Tuesday, December 23, 2008

New Standard Published – Chief Security Officer

In its drive to improve the standard of security across private and public organisations, ASIS International has just published a new Chief Security Officer (CSO) US Standard. This document builds on ASIS’ previous CSO Guidelines and provides the background and guidance necessary to support security operations in the dynamic business environment and to protect against equally dynamic threats. We will post the PDF on our website resources page soon but in the meantime, if you would like a copy, it is available for free download from ASIS:
CSO 2008

Information Focus – Port Cyber Security

Many people see maritime security as a physical loss prevention and protection issue. However, like any other business activity, there is significant potential for theft and other adversary activity using IT systems. The range of cyber threats has been highlighted in an article recently published by Continuity Central: Port Cyber.

ARC addresses IT as well as maritime and transport security during various courses in 2009. Contact Janet for information.

Friday, December 19, 2008

Biometrics – Does Your Knowledge Measure Up?

The use of biometric technology continues to grow in importance for access control and tracking systems. Measurements of fingerprints and hand geometry led to iris and retinal scans with face recognition growing in popularity. But did you know that everyone’s tongue is different? And did you know that your body odour can be used for biometric access control? The future of access control may involve unwashed employees lining up to stick out their tongues before logging onto their IT systems!
An interesting CNN article can be accessed through this link: CNN Biometric Report

New Report on Disaster Protection

We reported last month on the inevitability of a pandemic in the future and highlighted some of the worrying facts about avian flu in particular. Many organisations and public authorities are addressing the risks and threats associated with pandemics and are also looking at other public health issues which need to be managed. One such organisation is the ‘Trust for America’s Health’, which has released a 2008 report entitled ‘Ready or Not’, covering a range of bio-related public health issues. If you haven’t thought about this and the potential effect on you and your business, it’s worth reading. Read the report here: Bio 2008, and contact us if you would like to discuss pandemic, CBRN or BCM planning and training.

Tuesday, December 16, 2008

New Malware Threats Approaching

In a reflection of the rapidly developing and evolving nature of IT threats, a recently published internet article from MessageLabs lists the 5 new malware threats for 2009. These threats include ‘mash-up malware’, social network phishing and new botnets. As the criminals continue to develop their expertise, the risks continue to grow for home and business users. Read the MessageLabs article here: 2009 Malware, and go to the ARC website for resources on IT security: IT Resources

Monday, December 15, 2008

Are You Vulnerable to Fraud?

As an already worried financial world is rocked by yet another allegedly massive fraud, have you considered your own vulnerabilities? Fraud tends to be carried out by those who are normally considered to be trustworthy or work in specialised roles without oversight or management. People who are fraudulent are normally extremely competent in their area of specialisation and, because they know their own management systems so well, can effectively cover their tracks. The impact of fraud can be not only damaging but can destroy companies completely if the scale of the activity is large enough. So, is it time that you had a good look at your own organisation’s processes and what exactly goes on in vulnerable areas? If you want to know what to look for and the types of fraudulent activities that can go on, ARC conducts various workshops and programmes which cover their symptoms and treatment. Contact Janet for details.

Friday, December 12, 2008

Are Your Financial Transactions Secure?

Business transactions, whether between corporate organisations or between individuals and retailers, are part of everyday life. Also, the means of making these transactions have become simpler and more user-friendly over recent years. Unfortunately, the ways in which these activities are carried out are also criminal-friendly. Incidents of intrusion into personal and corporate information, identity theft and fraud are on the increase and are becoming difficult to combat effectively. Organised criminal gangs and terrorist groups have the intent, means and opportunity to make effective intrusions and to capitalise upon lax security and will strike wherever there are gaps in protective measures. Are you at risk? Follow this link: Transaction Security Report, to look at a report on transaction security issues and make up your own mind.

Thursday, December 11, 2008

Business Travel Security Focus

Currently, Greece is in a state of chaos due to ongoing civil unrest. Although the country has a long ‘tradition’ of street protest, these latest riots are far more serious than any in the past. Greece has in recent years been a safe place to visit either for business or leisure but the last week has proven the case that serious unrest can often flare up without warning. There have been many cases of worldwide travellers being caught up in similar unrest but there are precautions that can be taken if it happens to you or your staff. ARC is running courses and workshops throughout 2009 which cover business travel security and protection of at-risk personnel. For more information on this critical subject, either go to the ARC website or contact Janet.

Monday, December 8, 2008

Technology – Friend or Foe?

In March this year we covered on this blog the use of satellite imagery by activists in the UK. The recent Mumbai attacks may have been the latest incidence of this effective, and increasingly advanced, tool being used by adversary groups. Satellite mapping allows close detail surveillance of terrain, topography and infrastructure and also allows distances and dispositions of personnel to be checked with a good degree of accuracy.

Also, the increased availability and capability of Voice over Internet Protocol (VoIP) communications, satellite phones and GPS navigation systems provide such groups with technological agility which greatly enhances their ability to reach targets and communicate with each other.

For most businesses, it must now be assumed that any potential adversary can and will make use of satellite mapping services in their assessment of a site’s weaknesses and strengths. The challenge for the security professional is to ensure that they can optimise protection whilst accepting the fact that they are under satellite surveillance. But remember – although satellites can photograph fences and barriers, approach and escape routes, they cannot assess your security awareness programmes and the effectiveness of your personnel in implementing security procedures. If you can strengthen those, perhaps you can negate the effectiveness of the ‘eye in the sky’!

See a NY Times report on the issue here: NY Times

How to Reduce Information Risks

Protecting businesses against information loss is becoming more difficult as technology continues to develop and employees try to keep pace with increasing security risks. Organisations and companies world-wide face the same problems, regardless of business sector and, of course, mismanagement of information has the potential to result in catastrophic losses. Ernst and Young have recently published their 10th Global Information Security Survey which identifies trends and measures in place to prevent information loss. The report is available here: Ernst and Young 2008

If you would like to know more about this subject, ARC’s 2009 programme of courses deals with the range of information threats and provides detailed guidance on how to protect your business. Further details are available in the ARC 2009 brochure (2009 Brochure) or from Phil.

An Essential Physical Security Resource – Now Available

Physical security is a wide subject area and there are many resources available for this area of security, upon which many managers quite rightly place a great deal of emphasis. However, it is often difficult to find a ‘one-stop’ resource where all of the major subject areas are treated together. The US Army Physical Security Manual, however, is an excellent source of all things physical security related and discusses not only the hardware required but a systems, design and planning approach to optimise asset protection. This resource is now available from the ARC website via this link: US Army Physical Manual

The Manual is one of the resource documents for the ASIS PSP™ certification. In the New Year, ARC will begin the first of its 2009 preparation programmes for the examination. For further information, go to the ARC website http://www.arc-tc.com/pages/asis_cpp_psp.asp#asis2
or contact Phil

Chemical Plant Security – Alternative Thinking

Chemical plants are dangerous places and make an attractive target for terrorist attack. However, there are ways, apart from closing down operations, of significantly reducing the potential after-effects of attacks. By changing processes and logistic arrangements and implementing alternative ways of working, risks and their impact can potentially be mitigated. An interesting report by the Center for American Progress is available via this link: Chemical 101

Sunday, December 7, 2008

UK Law Guidance Online

Law and regulation can be confusing; and few legal systems are as complicated as that of the UK. For those UK-based security professionals who need to understand the Law, help is at hand online. The Criminal Justice System website provides authoritative guidance and resources concerning UK Law and its implementation. Follow this link to access, for example, the site's guide to Magistrates’ Courts: CJS Magistrates

How To Implement Security Awareness Programmes.

Companies and organisations spend huge amounts of money each year on security and asset protection measures. How would you like to maintain high levels of security and perhaps spend a little less of your budget?

A good method is to raise the levels of security awareness amongst employees – of course, this can be difficult if there is resistance or apathy amongst the workforce. The US National Security Institute has produced an excellent guidance document, ‘Improving Security from the Inside Out’, which provides analysis of awareness training methodologies and recommendations along with checklists for implementing programmes.

The NSI report is available here: NSI Report

Our upcoming 2009 programmes and courses promote the value of security awareness within vulnerable organisations and we emphasise the positive results that can be achieved throughout all of our training activities. If you would like to know more, please contact Janet, and get your employees' heads out of the sand!

Friday, December 5, 2008

Security Managers – Protectors against Risk or Sources of Competitive Advantage?

The role of security managers has developed in recent years from that of ‘company policeman’ to a more proactive and business-friendly role. There is considerable weight behind the argument that security professionals should not only know their own specialisation, but also be able to operate with, and speak the ‘language’ of other business departments.

In 2006, Demos, a UK ‘think-tank’, published Rachel Briggs’ and Charlie Edwards’ pamphlet The Business of Resilience, which consulted business leaders globally and drew the conclusion that security professionals have the potential to contribute far more to business if they can move away from thought processes which focus only on security.

ARC’s Security Management Stage 3 Courses, which will run in the UK from 11th to 22nd May and 21st September to 2nd October 2009, deal with the themes from The Business of Resilience and ask delegates to critically appraise their own contributions and assess areas in which they could maximise the value of security to their businesses. If you are interested in maximising your own potential or that of your security managers, contact Janet.

You can download a PDF of Briggs’ and Edwards’ report here:

The Business of Resilience

Request for Post-Graduate Assistance

Those who have worked with us know that ARC champions academic development in the security profession and it is important that academic research is based upon reliable information. In keeping with that spirit, can you help with the following request?

‘Dear Participant,

I thank you in advance for taking the time to complete this questionnaire. The survey is purely for research purposes and is a very important element of my Post Graduate studies in Security Management. The information you provide will be confidential, however the outcome of the research can be made available to you if you so wish. My details should you wish to contact me are:
Mobile: 0044 79 58 046 285 and
Email: ddaniead@aol.com.

I would also be extremely grateful if the questionnaire could be completed on or before 15 December 2008.

You can follow this link to my questionnaire: http://www.surveymonkey.com/s.aspx?sm=vQayWtY3kAIafniu9s8npA_3d_3d

Danie Adendorff (MSyl)’

Protect Your Assets - Anti-Piracy Insurance

The recent high-profile piracy incidents at sea have prompted a reaction from consultancies and insurance companies in order to mitigate the impact of losses. By introducing piracy risk insurance, it is hoped to cover many potential problems, including damage to ships, loss or harm to cargo, terror attacks and kidnap and ransom.

The UK’s Times newspaper has published an article on this latest development in the war on piracy – read it here: The Times - Piracy

Lack of Security Awareness Costs Financial Organisations

A new report by ENISA, the European Network and Information Security Agency, has found that thefts of customer information and the costs associated with security incidents are on the increase. ‘Information Security Awareness in Financial Organisations’ assesses the risks facing financial organisations and provides guidance on implementing security awareness programmes, recommendations and case studies.

You can download a copy of the report from the ARC website by following this link: ENISA Report

If you would like to learn about countering such risks, ARC will be offering a range of Information Security courses and workshops throughout 2009; download the new brochure here or contact Janet for more information.

Quick Links to the Law


The ARC web resources page now has quick links to some of the main pieces of UK legislation affecting the security manager. Click on the link below to be taken to the list:

International Terrorism and Critical Infrastructures

The threat of international terrorism and the increasing number of natural disasters pose a growing challenge for the protection of critical infrastructures, many of which are operated by the private sector. And information technology, which has pervaded all areas of life and economic activity, brings new vulnerabilities.

The German Government has produced an excellent guide in English on the protection of such infrastructures. The guide can be accessed via the ARC website by clicking on the link below:
Protecting Critical Infrastructures - Risk and Crisis Management. A guide for companies and government authorities


In 2009 ARC Training will be offering two new courses on the protection of critical infrastructure:


Protecting Critical Infrastructure, 17-21 August, is intended for security managers who manage the security of critical infrastructure - typically, energy, communications, water, finance, food, health and transport sectors. It will examine the range of threats to designated critical infrastructure, including external physical attacks, sabotage, terrorism, IT-based attacks and insider-assisted attacks, and includes strategies for risk management. For details click on the link below:
http://www.arc-tc.com/pages/other_accredited_sm.asp#s5


Managing Security Risks in the Oil & Gas Sector, 24-28 August, is a sector-specific programme intended for security managers or consultants in the oil and gas industry, or those seeking work in this sector. Drawing on case studies from around the world, it addresses some of the more complex risks associated with oil and gas operations in various environments and includes many practical exercises. Participants should have a baseline level of security management knowledge, such as that covered in Security Management Stage 1. For details click on the link below:
http://www.arc-tc.com/pages/other_accredited_sm.asp#s1


For details on any ARC course, or to discuss an in-house requirement, contact Janet.

Wednesday, December 3, 2008

The Human Rights Act 1998 – Are you Bound by It?

The UK Human Rights Act 1998 is based on the European Convention on Human Rights. The Act makes it unlawful for a public authority in the UK to act incompatibly with the Convention rights and allows for a case to be brought in a UK court or tribunal against the authority if it does so.


Privatised utilities such as water, gas and electricity companies have functions that will probably count as "public" under the Human Rights Act. If a body of this type has breached Convention rights, a claim under the Act is possible only if the act or decision complained about is in the public sphere. If it is a wholly private matter (for example where such a person, body or company is acting as an employer or in a commercial capacity), a claim under the Human Rights Act will not be possible.


For a detailed explanation of the guide, click below:
A Guide to the Human Rights Act 1998

Corporate Social Responsibility Focus

The International Finance Corporation (IFC) publishes a set of Performance Standards to manage social and environmental risks and impacts and to enhance development opportunities in its private sector financing in its member countries eligible for financing. The Performance Standards may also be applied by other financial institutions electing to apply them to projects in emerging markets.


On a recent ARC Training on-site course, the CEO of a leading oil and gas company, addressing security management delegates, underscored his belief that within the context of oil and gas operations in developing countries corporate social responsibility and security management were “two sides of the same coin”.


To download the standards go to:
http://www.arc-tc.com/pages/resources_publications.asp#C
and scroll down to the heading Corporate Social Responsibility.


The relationship between Corporate Social Responsibility and security management will be one of the topics covered in detail in the new Managing Security Risks in the Oil & Gas Sector, 24-28 August. Click on
http://www.arc-tc.com/pages/other_accredited_sm.asp#s1


For details on any ARC course, or to discuss an in-house requirement, contact Janet.

New EU Study on Countering Information Security Risks

ENISA, the EU agency for information security, has published a new study on how to counter information security risks, with a focus on staff awareness in the financial sector.
To access the report, go to:
http://www.enisa.europa.eu/pages/02_01_press_2008_11_26_financial_markets.html

Tuesday, December 2, 2008

Panel Warns Biological Attack Likely by 2013

The United States can expect a terrorist attack using nuclear or more likely biological weapons before 2013, reports a bipartisan commission in a study being briefed Tuesday to US Vice President-elect Joe Biden.

"The United States should be less concerned that terrorists will become biologists and far more concerned that biologists will become terrorists," the report states. The report is due for release today.

Click on the link below for the full story:

http://www.usatoday.com/news/washington/2008-12-02-terrorist-attacks-report_N.htm

Shared Destinies: Security in a Globalised World

The Institute for Public Policy Research is the UK’s leading progressive think-tank. Its Commission on National Security has just released its latest report in which it warns:

“There is a pressing need to do more to prevent and prepare for violent conflict, state failure, nuclear proliferation, bioterrorism and global pandemics.”

Contact David for a copy of the report, or sign up for a copy at http://www.ippr.org/security/publicationsandreports.asp?id=636&tid=2656