
Data-Driven Security: The Best Way to Improve Security for Anything, Anywhere

How can you improve your security program?  Are we talking about a seaport?  A church?  A manufacturing facility?  A gas pipeline?  An office building?  Corporate Headquarters?   Zoo?  Hospital?  Bank?  Clinic?  City Hall?  Harbor?  Stadium?  Government Agency?

It doesn’t matter what you need to protect — if you decide it is a critical asset, it needs good, continually improving security, and an on-going assessment program is the fastest, easiest way to get it.

If wonderful, dedicated you (as the security pro) don’t know what’s working and what’s not, how can you improve the overall program, unless you wait for a “precipitating event”, like a THEFT, like an ASSAULT, like a FLOOD, or a HURRICANE, or a POWER LOSS, and then you immediately start working on that and making sure THAT particular disaster doesn’t happen again!
Meanwhile, everything else is slowly losing energy due to lack of constant attention.

And so let’s say you are the Super Bowl, and the power went out!  Terrible. Inexcusable.  And you’re busy getting a 2nd or 3rd backup generator to make sure THAT POWER LOSS never happens again.

The problem with this model – fixing what’s broken and ‘learning from experience’ – is that it’s always a day late. You’re always chasing after something that already happened.

Instead, you can set up a program that you use to continually evaluate the current condition, assess the risk, and then improve the security controls, based on THAT RISK ASSESSMENT.

Tony Robbins used to call it CANI: Constant And Never-ending Improvement.

You can accomplish this by setting up regular assessments and then adjusting or tweaking the security controls to adjust to new, or more aggressive, threats. “Regular” assessments can be monthly, quarterly, semi-annually, annually, bi-annually, whatever schedule suits you and the organization. The idea is that by continually reassessing your last improvement, and changing the threats and risk level, you can create a dynamic, data-driven security program that improves the security profile dramatically, without having to suffer through another triggering event!

The concept of CANI – Constant And Never-ending Improvement can breathe life into your security program, you can use it to improve your health, your fitness level, your guitar playing, your _______________________. You fill in the rest!

 

 

Another School Shooting Means We Learned Nothing from Newtown

It has been almost one month and two days since the tragic school shootings at Sandy Hook Elementary, where 20 young first-graders were shot by a crazy person with an assault rifle.

That day was one of those moments that you never forget, it’s seared in your brain and you probably know EXACTLY where you were when you heard the news start to trickle out.  I was at Toys R Us with my son and we were buying presents for his young twins.  I was checking Twitter and I saw a brief mention of another shooting.  At first it said, 3 individuals and possibly children, then 5 individuals,  then 12 children and by the time our shopping trip was over, so were the lives of 26 people, mostly innocent little first-graders. And it was only a week before Christmas.

As a security person who’s done lots of security assessments, you can’t help thinking, “What went wrong?”  “What could have prevented this atrocity?”  And there are dozens of potential solutions and who knows what might have made a difference.

Then there’s the day that President Obama signed 23 Executive Orders to tighten up background checks on potential gun owners, keep track of who purchases guns, require federal agencies to make more background-check data available, require federal law enforcement to trace guns recovered in criminal investigations, and provide more training for police, first responders and school officials. During his announcement, he said, “Let’s do the right thing!”

We all want to do the right thing, but what IS the right thing, the one thing that will make a difference and significantly reduce gun violence in America?

These Executive Orders are a great start, but we all know the push-back that will come from Congress and the gun lobby, who still want to sell guns, even after they see a photo of a little girl shot, not once, but eleven times.

This was also a big wake up call for schools. The public schools, colleges and universities seem to wake up every ten years and worry about security, and then they quickly forget and go back to worrying about academics instead of security and gun violence. Teachers want to TEACH. Teachers often say, “Security is not my job, my job is to teach and I shouldn’t have to do anything else”.

But SCHOOL SECURITY has to be a process, not just a quick fix. All security has to be a process. The process starts with a clear policy. There has to be an approved policy, whether that policy is a federal guideline, like FEMA 428, “Primer to Design Safe Schools”, or whether it’s a security policy that meets a school’s specific needs. Without a policy, you have no place to start.

There have to be procedures written up, announced, handed out in 3-ring binders, and accompanied with education and training including drills.

There has to be training and education so people know what to do in an emergency, where to go, who to call, and how to respond.

There have to be annual security risk assessments to gauge the current threats, and measure the effective controls, and make the security program a process of continual improvement.

Without the foundation of policy, procedures, training, education and security assessments, it’s not a security program, it becomes just a grab bag of solutions that may or may not work.

For example – here are just a few of the point solutions we heard about today, endorsed by their own lobby groups:

  • Arming teachers with more guns.
  • Banning all guns on campuses.
  • Securing the school perimeter with chain link fences.
  • Doing more and better background checks.
  • Adding cameras which are constantly monitored.
  • Having an armed School Resource Officer on every campus.
  • Security Awareness courses for teachers.
  • Security awareness training for parents.
  • Giving teachers panic alarms.
  • Improving mental health services.
  • An assault weapons ban.
  • Banning high capacity gun clips.

If it was your children’s school or college, which of these elements would you choose?

Schools are a great leveler of our culture.  Everyone has personal experience with schools.  Everyone went to school once, and many have children in schools, or friends in schools, or know staff and teachers who work in schools, so schools are like a touchstone.  But you could also say “Hospital”, or “Train Station”, or “County Offices” or “Movie Theatre” and to protect these things, there has to be a security program in place.

We, as the security community, are the guardians of society.  We protect things of value.  And nothing has more value than our children.  Security has many other names like safety and emergency planning, and disaster recovery and loss prevention and risk management and violence prevention and information protection, just to name a few.

As a global security community, we should make our voices heard in this great debate, because we have the experience to know what works and what doesn’t and your voices are needed now, more than ever.

This is also a time where the public discussion of security breaks through the chatter and focuses attention on something that is critically important to everyone.   Security professionals have always networked and learned from each other’s experience.

Let’s talk to each other more about what works and share this with the rest of the country.

They need us.

About the Author: Caroline Ramsey-Hamilton is a leading expert in assessing risk facilities security, workplace violence and security for hospitals, cybersecurity, nuclear security, and also measuring compliance with security standards like FEMA 426-428, Joint Commission, HIPAA and OSHA. She has developed security programs with the National Security Agency, the U.S. Department of Defense and the National Institute of Justice, the Department of Homeland Security and many other agencies, and has developed a school security risk program with Eastern Kentucky University.

Caroline is a member of the ASIS Physical Security Council, the ASIS Information Security Security Council, and on the Board of the South Florida chapter of IAHSS (International Association for Hospital Safety & Security). She received the Distinguished Service award from the Maritime Security Council, and the Anti-Terrorism Accreditation Board’s Distinguished Service award in 2011. You can reach Caroline at caroline@riskandsecurity or thru her web site at www.riskandsecurityllc.com. She posts breaking security & risk alerts at www.twitter.com/riskalert.

What do Benghazi and Newtown have in common? Flawed Security!

After the attack on the Benghazi mission and the tragic mass shooting at Sandy Hook Elementary, it’s apparent that what these two terrible incidents have in common is that security was not adequate.

In Benghazi, after the hearings and the pundits and speculation, the bottom line is that there was insufficient security.  In-place security controls were not sufficient to deter an attack, and the emergency controls were also not sufficient to recover and deal with the emergency attack.

In Newtown, at Sandy Hook Elementary, security was inadequate.  Security people often say that security is just as good as the weakest link, and despite adding new security controls, it was defeated because of the glass entry.  The shooter wasn’t allowed in so he simply broke the glass.  That slowed him up by 2 minutes, maybe. Also backup security controls were non-existent.  The shooter was observed and still there was no effective response.

There are three elements to security – DETER, DENY and RESPOND:

DETER – means to make the facility look too difficult to attack, and so the attacker thinks it’s too hard and goes away.

DENY – means that it is impossible for the attacker to get into the facility to launch an attack.

RESPOND/PROTECT – means that after the attack is launched, the facility can defend itself, or protect the individuals and/or property inside the facility.

Both Benghazi and Newtown did not deter, didn’t deny access, and didn’t have an adequate security response.

The Newtown shooting showed that this school, like many others across the country, had a false sense of security, because while some security elements were in place, the shooter easily entered the school, making the other elements irrelevant and allowing him to inflict mass casualties.

In both cases, the response was not adequate, it was ‘too little too late’.  And ‘too late’ means the attack can’t be stopped or contained.

The WHY is easy, because the security budget was inadequate. These facilities did not have adequate risk assessments that could have demonstrated the critical assets contained within them. What is more critical than classrooms of 6 year old children? What is more critical than a State Department facility with a U.S. ambassador inside? Yet both didn’t have the protective security controls they deserved because there wasn’t enough budget for enough security.

Another element these incidents have in common is that they are both government facilities. Yes, one was the Federal government and one was a local school district – but they both had the same problem of being short on budgets. And when organizations are short on budgets, security is one of the first things to get its funding cut, or reduced.

Every facility needs a SECURITY risk assessment up front. How else can you allocate the funding and make sure that there is ENOUGH security in place to protect our most critical assets, our children?

Preventing Active Shooters – Schools Struggling to Find Solutions After Sandy Hook Shootings

We can control regular access to our facilities, schools and hospitals. We can have visitors sign into a visitors log. We can take photos and ask for identification and lock the doors, but the Active Shooter doesn’t comply with any of these protocols and we have no control over when and where the Active Shooter may show up.

Here are some additional controls to consider if you need to improve your school or facility security.

1.  Put in Cameras that are actively MONITORED.  

For security experts, you already know this, but others might not know that cameras that just sit on the wall or ceiling only have 2 purposes:  (1)  To scare people into NOT doing something.  (2) To review after an incident happens and use to arrest someone.

Cameras can also be used to monitor what goes in – ACTIVE monitoring. This can be done in a facility, like a hospital, or company, and there are staff members looking at the camera visuals and watching for certain kinds of behavior.  This is also offered as a service.   Monitored cameras can alert police, check to see who’s entering the halls and actually respond and prevent Active Shooter incidents.

2.  Conduct regular training and drills for ALL STAFF and for all STUDENTS

People give lip service to training, but there’s nothing as effective as practicing for an active shooter. It’s one thing to know where to go, or what to do, but it’s so much better to rehearse with a drill, have someone come in, unannounced and practice moving to a safe area, practice locking down a school, hospital or facility. This will expose all the weak areas, and make people more confident that they can deal with a bad situation and protect everyone.

3.   Have a clear NO WEAPONS – NO VIOLENCE Policy in place.

Policies are important because they say, “It’s a mandate, it’s a requirement” and that means most staff will comply with it.
No Weapons signs should be posted at all entrances.  Any violence should be reported and punished immediately.  This has a deterrent effect, as well as giving you the legal ground to stand on if an incident does occur.  It also makes staff and students feel safer.

4.   Know EXACTLY what the response time from the police department is, in case an incident occurs.

You can time your drills, you can have a conference with local law enforcement to trim down their response times.  You can pro-actively provide law enforcement and first responders with the building floor plans, or a digital map of the building.  These preparations shave crucial minutes off the actual response time in case an incident does occur.

Think about how many people a shooter can kill in ten minutes, more than 2 children a minute.  Every second counts so step up and add these four controls into your security control plans.

 

 

 

 

Assessing School Security Takes on New Dimensions after Sandy Hook Tragedy

After 30 years of security risk assessment experience and working with hundreds of schools, hospitals, facilities, I have to say that schools have not taken school security seriously.

Obviously there are the social pressures including mental health screening, proposed assault weapons bans, gun owner screening, etc., but these are the things that won’t change overnight. EVEN IF THEY ARE LEGISLATED, it takes time to implement, and implementation may not be perfect.

TODAY IS THE DAY TO DO A SCHOOL VIOLENCE ASSESSMENT – not tomorrow, not after new gun laws, not after the holidays — TODAY.

There are indicators you can look for to see if your school is at risk of an active shooter incident. And ways to be prepared if the unthinkable happens and an active shooter comes to your school.

Strong, simple access control is the most effective solution, and yes, this may mean that a plain glass front door or window is not enough. Glass is easily broken, and yes, it means that all staff must be a little more accountable, and it probably means a red phone or connection to the local police.

There is a simple school risk assessment program that will give guidance on what you need to do TODAY, what controls you need to implement, what threats are most likely to occur. These can be accessed on the www.riskandsecurityllc.com website.

Some things are preventable, some aren’t. But lockdown drills, alarm systems, and active monitoring of cameras are just a few of the 60 controls every school should have in place to protect our precious children.

 

About Caroline Ramsey-Hamilton

Caroline Ramsey-Hamilton is a leading expert in assessing risk in different areas, including security risk assessments, workplace violence and security for hospitals, cybersecurity, nuclear security, and also measuring compliance with security standards like FEMA 426-428, Joint Commission, HIPAA and OSHA. She is currently working on a universal set of easy security tools that will make it easy to assess risk in a variety of companies, agencies and businesses. Her company, Risk & Security LLC, works with more than 500 clients around the world using a program that standardizes site surveys and assessments and makes it easier to compare facilities and measure their level of security. Caroline is a member of the ASIS Physical Security Council, the ASIS Information Technology Security Council, the Security Assessment Risk Management Association (SARMA), and a Board member of the IAHSS (International Assoc. for Hospital Safety & Security) in Florida. She received the Distinguished Service award from the Maritime Security Council, and the ATAB Distinguished Service award in 2011. You can reach Caroline at caroline-hamilton@att.net or thru her web site at www.riskandsecurityllc.com. She posts breaking security & risk alerts at www.twitter.com/riskalert.

 

School Security Threat Assessment Program helps Schools Identify Weaknesses in Security after Sandy Hook Shootings


Boca Raton, Florida,  Dec. 17, 2012

 

Schools around the U.S. have found it difficult to put strong security controls in place because of lack of funding and resistance by parents and staff, who, unfortunately, saw physical security controls as too restrictive.

After the recent tragedy in Newtown, CT, it is critically important that every school do a security threat/risk assessment to see where their own vulnerabilities may be.

To address the situation and make it easier to do a simple, effective school security assessment, Risk and Security LLC has announced a new School Security app, which can run on a tablet, smart phone or laptop.

The Risk-Pro for School Security© app is available for only $495.00 for non-profit healthcare organizations ($595.00 for others), and comes with an on-line user guide and free training.

The program looks at the entire school, addressing areas like access control, entry controls, and incident response. The program was developed by Caroline Hamilton with the National Institute of Justice and Eastern Kentucky University to create an easy way for schools to use FEMA 428, How to have Safe Schools.

The web 2.0 program, Risk-Pro for School Security©,  is affordable and simple to use.  It includes fully-updated threat databases, and automated web-surveys  based on security requirements from FEMA 428.

“With 3-year old twins in my family, I was highly motivated to make sure they are safe at their pre-school, and have fielded calls from dozens of security professionals who are worried about their children’s school security posture.” The Risk-Pro© model has been used for easy software applications with the Department of Defense and over fifty hospitals, health plans and government agencies.

About Risk & Security LLC

Risk & Security  LLC is a security risk assessment and risk analysis company with over 30 years of combined expertise in security risk.  It specializes in consulting on risk assessment projects and global application development of risk solutions.  Risk & Security partners with security companies around the world to provide state-of-the-art security expertise to analyze risk and recommend cost-effective countermeasures.

The team of risk and security experts is led by Caroline Ramsey-Hamilton, who has created more than 18 security assessment software programs, and conducted more than 200 specialized security risk assessments in a variety of environments, including companies in the United States and around the world.

 

 

For more information: caroline@riskandsecurityllc.com

Maybe we’re just tired of “Serious”.

After watching the Sunday political shows, every journalist asks, “Why is the media so focused on the Petraeus Investigation?”

I have a defense for this:  we’re all tired of the REALLY IMPORTANT STUFF.

After the election, which felt like it lasted over a year, and then the worry about the impending disaster of the fiscal cliff (please, don’t say “PHYSICAL CLIFF”), maybe everyone is exhausted by the urgent and important issues and would just like a good old fashioned sex scandal. And we got one!

An amusing, lightweight story, where the main players are stereotypes themselves, the attractive, social-climbing women, the glamorous jet-setting generals, who take time out of fighting terror to send out sexy emails, is a delight after all the serious reporting of the last four months.

I think we should be able to enjoy it a little, and as Mr. Bennet said in Pride & Prejudice, “For what do we live, but to make sport for our neighbors, and laugh at them in our turn?” And it’s the General’s turn!

Why the HIPAA Risk Analysis should be finished by December 31, 2012

The federal regulators from the U.S. Department of Health and Human Services are from the Office of Civil Rights. They think that breaches in patient information protection are a violation of the patient’s civil rights! Regulators commonly assess fees for non-compliance and some are as high as $4 million.

Because the OCR just came out with new Audit Guidelines this summer (email me and I’ll send you a copy), we all can see that the visits to healthcare organizations are still speeding up, and even more rules are coming this fall as they reconcile the HIPAA Security Rule with the HIPAA Privacy Rule with the Breach Notification Rule.  I call this:  MEGA HIPAA!

Because the current HIPAA rules have been in place for over ten years, and because the new Rules may be much more complex, it makes sense to finish your 2012 HIPAA Risk Analysis for either Security or Privacy, or both, before December 31, 2012.

My experience with federal regulators and auditors leads me to believe that a HIPAA Security Risk Analysis that is finished before the end of this calendar year will go a long way in reassuring regulators that there is, at least, a formal process in place to assess the risks to patient medical information.

A new software program is based on my original free Data Collection Guide, and can be used to complete these important security rules at a fraction of the cost of older, out-of-date risk analysis programs. Or do it on a spreadsheet.

Remember, you can also use it in your Meaningful Use Risk Assessment.  A two-for-one.

My advice:  Take the easy way out.  Finish the Risk Analysis!

 

 

After Aurora – Where Do We Go From Here?

Having written several articles on gun violence and remembering exactly where I was after Columbine, I know that very few security professionals are interested in restricting access to firearms.

But clearly this is terrorism.  This is murder.  All the outcry about abortion, and protecting fetuses, and there’s not even a peep when 12 young people are gunned down, having done nothing to deserve such a vicious fate.

So what we are talking about is HOW TO PROTECT THE PUBLIC from acts of terrorism and murder.

Any way this could have been prevented?

1.  Now we know he was under a psychiatrist’s care, he should have flunked the assault rifle purchase test.

2.  If the theatre had true locking back doors, and alerts when they were propped open, he could not have come back inside with his arsenal.

3.  If the back door had cameras and was monitored, he could have been caught, or at least, the public address system could have warned the patrons in the theatre.

Since none of these things were done, a terrible tragedy took place.

I think we are safer with cameras everywhere and active, real-time monitoring of those cameras.  I’m all for controls like panic alarms (which should be as common as fire alarms), and for annual security assessments.

Maybe we can learn something.

A Terrible Day in Colorado – Terrorism by Twenty-Something

Just saw that now 71 people were shot at the Aurora, Colorado theatre, and 12 have died, including children.

This is exactly the kind of incident that I used to think would wake everyone up to the dangers of NOT doing annual security reviews, and  NOT allowing everyone on the planet to stock their attic with automatic assault rifles, and instead, we are at an intersection in the national dialogue where talking about assault rifles, OR security controls, is something people would rather ignore.

Whether it’s the hospital security administrator who thinks posting a simple “NO WEAPONS” sign is too much security, or the facilities who deny the security officers any weapons bigger than a purse-size pepper spray, they are actually ENABLING security incidents of this type.

I heard these officials on CNN saying, “It’s not terrorism”! It certainly IS terrorism. It’s just domestic terrorism, but it shows you how easy it would be for a terrorist to walk into the US, buy some AK-47s and walk into a regional mall, a batting cage, a mega-church, a hospital, a sports arena, and proceed to kill dozens of innocent people in just a few minutes.

With 71 shot, and 12 dead, it is more deadly than your typical IED in Afghanistan! It’s more deadly because there is human ‘intelligence’ (and I use the word loosely) behind the attack. Instead of a simple detonation event, the shooter can choose victims, look them in the eyes and then kill them.

This is an intentional event by someone so lost that he didn’t even put up any resistance to police.  Why should he, he’s already made his statement and now has his 15 minutes of fame.   That is 5.5 people killed or injured for each 1 minute of fame.

If you are reading this today, you should do a quick risk assessment of your organization and make sure your staff are developing situational awareness, watching and evaluating what is going on around them.  It may make the difference between life and death someday.