Risk and Security LLC

Risk Assessments, Training and More

This content shows Simple View

Caroline Ramsey-Hamilton

Holding Hurricane Sandy Survivors Hostage to House In-Fighting

Many, including Chris Christie, and Peter King,  are shocked and dismayed when the relief vote for New York and New Jersey was postponed until the new Congress assembles later this week.

The U.S. has historically had a great reputation for jumping in AS A WHOLE COUNTRY to help the victims and survivors whose lives and businesses have been ravaged and, in some cases, destroyed.  Many world leaders have commented on how the USA always pulls together in these emergencies.

According to the House, that’s no longer true.

The decision to take a budget fight to this level is NOT good politics.   These people, most of them property owners AND registered voters, are going into winter without the basic necessities, with houses that have not been repaired, with streets not repaired.  Sixty-eight days AFTER the disaster, these people cannot wait two more days, they can’t wait one more day.

A big country like the United States of America cannot hold its head up in the world, if we can’t help our own brothers and sisters who suffer these terrible events.

If this happened in New Orleans, I think you can imagine what the talking points would be.

As a group concerned about safety and security, we should be writing our congressmen and senators and tell them to stop playing games with federal disaster relief.



What do Benghazi and Newtown have in common? Flawed Security!

After the attack on the Benghazi mission and the tragic mass shooting at Sandy Hook Elementary, its apparent that what these two terrible incidents have in common is that security was not adequate.

In Benghazi, after the hearings and the pundits and speculation, the bottom line is that there was insufficient security.  In-place security controls were not sufficient to deter an attack, and the emergency controls were also not sufficient to recover and deal with the emergency attack.

In Newtown, at Sandy Hook Elementary, security was inadequate.  Security people often say that security is just as good as the weakest link, and despite adding new security controls, it was defeated because of the glass entry.  The shooter wasn’t allowed in so he simply broke the glass.  That slowed him up by 2 minutes, maybe. Also backup security controls were non-existent.  The shooter was observed and still there was no effective response.

There are three elements to security – DETER, DENY and RESPOND:

DETER – means to make the facility look too difficult to attack, and so the attacker thinks it’s too hard and goes away.

DENY – means that it is impossible for the attacker to get into the facility to launch an attack.

RESPOND/PROTECT means that after the attack is launched, the facility can defend itself, or to protect the individuals and/or property inside the facility.
Both Benghazi and Newtown did not deter, didn’t deny access, and didn’t have an adequate security response.

The Newtown shooting showed that this school, like many others across the country, had a false sense of security, because while some security elements were in place, the shooter easily entered the school, making the other elements irrelevant and  him to inflict mass casualties.

In both cases, the response was not adequate, it was ‘too little too late’.  And ‘too late’ means the attack can’t be stopped or contained.

The WHY is easy, because the security budget was inadequate.  These facilities did not have adequate risk assessments that could have demonstrated the critical assets contained within them.  What is more critical than classrooms of 6 year old children?  What is more critical than a State department facility with a U.S. ambassador inside?  Yet both didn’t have the protective security controls they deserved because their wasn’t enough budget for enough security.

Another element these incidents have in common is that they are both government facilities.  Yes, one was the Federal government and one was a local school district – but they both had the same problem of being short on budgets.  And when organizations are short on budgets, security is one of the first things to get their funding cut, or reduced.

Every facility needs a SECURITY risk assessment up front, how else can you allocate the funding and make sure that there is ENOUGH security in place to protect our most critical assets, our children?



Preventing Active Shooters – Schools Struggling to Find Solutions After Sandy Hook Shootings

We can control regular access to our facilities, schools and hospitals. We can have visitors sign into a visitors log.  We can take photos and ask for identification and lock the doors, but the Active Shooter doesn’t comply with any of these protocols and we have no control about when and where the Active Shooter may show up.

Here are some additional controls to consider if you need to improve your school or facility security.

1.  Put in Cameras that are actively MONITORED.  

For security experts, you already know this, but others might not know that cameras that just sit on the wall or ceiling only have 2 purposes:  (1)  To scare people into NOT doing something.  (2) To review after an incident happens and use to arrest someone.

Cameras can also be used to monitor what goes in – ACTIVE monitoring. This can be done in a facility, like a hospital, or company, and there are staff members looking at the camera visuals and watching for certain kinds of behavior.  This is also offered as a service.   Monitored cameras can alert police, check to see who’s entering the halls and actually respond and prevent Active Shooter incidents.

2.  Conduct regular training and drills for ALL STAFF and for all STUDENTS

People give lip service to training, but there’s nothing as effective as practicing for an active shooter.  It’s one thing to know where to go, or what to do, but it’s so much better to rehearse with a drill, have someone come in, unannounced and practice
moving to a safe area, practice locking down a school, hospital or facility.  This will expose all the weak areas, and make people more confident that they can deal with a bad situation and protect everyone.

3.   Have a clear NO WEAPONS – NO VIOLENCE Policy in place.

Policies are important because they say, “It’s a mandate, it’s a requirement” and that means most staff will comply with it.
No Weapons signs should be posted at all entrances.  Any violence should be reported and punished immediately.  This has a deterrent effect, as well as giving you the legal ground to stand on if an incident does occur.  It also makes staff and students feel safer.

4.   Know EXACTLY what the response time from the police department, in case an incident occurs.  

You can time your drills, you can have a conference with local law enforcement to trim down their response times.  You can pro-actively provide law enforcement and first responders with the building floor plans, or a digital map of the building.  These preparations shave crucial minutes off the actual response time in case an incident does occur.

Think about how many people a shooter can kill in ten minutes, more than 2 children a minute.  Every second counts so step up and add these four controls into your security control plans.

 

 

 

 



Assessing School Security Takes on New Dimensions after Sandy Hook Tragedy

After 30 years of security risk assessment experience and working with hundreds of schools, hospitals, facilities, I have to say that schools have not taken school security seriously.

Obviously there are the social pressures including mental health screening, proposed assault weapons bans, gun owner screening, etc., but these are the thing that won’t change overnight. EVEN IF THEY ARE LEGISLATED, it takes time to implement, and
implementation may not be perfect.

TODAY IS THE DAY TO DO A SCHOOL VIOLENCE ASSESSMENT – not tomorrow, not after new gun laws, not after the holidays — TODAY.

There are indicators you can look for to see if your school is at risk of an active shooter incident. And ways to be prepared if the unthinkable happens and an active shooter comes to your school.

Strong, simple access control is the most effective solution, and yes, this may mean that
a plain glass front door or window is not enough. Glass is easily broken, and yes, it means that all staff must be a little more accountable, and it probably means a red phone or connection to the local police.

There is a simple school risk assessment program that will give guidance on what you need to do TODAY, what controls you need to implement, what threats are most likely to occur. These can be accessed on the www.riskandsecurityllc.com website.

Some things are preventable, some aren’t. But lockdown drills, alarm systems, and active monitoring of cameras are just a few of the 60 controls every school should have in place to protect our precious children.

 

About Caroline Ramsey-Hamilton

Caroline Ramsey-Hamilton is a leading expert in assessing risk in different areas, including security risk assessments, workplace violence and security for hospitals, cybersecurity, nuclear security, and also measuring compliance with security standards like FEMA 426-428, Joint Commission, HIPAA and OSHA. She is currently working on a universal set of easy security tools that will make it easy to assess risk in a variety of companies, agencies and business. Her company, Risk & Security LLC, works with more than 500 clients around the world using a program that standardizes site surveys and assessments and makes it easier to compare facilities and measure their level of security. Caroline is a member of the ASIS Physical Security Council, the ASIS Information Technology Security Council, the Security Assessment Risk Management Association (SARMA), and a Board member of the IAHSS (International Assoc. for Hospital Safety & Security) in Florida. She received the Distinguished Service award from the Maritime Security Council, and the ATAB Distinguished Service award in 2011. You can reach Caroline at caroline-hamilton@att.net or thru her web site at www.riskandsecurityllc.com She posts breaking security & risk alerts at www.twitter.com/riskalert.

 



School Security Threat Assessment Program helps Schools Identity Weaknesses in Security after Sandy Hook Shootings

School Security Threat Assessment Program helps Schools
Identity Weaknesses in Security after Sandy Hook Shootings.

Boca Raton, Florida,  Dec. 17, 2012

 

Schools around the U.S. have found it difficult to put strong security controls in place because of lack of funding and resistance by parents and staff, who, unfortunately, saw physical security controls as too restrictive.

After the recent tragedy in Newtown, CT, it is critically important that every school do a security threat/risk assessment to see where their own vulnerabilites may be.

To address the situtuation and make it easier to do a simple, effective school security asssessment,  Risk and Security LLC
has announced a new School Security app, which can run on a tablet, smart phone or laptop.

The Risk-Pro for School Security© app is available for only $ 495.00 for non-profit healthcare organizations ($595.00 for others), and comes with an on-line user guide and free training.

The program is looks at the entire school,  addressing areas like access control, entry controls, and incident response.  The program was developed by Caroline Hamilton with the National Institute of Justice and Eastern Kentucky University to create an easy way for schools to use FEMA 428, How to have Safe Schools.

The web 2.0 program, Risk-Pro for School Security©,  is affordable and simple to use.  It includes fully-updated threat databases, and automated web-surveys  based on security requirements from FEMA 428.

“With 3-year old twins in my family, I was high motivated to make sure they are safe at their pre-school, and have fielded calls from dozens of security professionals who are worried about their children’s school security posture.   The Risk-Pro©  model has been used for easy software applications with the Department of Defense and over fifty hospitals, health plans and government agencies.
About Risk & Security  LLC

Risk & Security  LLC is a security risk assessment and risk analysis company with over 30 years of combined expertise in security risk.  It specializes in consulting on risk assessment projects and global application development of risk solutions.  Risk & Security partners with security companies around the world to provide state-of-the-art security expertise to analyze risk and recommend cost-effective countermeasures.

The team of risk and security experts is led Caroline Ramsey-Hamilton, who has created more than 18 security assessment software programs, and conducted more than 200 specialized security risk assessments in a variety of environments, including companies in the United States and around the world.

 

 

For more information:  caroline@riskandsecurityllc.com or

caroline@riskandsecurityllc.com



Maybe we’re just tired of “Serious”.

After watching the Sunday political shows, every journalist asks, “Why is the media so focused on the Petraeus Investigation?”

I have a defense for this:  we’re all tired of the REALLY IMPORTANT STUFF.

After the election, which felt like it lasted over a year, and then the worry about the impending disaster of the fiscal cliff (please, don’t say “PHYSICAL CLIFF”), maybe everyone is exhausted by the urgent and important issues and would just like a good old fashioned sex scandal. And we got one!

An amusing, lightweight story, where the main players are stereotypes themselves, the attractive, social-climbing women, the glamorous jet-setting generals, who take time out of fighting terror to send out sexy emails, is a delight after all the serious reporting of the last four months.

I think we should be able to enjoy it a little, and as Mr. Bennett said in Pride & Prejudice, ” For what do we live, but to make sport for our neighbors, and laugh at them in our turn?”.   And it’s the General’s turn!



Why the State Department Needs Better Threat-Risk Assessments

Obviously, the tragedy in Libya this week focused the world’s attention, not just on the bodies of our countrymen returning home, but made me wonder about the risk assessments and threat assessments that are routinely done in these extremely sensitive locations.

Unfortunately, the threat assessments tend to be more political forecasting and less about the reality of the situation on the ground.  One problem with these simple manual threat/risk assessments is that they take too long to complete.  Maybe they spend a few days looking at the physical controls, and then a week writing up a report, and much of it may rely on anecdotal incidents or reports of questionable value.

That’s why I am a believer in automating these threat/risk assessments, and in a potentially dangerous area like the whole country of Libya, they should be at least weekly, or bi-weekly, or even daily when tensions are running high.  It allows you to get a quick assessment in less than 30 minutes, and allows for quick updating, which is critical in situations like this week.

And no, I don’t believe a threat/risk assessment would necessarily PREVENT a terrible tragedy like the death of an American Ambassador, but I do think that having these updated assessments allows for safeguards to be continuously checked, measured and improved, and also may expose weaknesses that can be exploited by a terrorist group when the opportunity presents itself.

The practice of running continual assessments is not used very often, but when it is, it’s very effective because when the situation goes south, you already the blueprint of what to do right in front of you, and it allows better decision support under such stressful conditions.

The information-sharing done by different groups can be wrapped up in the risk assessment and combined, so that maybe a higher threat condition can be identified, in time to relocate, leave the country, or whatever else it takes to protect the lives of our diplomatic staff.

 



Why the HIPAA Risk Analysis should be finished by December 31, 2012

The federal regulators from the U.S. Department of Health and Human Services are from the Office of Civil Rights.  They think that breaches in patient information protection is a violation of the patient’s civil right!   Regulators commonly assess fees for non-compliance and some are as high as $4 milion dollars.

Because the OCR just came out with new Audit Guidelines this summer (email me and I’ll send you a copy), we all can see that the visits to healthcare organizations are still speeding up, and even more rules are coming this fall as they reconcile the HIPAA Security Rule with the HIPAA Privacy Rule with the Breach Notification Rule.  I call this:  MEGA HIPAA!

Because the current HIPAA rules have been in place for over ten years, and because the new Rules may be much more complex, it makes sense to finish your 2012 HIPAA Risk Analysis for either Security or Privacy, or both, before December 31, 2012.

My experience with federal regulators and auditors leads me to believe that a HIPAA Security Risk Analysis that is finished before the end of this calendar year will go a long way in reassuring regulators that there is, at least, a formal process in place to assess the risks to patient medical information.

A new software program is based on my original free Data Collection Guide,and can be used to complete these important security rules at a fraction of the cost of older, out-of-date risk analysis programs. Or do it on a spreadsheet.

Remember, you can also use it in your Meaningful Use Risk Assessment.  A two-for-one.

My advice:  Take the easy way out.  Finish the Risk Analysis!

 

 



After Aurora – Where Do We Go From Here?

Having written several articles on gun violence and remembering exactly where I was after Columbine, I know that very few security professionals are interested in restricting access to firearms.

But clearly this is terrorism.  This is murder.  All the outcry about abortion, and protecting fetuses, and there’s not even a peep when 12 young people are gunned down, having done nothing to deserve such a vicious fate.

So what we are talking about is HOW TO PROTECT THE PUBLIC from acts of terrorism and murder.

Anyway this could have been prevented?

1.  Now we know he was under a psychiatrist’s care, he should have flunked the assault rifle purchase test.

2.  If the theatre had true locking back doors, and alerts when they were propped open, he could not have
come back inside with his arsenal.

3.  If the back door had cameras and was monitored, he could have been caught, or at least, the public address system could have warned the patrons in the theatre.

Since none of these things were done, a terrible tragedy took place.

I think we are safer with cameras everywhere and active, real-time monitoring of those cameras.  I’m all for controls like panic alarms (which should be as common as fire alarms), and for annual security assessments.

Maybe we can learn something.



A Terrible Day in Colorado – Terrorism by Twenty-Something

Just saw that now 71 people were shot at the Aurora, Colorado theatre, and 12 have died, including children.

This is exactly the kind of incident that I used to think would wake everyone up to the dangers of NOT doing annual security reviews, and  NOT allowing everyone on the planet to stock their attic with automatic assault rifles, and instead, we are at an intersection in the national dialogue where talking about assault rifles, OR security controls, is something people would rather ignore.

Whether it’s the hospital security administrator who thinks posting a simple “NO WEAPONS” sign is too much security, to the facilities who deny the security officers any weapons bigger than a purse-size pepper spray, they are actually ENABLING security incidents of this type.

I heard these officials in CNN saying, “It’s not terrorism”!   It certainly IS terrorism.  It’s just domestic terrorism, but it shows you how easy it would be for a terrorist to walk into the US, buy some AK-47s and walk into a regional mall, a batting cage, a mega-church, a hospital, a sports arena, and proceed to kill dozens of innocent people in just a few minutes.

With 71 shot, and 12 dead, it is more deadly than your typical IED in Afghanistan!  It’s more deadly because their is human ‘intelligence’ (and I use the word loosely) behind the attack.  Instead of a simple detenation event, the shooter can choose victims, look them in the eyes and then kill them.

This is an intentional event by someone so lost that he didn’t even put up any resistance to police.  Why should he, he’s already made his statement and now has his 15 minutes of fame.   That is 5.5 people killed or injured for each 1 minute of fame.

If you are reading this today, you should do a quick risk assessment of your organization and make sure your staff are developing situational awareness, watching and evaluating what is going on around them.  It may make the difference between life and death someday.




top