but they cannot stop someone from leaving documents on a train or lending their pass to a work-experience student. With all the attention being given to hacking, identity theft and computer-related security recently, it is easy to forget the key role that staff play in corporate security.


“People are beginning to realise that the data-security leakages we have read about in the press are never down to technology – they are always due to people screwing up,” said Martin Smith, chairman and founder of The Security Company (International). “So many things have gone wrong; all of them could be solved with management and training.”

Information and IT security will be covered in ARC's upcoming Security Management Stage 1 course. If you are interested in this business critical area of security, go to the ARC Website, or contact Janet or any of the team for further information.

Thursday, October 23, 2008

Certifying Security Professionals around the World

The ASIS Physical Security Professional (PSP) certification is specially designed for anybody whose job entails the specification, project management or just the management of physical (electronic) security systems. Examination preparation is through study of a series of set books, usually over a period of several months. The examination itself comprises 120 multiple choice questions, with a pass mark of 80%. Upon passing the examination, the successful candidate is entitled to use the letters PSP after his or her name.

ARC Training has developed a unique preparation programme for the PSP examination, combining both distance learning assignments and intensive classroom study. Presently, Peter Horsburgh CPP PSP is in Lagos, Nigeria, conducting an in-house PSP Examination Review Programme for an oil sector client with 14 hopeful examination candidates in attendance. Next week he returns to the UK to work with a further 18 hopeful candidates attending ARC’s open PSP Review Programme, which is run on behalf of the ASIS UK chapter. If last year's results are anything to go by, all candidates should pass the examination under Peter's expert guidance.

Earlier this year, ARC MD David Cresswell went to Bangladesh to begin the preparation of 14 candidates, members of the embryonic new Dhaka Chapter, for the ASIS CPP examination.

If your organisation has a number of potential PSP or CPP candidates and is interested in on-site training for the PSP or CPP exams worldwide, contact Janet. Alternatively, if you would like to attend the open preparation courses in the UK contact Janet also.

Advice on How to Lose the Corporate Crown Jewels!

The latest edition of the BCS Information Security Now newsletter presents sixteen “recommendations” on how to lose your corporate crown jewels – your most treasured databases. With many office workers admitting that company databases would be a top target for information theft if they were considering leaving, the list makes a useful checklist from which procedures can then be developed:


1. Employees able to access a database regardless of their need to do so, with sight of complete records including information that they do not necessarily need to see.

2. Unrestricted downloading of the database to removable media.

3. Employees able to print individual records, or even the full database, in hard copy format.

4. Employees able to access records, in undefined quantities or for unlimited periods of time, providing the opportunity to make a written copy.

6. Records, or even the entire database, altered or deleted.

7. The full database, or individual files, emailed as an attachment.

8. The full database, or individual files, uploaded to an external storage facility/website or a hosted document storage and management solution.

9. Secure employment for the purpose of having unrestricted access to confidential data with criminal intent.

10. Existing employees being coerced into removing data for financial gain.

11. Ex-employees who have not had their access rights revoked.

12. Photocopy hard copies.

13. Over the shoulder screen theft from mobile workforce.

14. Writing down, or even sharing, passwords.

15. Loss of external or portable media (memory sticks, CDs, laptops, etc) that contain unencrypted information, often during travel.

16. Misplaced, or stolen, devices (laptops, BlackBerrys, etc) used as a back door to the corporate network.

Wednesday, October 22, 2008

80% of Organisations Suffer Data Breaches, Most from the Inside – Help is on Hand to Find the Culprits

If you still think nameless, faceless bad hackers are the biggest threat to your IT systems and the precious information they contain, think again: Three quarters of all data breaches are at the hands of insiders at the organisation - most inadvertent, but some malicious - according to a recent report from the US-based Ponemon Institute.

The study, which was commissioned by Compuware, found that 75 percent of organizations in the US, UK, France, and Germany have suffered data breaches caused by accidental internal lapses, while 26 percent say they have experienced breaches from malicious insiders.

Over the period 12-13 November, author, broadcaster and computer forensics investigator Ed Wilding will be leading the Investigating Computer Misuse Course at ARC Training. Tackling this delicate issue of data loss, the programme is intended for those whose role may in some way involve the detection and investigation of internal crimes committed against or using company IT systems.

Assuming just a rudimentary “user-level” prior knowledge of IT systems, the course is presented in non-technical language and will be of great benefit to general security managers, consultants, investigators, HR managers, line managers and IT staff who seek to protect their organisation against this fast growing threat. Contact Janet or click on the following link:

http://www.arc-tc.com/pages/accredited_investigation.asp#f4

How to Spot a Liar – Detecting Deceptive Behaviour

Advice by a US investigations trainer (click here) includes how to set the scene of an interview:
It is a given that most employees who are brought into an investigative interview are going to be nervous, whether or not they have done something wrong. (Remember, they have also seen the cop shows on TV, and may have expectations, or if they have something to hide, seek to avert attention from themselves.) Asking simple questions like name, address, marital status, schooling and so on gives you a chance to analyze the subject’s truthful behaviour in this heightened state and establish your own authority. You should also take this opportunity to create some rapport with the subject and make a little conversation. Maybe you both went to the same school or live in the same town. “People who are alike, like.” If you can get the subject to relax early on it will make any stressful or deceptive behaviour he or she exhibits later all the more clear.


Investigations methodology and interviewing techniques are two of the topics covered during the hugely popular Investigating and Interviewing Skills Course, 3-6 November 2008, 2-5 March 2009 and 26-29 November 2009. The course, which is based on English Law, is delivered by Angus D.I. Darroch-Warren BA (Hons) MSyI, Senior Consultant with Linx International corporate security services, a company very active in the corporate investigations field.



Launched a little over a year ago, the course is considered by many to be the best available short investigations course in the UK. For more information contact Janet.

Monday, October 20, 2008

Bomb Threats and Physical Security Planning

One of the characteristics often encountered when a terrorism campaign picks up momentum is a corresponding increase in malicious telephone bomb threats, usually made by so-called pranksters, including employees.

Advice at the following link, originally prepared by the US ATF, provides a good basic analysis of the problem and presents proactive and reactive steps to be taken to manage such situations.
Bomb Threats and Physical Security Planning

Bomb threats and physical security planning is one of the many subjects covered during the forthcoming university-accredited Security Management Stage 1 Course, 17-28 November. Attended by hundreds of security manager delegates, the course is the most popular of its kind in the world, and constitutes the first step en route to the MSc Work Based Learning (Corporate Security Management) from Middlesex University.

For details click on the following link http://www.arc-tc.com/pages/university_acredited_sm.asp#sm1 or contact Janet.

Employee Has Laptop Stolen from Car – and Is Promptly Sacked!

A manager of Colchester University Hospital was recently sacked after a laptop containing hospital patient data was stolen from his car while holidaying in Edinburgh.

IT commentators argue that although the ex-employee was negligent in leaving the laptop in a vehicle, the real culprit was the hospital itself for not ensuring that the laptop’s hard drive contents were encrypted – a point that the Data Commissioner would probably agree on.


As the need for laptop encryption becomes more publicised, this type of incident will in the future expose organisations not only to reputation damage but to fines, enforcement orders and litigation from those whose details have been negligently compromised.


Laptop security is one of many information security topics covered in the Information and IT Security Workshop, 24 November 2008. Contact Janet for details.

Fraudulent Emails - Is It a Scam or Is It Genuine? – Here Is Where to Find out.

Career opportunity scams, cheque overpayment scams, lottery win scams, advance fee fraud scams (419s) – advice on these and many other scams is provided on a special UK Government Office of Fair Trading Site http://www.consumerdirect.gov.uk/watch_out/scams/

Please disseminate this news to staff – perhaps as a “security moment” at the beginning of meetings.

Sunday, October 19, 2008

Contingency Planning – Advice for Businesses on UK National Risk Register Site

The UK Cabinet Office’s National Risk Register site http://www.cabinetoffice.gov.uk/reports/national_risk_register.aspx has seven pages of contingency and business continuity planning advice for businesses. Contact ARC for information about in-house contingency and business continuity training services, or to book a place on the open Business Continuity Workshop on 17 February 2009.

Met Police Launch Interactive Crime Map for London – Check Your Borough Now!

The London borough of Hounslow has seen a 50% increase in robberies against business over 12 months, while neighbouring Kingston has seen a drop of 35% over the same period. These are two of the findings of a new interactive London crime map launched by the Met Police http://maps.met.police.uk/