Gaining Recognition as a Security Management Professional

ARC has a wide selection of forthcoming courses that will allow you to demonstrate competence in security management. Each year the ARC International Academy trains literally hundreds of security managers from all over the world.

Security Management Stage 1 (17 – 28 November) is the “A to Z” of core security management skills. It is very interactive, fast paced and includes a challenging and engaging course project. It has been attended by hundreds of security managers from around the world, and many of the world’s top multinational companies consider it a benchmark in core-skills security management proficiency. Moreover, the course constitutes part of a work-based studies MSC with Middlesex University. For more details click here: http://www.arc-tc.com/pages/university_acredited_sm.asp#sm1

Security Management Stage 2 (9 – 20 February) is intended for experienced security managers, typically those who have undertaken a core skills security management training programme, or certification such as the CPP. Picking up where Security Management Stage 1 finishes, it tackles the more complex issues in security management. The course constitutes part of a work-based studies MSC with Middlesex University. For more details go to: http://www.arc-tc.com/pages/university_acredited_sm.asp#sm2

Security Management Stage 3 (9 – 20 February) Kuala Lumpur, Malaysia is an advanced-level security management programme that focuses on the skills necessary to manage security at a strategic, regional level. Much emphasis is placed on broadening participants’ ability to contribute effectively to top-level management teams. If you are a CPP holder, this course offers an opportunity to earn all of your necessary recertification credits in one programme. For more details contact Janet.

Investigating and Interviewing Skills (3 – 6 November) is a course specifically prepared for security professionals investigating in a legal context based on English law. Delivered by full-time and vastly experienced investigators, the course is new for 2008 and already has received tremendous accolades, including this from an energy company security advisor: “An excellent course that met my needs very well…that is, to have sufficient understanding to conduct investigations, and to commission investigations by another party.” For details go to: http://www.arc-tc.com/pages/accredited_investigation.asp#f1

IT Security and Incident Response (12-13 November) is designed for security professionals who may be called upon to investigate an incident that involves the use of a computer in some way – an increasing factor in data loss incidents. The course, led by two full-time IT forensics investigators assumes no technical knowledge, but will equip the participant with the skills necessary to manage this type of investigation and, importantly, protect delicate digital evidence that might otherwise be corrupted. For details go to: http://www.arc-tc.com/pages/accredited_investigation.asp#f4

If the course you require isn't listed above, browse www.arc-tc.com for a complete list, or contact Janet to discuss your bespoke security, crisis management or business continuity management training requirement.

Best Wishes and Good Luck!

The staff of the ARC Training International Academy for Security Management sends wishes of good luck to the following security managers set to sit the CPP security management certification examination in Bangladesh.

Ahsan Habib; Masud Quader; Mashud Hasan; Nurul Bashir; Richard Jansen; Nurul Mannan; Aminul Islam; Abdullah Al Obaidi; Golam Murtaza; M Hasibur Rahman; Md Sagir Hossain Biswas; Raghu Bannerjee

We hope that the past six months of intensive preparation results in success for everybody.

Best wishes

David, Phil, Peter, Janet, Bev and Nicky.

White Powder Attacks Continue in the US – Where to Download Useful Advice

More than 30 threatening letters, most containing suspicious powder, were sent to financial institutions in eight US states and Washington, D.C, last week, according to USA Today:

http://www.usatoday.com/news/nation/2008-10-21-powder-banks_N.htm

For UK Government advice on how to proactively and reactively manage the risk of biological/chemical threats by post, go to:

http://www.hse.gov.uk/biosafety/diseases/anthrax.htm

If you are concerned about duty of care to employees and would like to turn this advice into concrete procedures for staff mail handling, and you don't have time to do it yourself, contact ARC Consultancy Services to be put in touch with an expert in this field.

Corporate Manslaughter

Good background notes on what the law states, and to whom it applies at:
http://www.justice.gov.uk/docs/manslaughterhomicideact07.pdf

Are You in Energy, Communications, Transportation or Utilities, or other Critical National Infrastructure? – This Free Publication Is for You

Critical infrastructures are understood as organizations and institutions of central importance for the country and its people whose failure or functional impairment would lead to severe supply bottlenecks, significant disruption of public security or other dramatic consequences.

Serious damage to the nation’s critical national infrastructure (much of which is in the corporate sector) may be caused by natural events, technical failure or human error, intentional acts of a terrorist or other criminal nature, and war.

A comprehensive new guide from the German government offers a management strategy to help operators of critical infrastructures, i.e. companies and government authorities, identify risks, implement preventive measures and deal with crises effectively and efficiently.

The guide can be downloaded by copying the following link into your browser or contacting David.

http://www.bmi.bund.de/Internet/Content/Common/Anlagen/Broschueren/2008/Leit
faden__Schutz__kritischer__Infrastrukturen__en,templateId=raw,property=publi
cationFile.pdf/Leitfaden_Schutz_kritischer_Infrastrukturen_en.pdf

In 2009 ARC will be offering two courses specifically to address security management in critical infrastructure:

Protecting Critical Infrastructure (17-21 August 2009) is intended for security managers who manage the security of critical infrastructure - typically, energy, communications, water, finance, food, health and transport sectors. It will examine the range of threats to designated critical infrastructure, including external physical attacks, sabotage, terrorism, IT-based attacks and insider-assisted attacks, and includes strategies for risk management.

Protecting Oil and Gas Infrastructure (24-28 August 2009) is intended for security managers or consultants in the oil and gas industry, or those seeking work in this sector. Drawing on case studies from around the world, it addresses some of the more complex risks associated with oil and gas operations in various environments and includes many practical exercises.

The courses assume a baseline knowledge level of security management, such as that addressed in the Security Management Stage 1 Course. For more information contact David.

Human Rights

Useful guidelines on the UK's Human Rights Act can be found at the following link:

http://www.justice.gov.uk/docs/act-studyguide.pdf

How To Plan an Investigation

If you want to read how to plan an investigation follow this link:

http://www.csoonline.com/article/221232/How_To_Plan_an_Investigation

But if you want to be able to plan an investigation, follow the this link:

http://www.arc-tc.com/pages/accredited_investigation.asp#f1

Glossary of Common CCTV Terms

Want to know your focal length from your focal plane? Click on: http://www.cohu-cameras.com/tech/glossary.html#ND%20Filter

Arm Staff to Keep Bandits at Bay, Says Sunday Times

Source: Sunday Times Online

http://business.timesonline.co.uk/tol/business/career_and_jobs/recruiter_forum/article4836584.ece

Firewalls, passwords and high-tech entry systems are all very well but they cannot stop someone from leaving documents on a train or lending their pass to a work-experience student. With all the attention being given to hacking, identity theft and computer-related security recently, it is easy to forget the key role that staff play in corporate security.

“People are beginning to realise that the data-security leakages we have read about in the press are never down to technology – they are always due to people screwing up,” said Martin Smith, chairman and founder of The Security Company (International). “So many things have gone wrong; all of them could be solved with management and training.”

Information and IT security will be covered in ARC's upcoming Security Management Stage 1 course. If you are interested in this business critical area of security, go to the ARC Website, or contact Janet or any of the team for further information.

Certifying Security Professionals around the World

The ASIS Physical Security Professional (PSP) certification is specially designed for anybody whose job entails the specification, project management or just the management of physical (electronic) security systems. Examination preparation is through study of a series of set books, usually over a period of several months. The examination itself comprises 120 multiple choice questions, with a pass mark of 80%. Upon passing the examination, the successful candidate is entitled to use the letters PSP after his or her name.

ARC Training has developed a unique preparation programme for the PSP examination, combining both distance learning assignments and intensive classroom study. Presently, Peter Horsburgh CPP PSP is in Lagos, Nigeria, conducting an in-house PSP Examination Review Programme for an oil sector client with 14 hopeful examination candidates in attendance. Next week he returns to the UK to work with a further 18 hopeful candidates attending ARC’s open PSP Review Programme, which is run on behalf of the ASIS UK chapter. If last year's results are anything to go by, all candidates should pass the examination under Peter's expert guidance.

Earlier this year, ARC MD David Cresswell went to Bangladesh to begin the preparation of 14 candidates, members of the embryonic new Dhaka Chapter, for the ASIS CPP examination.

If your organisation has a number of potential PSP or CPP candidates and is interested in on-site training for the PSP or CPP exams worldwide, contact Janet. Alternatively, if you would like to attend the open preparation courses in the UK contact Janet also.

Advice on How to Lose the Corporate Crown Jewels!

The latest edition of the BCS Information Security Now newsletter presents sixteen “recommendations” on how to loose your corporate crown jewels – your most treasured databases. With many officer workers admitting that company databases would be a top target for information theft if they were considering leaving the list makes a useful checklist, from which procedures can then be developed:

1. Employees able to access a database regardless of their need to do so, with sight of complete records including information that they do not necessarily need to see.

2. Unrestricted downloading of the data base to removable media.

3. Employees able to print individual records, or even the full database, in hard copy format.

4. Employees able to access records, in undefined quantities or for unlimited periods of time, providing the opportunity to make a written copy.

6. Records, or even the entire database, altered or deleted.

7. The full database, or individual files, emailed as an attachment.

8. The full database, or individual files, uploaded to an external storage facility/website or a hosted document storage and management solution.

9. Secure employment for the purpose of having unrestricted access to confidential data with criminal intent.

10. Existing employees being coerced into removing data for financial gain.

11. Ex-employees who have not had their access rights revoked.

12. Photocopy hard copies.

13. Over the shoulder screen theft from mobile workforce.

14. Writing down, or even sharing, passwords.

15. Loss of external or portable media (memory sticks, CDs, laptops, etc) that contain unencrypted information, often during travel.

16. Misplaced, or stolen, devices (laptops, BlackBerrys, etc) used as a back door to the corporate network.

80% of Organisations Suffer Data Breaches, Most from the Inside – Help is on Hand to Find the Culprits

If you still think nameless, faceless bad hackers are the biggest threat to your IT systems and the precious information they contain, think again: Three quarters of all data breaches are at the hands of insiders at the organisation - most inadvertent, but some malicious - according to a recent report from the US-based Poneman Institute.

The study, which was commissioned by Compuware, found that 75 percent of organizations in the US, UK, France, and Germany have suffered data breaches caused by accidental internal lapses, while 26 percent say they have experienced breaches from malicious insiders.

Over the period 12-13 November author, broadcaster and computer forensics investigator Ed Wilding will be leading the Investigating Computer Misuse Course at ARC Training. Tackling this delicate issue of dataloss, the programme is intended for those whose role may in some way involve the detection and investigation of internal crimes committed against or using company IT systems.

Assuming just a rudimentary “user-level” prior knowledge of IT systems, the course is presented in non-technical language and will be of great benefit to general security managers, consultants, investigators, HR managers, line managers and IT staff who seek to protect their organisation against this fast growing threat. Contact Janet or click on the following link:

http://www.arc-tc.com/pages/accredited_investigation.asp#f4

How to Spot a Liar – Detecting Deceptive Behaviour

Advice by a US investigations trainer (click here) includes how to set the scene of an interview:
It is a given that most employees who are brought into an investigative interview are going to be nervous, whether or not they have done something wrong. (Remember, they have also seen the cop shows on TV, and may have expectations, or if they have something to hide, seek to avert attention from themselves.) Asking simple questions like name, address, marital status, schooling and so on gives you a chance to analyze the subject’s truthful behaviour in this heightened state and establish your own authority. You should also take this opportunity to create some rapport with the subject and make a little conversation. Maybe you both went to the same school or live in the same town. “People who are alike, like." If you can get the subject to relax early on it will make any stressful or deceptive behaviour he or she exhibits later all the more clear.

Investigations methodology and interviewing techniques are two of the topics covered during the hugely popular Investigating and Interviewing Skills Course, 3-6 November 2008, 2-5 March 2009 and 26-29 November 2009. The course, which is based on English Law, is delivered by Angus D.I. Darroch-Warren BA (Hons) MSyI, Senior Consultant with Linx International corporate security services, a company very active in the corporate investigations field.

Launched a little over a year ago, the course is considered by many to be the best available short investigations course in the UK. For more information contact Janet.

Bomb Threats and Physical Security Planning

One of the characteristics often encountered when a terrorism campaign picks up momentum is a corresponding increase in malicious telephone bomb threats, usually made by so-called pranksters, including employees.

Advice at the following link, originally prepared by the US ATF, provides a good basic analysis of the problem and presents proactive and reactive steps to be taken to manage such situations.
Bomb Threats and Physical Security Planning

Bomb threats and physical security planning is one of the many subjects covered during the forthcoming university-accredited Security Management Stage 1 Course, 17-28 November. Attended by hundreds of security manager delegates, the course is the most popular of its kind in the world, and constitutes the first step en route to the MSc Work Based Learning (Corporate Security Management) from Middlesex University.

For details click in the following link http://www.arc-tc.com/pages/university_acredited_sm.asp#sm1 or contact Janet.

Employee Has Laptop Stolen from Car – and Is Promptly Sacked!

A manager of Colchester University Hospital was recently sacked after a laptop containing hospital patient data was stolen from his car while holidaying in Edinburgh.

IT commentators argue that although the ex-employee was negligent in leaving the laptop in a vehicle, the real culprit was the hospital itself for not ensuring that the laptop’s hard drive contents were encrypted – a point that the Data Commissioner would probably agree on.

As the need for laptop encryption becomes more publicised, this type of incident will in the future exposure organisations not only to reputation damage but to fines, enforcement orders and litigation from those whose details have been negligently compromised.

Laptop security is one of many information security topics covered in the Information and IT Security Workshop, 24 November 2008. Contact Janet for details.

Fraudulent Emails - Is It a Scam or Is It Genuine? – Here Is Where to Find out.

Career opportunity scams, cheque overpayment scams, lottery win scams, advance fee fraud scams (419s) – advice on these and many other scams is provided on a special UK Government Office of Fair Trading Site http://www.consumerdirect.gov.uk/watch_out/scams/

Please disseminate this news to staff – perhaps as a “security moment” at the beginning of meetings.

Contingency Planning – Advice for Businesses on UK National Risk Register Site

The UK Cabinet Office’s National Risk Register site http://www.cabinetoffice.gov.uk/reports/national_risk_register.aspx has seven pages of contingency and business continuity planning advice for businesses. Contact ARC for information about in-house contingency and business continuity training services, or to book a place on the open Business Continuity Workshop on 17 February 2009.

Met Police Launch Interactive Crime Map for London – Check Your Borough Now!

A 50% 12-month increase in robberies against business in the London borough of Hounslow, while neighbouring Kingston has seen a drop of 35% over the same period. These are two of the findings of a new interactive London crime map launched by the Met Police http://maps.met.police.uk/

Demonstrating Competence in Security Management

ARC has a wide selection of forthcoming courses that will allow you to demonstrate competence in security management.

Security Management Stage 1 (17 – 28 November) is the “A to Z” of core security management skills. It is very interactive, fast paced and includes a challenging and engaging course project. It has been attended by hundreds of security managers from around the world, and many of the world’s top multinational companies consider it a benchmark in core-skills security management proficiency. Moreover, the course constitutes part of a work-based studies MSC with Middlesex University. For more details click here: http://www.arc-tc.com/pages/university_acredited_sm.asp#sm1

Security Management Stage 2 (9 – 20 February) is intended for experienced security managers, typically those who have undertaken a core skills security management training programme, or certification such as the CPP. Picking up where Security Management Stage 1 finishes, it tackles the more complex issues in security management. The course constitutes part of a work-based studies MSC with Middlesex University. For more details go to: http://www.arc-tc.com/pages/university_acredited_sm.asp#sm2

Security Management Stage 3 (9 – 20 February) Kuala Lumpur, Malaysia is an advanced-level security management programme that focuses on the skills necessary to manage security at a strategic, regional level. Much emphasis is placed on broadening participants’ ability to contribute effectively to top-level management teams. If you are a CPP holder, this course offers an opportunity to earn all of your necessary recertification credits in one programme. For more details contact Janet.

Investigating and Interviewing Skills (3 – 6 November) is a course specifically prepared for security professionals investigating in a legal context based on English law. Delivered by full-time and vastly experienced investigators, the course is new for 2008 and already has received tremendous accolades, including this from an energy company security advisor: “An excellent course that met my needs very well…that is, to have sufficient understanding to conduct investigations, and to commission investigations by another party.” For details go to: http://www.arc-tc.com/pages/accredited_investigation.asp#f1

IT Security and Incident Response (12-13 November) is designed for security professionals who may be called upon to investigate an incident that involves the use of a computer in some way – an increasing factor in data loss incidents. The course, led by two full-time IT forensics investigators assumes no technical knowledge, but will equip the participant with the skills necessary to manage this type of investigation and, importantly, protect delicate digital evidence that might otherwise be corrupted. For details go to: http://www.arc-tc.com/pages/accredited_investigation.asp#f4

Fof detailed information on any course, contact Janet.

Global Risks 2008

Each year the World Economic Forum publishes a report which looks at the key global risks in the coming years. In Global Risks 2008, the Global Risk Network has focused on four emerging issues which may fundamentally shape not only the year ahead, but the decades to come. These issues – systemic financial risk, food security, supply chains and the role of energy – are all central to the functioning of the world economy and to the well-being of global society. The risks associated with them cannot be eliminated. But they can be better understood and better managed. Read on here:

Global Risks Report

Helping to Avoid Information Loss

How much information is leaving your company because your people are leaking it inadvertently? Despite all the technology available to protect information, careless staff are the biggest threat to its integrity and a major contributor to dollar loss. Procedures and awareness can do much to mitigate this risk and this article from the UK Sunday Times illustrates some of the issues: Arm staff to keep bandits at bay

Information and IT security will be covered in our upcoming Security Management Stage 1 course. If you are interested in this business critical area of security, go to the ARC Website, or contact Janet or any of the team for further information.

Laptop Stolen – Or Did You Leave it in a Black Cab?

London taxi passengers have left more than 60,000 hand-held devices in the back of black cabs during the past six months, a survey has found. Some 55,843 mobile phones and 6,193 other devices, such as laptops, were forgotten, Credant Technologies found. This revelation calls into question the authenticity of claims by 15,000 visitors to London each year that their laptops have been stolen. After all, few employees would be brave enough to admit that they neglectfully left a laptop in a cab!

New devices - including mobiles, MP3 players and memory sticks - have the capacity to store tens of thousands of documents or pictures and millions of contacts and emails, making them a target for identity theft criminals and hackers.

A survey by credit reference agency Equifax in April suggested 16% of its customers stored PIN numbers on their mobile devices while 24% recorded birthday dates – making it easy for ID thieves to clone identities.

Investigations Challenges of the Future

As organisations become increasingly reliant on IT systems, the systems themselves often become the tools for, or the scene of, internal crimes. The investigative challenges for the regular security professional are challenging, to say the least. Do you take people with a strong investigative background, and train them in computer forensics - or do you take people who have strengths in computer forensics, and try to train them in investigative skills? This is one of the many problems addressed in an on-line article on CSO Online, entitled Investigations: Merge Ahead, which looks at how physical and digital investigations are increasingly merging.

The 2-day IT Security and Incident Response Course is an intensive programme intended for those whose role may in some way involve the detection and investigation of internal crimes committed against or using company IT systems. It provides a thorough understanding of the value of effective response measures in handling such incidents.

Delivered by Ed Wilding, author and practicing IT forensics investigator, the course is presented in non-technical language and, thus, is of great benefit to general security managers, consultants, investigators, line managers and IT staff. It combines theory-based lectures and discussions with a unique one-day investigative simulation.

The next programme is scheduled for 12-13 November 2008. For details click here.

http://www.arc-tc.com/pages/accredited_investigation.asp#f4

For the CSO online article, click here.
http://www.csoonline.com/article/448666/Investigations_Merge_Ahead?page=1

Al Qaeda Interested in Bombing Public Buildings

The Department of Homeland Security (DHS) has issued an analytical "note" to U.S. law-enforcement officials cautioning that al-Qaeda terrorists have in the past expressed interest in attacking public buildings using a dozen suicide bombers each carrying 20 kilograms of explosives. The intelligence is based on recently discovered information about Al Qaeda training sessions conducted some year ago, so there is no reason to assume the threat is specific to this time.

ARC Analytical Comment: The London bombings of 2005 demonstrated how suitably radicalized individuals, with limited technical skills, can manufacture home-made TATP high explosive devices using readily available ingredients. And there is no shortage of vulnerable “public” targets which can be attacked in this way. A reasonably strong person should be able to carry a load of 20kg in a backpack without raising suspicion, and would blend in very well in a tourist environment, such as a major European city.

The effect of detonation of such a charge in a confined space, such as the ground floor lobby of a building, would be significant. Although unlikely to cause building collapse, there would be major loss of life, damage and injury beyond the immediate area of detonation, and significant damage to building management systems. Building security services, which are often located in or near a lobby, would also be paralyzed. It is likely that the lobby would be unusable as an emergency escape route for surviving building occupants.

In addition to considering proactive antiterrorism measures, those responsible for building safety and security should consider the following reactive components of a facility terrorism emergency response plan:

1. Evacuation via non-planned routes
2. First aid and rescue capacity in the event of security staff being killed or injured
3. Dispersal upon evacuation, rather than assembly (assembly presents a target for a secondary suicide attacker)
4. Floor wardens trained and exercised in the above
5. Road and transportation (fire and ambulance) gridlock if several coordinated attacks are concentrated in one locality

Information Security Focus: Information Security Breaches Survey

Many of your countries already have personal identification cards, and there can be no doubt that they are a most useful element of a contiguous national security programme. However, there are many who see the collection and retention of personal information involved in identity card programmes as an infringement of civil rights and personal privacy. This report, from the UK’s Financial Times, illustrates the problems which can arise and the levels of public resistance to such initiatives – set against the background of several recent cases of loss of personal information by government departments.
FT Report 26 Sep 08

On a separate note, the UK Department for Business Enterprise and Regulatory Reform has recently published its annual Information Security Breaches Survey. This survey looks at a representative cross section of the business community and indicates their reported ability to deal with information and IT security breaches. Whilst the situation seems to be improving – there is a long way to go! Please email Phil if you would like a copy of this report.

Information security and related issues are discussed during Security Management Stage 1 – the next course is in November – go to the ARC Website, or contact Janet or any of the team for further information.

Kidnap Rescue and Response – A Success This Time

The recent kidnap and spectacular rescue of 11 Europeans by a combined special forces unit in Egypt has engendered media interests and reports worldwide. This, from the UK’s Times, is an example: Kidnap

However, the quotation from the report to note is: ‘A Sudanese official said that the hostages had been abandoned before the rescue mission was begun…’ For many hostages, the most critical time is when law enforcement agencies attempt rescue – it is at this stage where fatalities often occur. However, with some training and awareness, potential hostages could reduce their vulnerability considerably.

Kidnap response is covered during ARC’s Security Management Stage 3 Course, as a 1-day workshop or as a bespoke, in-house course. Contact Phil for details

Nuclear Terrorism Focus: Edging Closer to Catastrophe

The likelihood that terrorists will detonate a nuclear weapon poses the greatest risk to world security, surpassing proliferation threats from Iran and North Korea, according to a United Nations atomic chief.

“There is a lot of interest on the part of extremist groups to obtain nuclear material,'' Mohammed El Baradei, director-general of the International Atomic Energy Agency, said at a scientific forum on 30 September in Vienna during the annual conference of the 145 nations in the IAEA. ``It's the No. 1 security threat right now.'' Read about it here.

This latest assessment adds further weight to the general view that this threat is real and highly possible given a certain set of circumstances. Although most will ignore this threat because it is too terrible to contemplate, if you are informed about the effects of such attacks, your chances of business recovery may increase. ARC covers Protection Against Explosive Devices (PAED), CBRN, terrorism and business continuity (all issues related to this subject) during various course and workshops. Contact Janet or go to ARC's website for details.

Information Loss

Just as delegates attending the ARC Security Management Stage 1 programme in Delhi were highlighting the problems of information loss and the risks posed by uncontrolled portable media , the UK’s leading intelligence service, MI6, have provided a good illustrative example. One of their operatives allegedly sold a digital camera with classified images still held on the memory card!

‘Media reports said the Nikon digital camera was put up for sale on Internet trading site eBay and sold for just 17 pounds ($30.64). Its memory had names of al Qaeda members, fingerprints and suspects' academic records as well as pictures of rocket launchers and missiles, the Sun newspaper reported.’

So, if these crack international intelligence gatherers can get it so wrong, what are the chances of your organisation’s employees protecting all of your information adequately? Think about it – any gaps that you need to plug? Ask ARC Training for advice on how to control portable media.