Risk and Security LLC

Risk Assessments, Training and More

This content shows Simple View

Corporate Security

Hotel Bombing in Jakarta – A Dangerous Trend

The hotel bombings yesterday were a bad sign. According to an article this morning in USA TODAY, both hotels had been assessed by iJet, a security and intelligence company based in Annapolis, and had received high ratings, said iJet president Bruce McIndoe. The fact that Friday’s blast didn’t do more damage shows those measures were effective, McIndoe said.

“(With) the new security procedures, all they could do is get suicide bombers in and blow out some windows,” he said. “You can’t stop it — there’s no 100% foolproof way. But they’ve minimized the impact. It was a fairly sophisticated operation. (The terrorists) put a lot of time and effort into this, with very little outcome (in terms of ) death and destruction.”

McIndoe is correct that there wasn’t a catastrophic loss of life in these bombings and the damage was relatively minimal. I started to review some of my hotel experiences and see how much security COULD you put into an international business hotel. If the bombers took the bombs right up their rooms in their suitcases — there are a couple of obvious next steps.

1. All luggage gets turned over to hotel staff at the curb, or entry area, and
then is screened in an anteroom before it is taken up to the room by the hotel security staff. That seems to be a relatively easy program to implement, and would dramatically improve security.

2. Bring in the x-ray scanners and all visitors go thru the metal detector and have luggage, briefcases and shopping bags inspected upon entering the hotel. This would be more expensive and intrusive, but probably more effective and just one more travel inconvenience to get used to.

We have a model developed for hotel and casino security. The hotel/hospitality model is a little more complicated than your average business facility because it has more than one purpose. What I mean is that a business is usually set up to conduct business — but a hotel/casino has several lines of business including overnight room business; gambling; shops; restaurant business and also meeting business. All these have different objectives and they are influence the other business lines.

The maids, maintenance personnel, engineers, waitresses, cooks, etc., are all local elements that could potentially be used to gain access for terrorism purposes. Everyone has a cousin somewhere that may use family ties to get access to even a secure facility. The stowaways that get into ships, are almost always the result of the exploitation of family ties.

Better background checks conducted on hotel personnel may be another area that needs work, and would probably improve the hotel’s bottom line because other areas such as cash-handling and letting friends access empty rooms could also be improved at the same time.

Having stricter access controls and luggage/package controls at hotels would just extend the aggravation of current airport security programs right to your next hotel. Let’s hope it doesn’t come too soon.



Building a Model for Security Governance, Risk and Compliance

I recently began to think about how to integrate security seamlessly into an organization — without having security activities and processes pigeonholed into a stovepipe like physical security (the 3 Gs, guns, guards and dogs); or in the rarified atmosphere of the IT Department.

Other business processes are already thought of as an integral part of a business.  Think personnel, finance, shipping, sales.  All basic parts of any organization, including government agencies (which are another kind of business), have these different categories but security is never mentioned as one of these basics.

Of course, my readers know that none of the other pieces would get very far without good, or even great security.  You can’t run an organization without locks on the doors.  You can’t run a network with security controls or it would just collapse into a heaping pile of spam within a few hours and become totally useless.

So if we wanted to integrate security and use the risk assessment process to do it — what are the pieces we would integrate?   One night over dinner with other security people, we started to build a security model, which could then by assessed and each category would have steps which could be combined to create THE PERFECT INTEGRATED SECURITY GOVERNANCE MODEL!!

I am open to suggestions about other aspects but here’s the list of the ones we started off with:

1.  Access Controls

2.  Accountability

3.  Budget/Fiscal Responsibility

4.  Compliance

5.  Information Technology

6.  Investigations

7.  Measurement/Evaluation

8.  Personnel Management

9.  Policies & Procedures (Ps & Ps)

10. Risk Assessment & Management

11.  Security Planning

12.  Training and Awareness

In the model I’m proposing, each of these areas could by quantified into a 5-step program with zero meaning no progress in that area, and five meaning it has been integrated into the organization as a standardized, budgeted process.

Send me an email if you’d like to see a graphic of the model.  The point of a model is to get an idea of where you are on the pathway to integration of the security model into the business process.  For example, you could find out that you doing great on access control and technology, but not so good on accountability or awareness.  Then you could put more emphasis, or resources into those deficient areas.

If you’ve ever read this blog before, you know that my mantra is, “if you can’t measure it — you can’t manage it” (quote by the late, great Dr. Peter Drucker).

While listening to talk radio people discussing the problems of AIG, I heard another great line, “Companies that are ‘to big to fail’ … are probably ‘to big to manage’.   And that’s probably right, because those companies, with tentacles out into industries all over the world, are probably ALSO TOO BIG TO MEASURE!

So having metrics applies to all these corporate processes and managing security using metrics must be an idea whose idea has come.   Often the security departments in companies are isolated from the C-level and may not be included as often as other corporate or department managers are.    This is why the breakdown occurs that leads to weakness in compliance with regulations, which can destroy the entire organization, or, if you’re a bank, can lead at a CDO (Cease and Desist
Order).

Often these twelve critical security elements are absolutely essential to the running of the organization and that is why it is important to create a management model to measure how they are working in YOUR organization!



A New Model for Assessing Corporate Security

Corporate Security — that is, what the federal government calls “Physical Security” has long been treated as a uneducated stepchild by the information technologists.  The old perception that Corporate Security is just about guns, guards and dogs is just not true anymore.   Instead, physical security has taken full advantage of the computer revolution to create security controls that run on computer networks and do amazing things like creating electronic perimeters inside hospitals (for visitor management); ID visitors and track vehicles and biometrically identify individuals.

Corporate security directors I have known are invariably smart, savvy and computer literate.   Here’s a look at the difference between the OLD physical security operations and the NEW corporate security organizations.  The OLD PS operations usually operated out a guard shack or basement office and the main activity was badging in security guards and checking badges.  The NEW PS operations are run out of a high tech command and control center and the Security Directors often have authority for not only security but also Risk and often, information security.

These Security Directors are very conscious of how to improve their department’s performance and they are getting involved with benchmarking and automating many of their functions, including their security risk assessments.  Not like the old site surveys you see on TV, where the person is walking through the dark high rise in the middle of the light, flashlight flashing. 

We have been working on a model that could easily show the main areas of corporate security and a model a company could use to track exactly where they are in the process of creating an optimum security organization.  We call it the “Corporate Security Governance Model” and it tracks twelve elements of security through five levels:

        1.  Just Starting (Incomplete) – No Commitment of resources to perform and manage this function.  No corporate sponsorship or awareness of it’s importance to the organization.       

        2.  Performing – Rudimentary start to incorporate this element into the security program.  Function may have been done once, but there is no repeatability or management commitment.

        3.  The organization has assigned a manager to create a process for this security element.  Funding  is available and management has been briefed.

        4.   The element is recognized formally in the corporate policy and has been funded. Training has been introduced and metrics identified.

        5.   The element has become part of the company culture as policy and has training and funding which occur automatically.

There are a nine elements which are tracked across the five levels above.   We need to add three more — so please send me your comments on what those should be.

As of today, here are the different elements:

1.  Access Control
2.  Compliance (Regulatory)
3.  Information Technology
4.  Loss Prevention
5.  Materials Management (looking for a better phrase for this)
6.  Personnel
7.  Policies and Procedures
8.  Risk Assessment & Management
9.  Training and Awareness

Each of these elements will be explained with the actions to be performed, or improved, at least level and the idea will be that a corporate security organization will work toward getting all 5’s across the board.  

What elements are we missing?   Please post your comments or email me directly at:  chamilton@riskwatch.com and I will send you a copy of the model, which is a work in progress.

I think a model like this can be populated and automated so that an organization can get a fast 10 minute read that gives a snapshot of the security governance of the organization under review.

The next step is creating fixes for each of the steps so that it makes moving along the continum easier and faster.




top