Risk and Security LLC

Risk Assessments, Training and More

This content shows Simple View

risk assessment

Chemical Security Programs Affected by Government Shutdown

CFATS is an essential defensive program to monitor the security of the chemicals used in the U.S. CFATS stands for the Chemical Facility Anti-Terrorism Standards. The program is run by the Department of Homeland Security and is vitally important because chemicals can be used in bombs and chemical attacks.

To avoid giving terrorists and possibly drug dealers access to the raw materials that are used in the manufacture of chemicals, chemical facilities, like manufacturing plants, distribution centers, etc., are supposed to be actively monitored by security personnel who are trained in chemical security.

Fertilizer chemicals were purchased to blow up the Oklahoma City Murrah Federal Building. Chemicals are in every medication you take, including sensitive heart medication, and other pharmaceuticals that mean life or death to those to take them.

Rep. Bennie Thompson (D-Miss.) said in a statement to Global Security Newswire Friday that the incident at a fertilizer plant in West, Texas, “brought into focus the need to secure dangerous chemicals against accidental or malicious release or detonation.

Imagine if a terrorist was able to insert a poisonous ingredient in a statin manufacturing plant – over 15 million Americans now take statins to reduce their cholesterol.   Or imagine a poison ingredient put into pool chemicals, or something like putting water into jet fuel. Think catastrophe!

In fact, CFATS was just geared up because of a Presidential Executive Order issued in August, 2013, after the deadly blast in West, Texas that killed 14, most of them firefighters.  The order instructed federal agencies to review safety rules and create new strategies for plants that store hazardous materials. The order also included a review of potential new guidelines to improve storage and handling of ammonium nitrate, the explosive material that caused the West. Texas fertilizer plant explosion in April 2013.

Already this week, chemical companies that had DHS inspections scheduled for this week received notice that the site visits would be postponed indefinitely. Likewise, the review of security plan documents is also expected to be frozen, as DHS employees who normally do this work have been furloughed.

A critical meeting scheduled for this week, which included industry leaders, DHS, EPA and Occupational Safety and Health Administration officials  was canceled as a result of the government shutdown, which creates prolonged uncertainty for industry regarding what new regulations they might have to comply with and whether companies will have another opportunity to weigh in on possible changes.

Now the program has been shutdown and critical employees furloughed.

Chemical security is a critical chokepoint because of the potential for major disasters, whether accidental or intentional.

Security programs should be immune from political shutdowns that threaten the safety and security of the entire country.

 

 

 



Capitol Hill Security Incident Scares Congress- Could it Happen To You?

The Capitol Hill Security Chase and Shooting yesterday gave a bad scare to everyone – including Senators, Congresspeople, tourists, furloughed federal employees and staff who still have their jobs.

The atmosphere on Capitol Hill was already so toxic that almost everyone jumped to the (incorrect) conclusion that it was
a disgruntled voter, and so there was shock when:

1.  It was a young WOMAN
2.  There was a 1 year old child in the back seat
3.  The driver of the car was not armed and mentally ill, (probably schizophrenic).

Where are you going today on a beautiful Fall Friday?  Almost anywhere you’re planning to go has had a
major security incident in the past three years…. whether it is:

A school
A movie theatre
A mall
A hospital
The office
A public building
A hair salon

And if a security incident did happen where you were, are you confident you’d know what to do?

That brief incident at the Capitol showed how in literally one minute, the situation goes from what
passes for normal at the Capitol, to total chaos, fear and terror.   The situation was handled correctly.

The communications systems were in place to send out a quick “Shelter In Place” order, and to keep
people updated.   The poor tourists and staff who were walking in the area were laying on the ground,
hiding behind trees, and had no idea what was going on – so they probably experienced the greatest fear.

The Capitol Hill police, the first responders, were probably not expecting to have the driver be a woman
with no political agenda, if you see a car trying to rush a barracide, the logical assumption is that they
have an explosive device and are trying to get closer to the target, but that was no true in this case.

So before you venture out for the weekend, keep these tips in mind, write them down and keep them in your purse or wallet.

1.  Be Situationally Aware – note where you at all times, how close a door is, or an alternate route for
your car when you’re in traffic.

2.  Spend 30 minutes deciding how you would react in an emergency shooter situation, and make a plan,
like deciding to use your car keys as a weapon, or keeping pepper spray in your purse.

3.  Remember to turn the sound off on your cell phone, if you’re caught in a developing security incident.

4.  If police are on the scene, follow their directions quickly and exactly.

5.  Have a local emergency number pre-set in your phone so you can call for help.

As they find out more about the Capitol Hill incident, this will probably be catalogued as an isolated incident,
which took place at a very inappropriate time, and a very inappropriate place, but it’s another wake up
for everyone.

Everything can change in a New York minute — be ready, just in case it changes for you!

 

 



Has it Been Only Two Weeks since the Navy Yard Shootings?

 

When i wrote my blog about the Shootings at the Washington Navy Yard on September 16th, I got some nasty notes about “Why did you have to write about this so soon after it happened?”

Well – I guess the fact that after about 15 days, no one can even remember the incident (8 people shot to death); the name of the shooter (Aaron Alexis), or much of the details.  It seems that people have decided that it was a mentally distributed person, so couldn’t have been prevented.  This is completely wrong.

One of the issues that security directors have is how to make their organization aware of the active shooter threat without terrifying them.  How do you get a large group of people out of the “It can’t happen here” mindset?   One of the main ways to bring an issue back home is by using the incident as a security awareness notice.

Write a “Lessons Learned” email and send it to everyone in the organization.  Follow it up with a purse and wallet card with reminders on what to do when faced with an Active Shooter situation.

NavyYard-smallKeep everyone informed on what happens after the incident – how the injured are doing, and more importantly, what changes the organization has made to ensure that it won’t happen again.

Try doing a simple threat-risk assessment to illustrate to management what the chances of having an active shooter incident actually are, based on the industry, the region, and the number of problems/complaints that employees have expressed in the past.

Don’t let anyone forget that this can happen to any organization, no matter how well funded, or how secure they think they are.  Remember, if it could happen in a DOD military facility – it could happen to YOU!



Navy Yard Shooting Highlights Effect of Cuts to Navy Security

Security professionals around the entire were shocked and dismayed when they turned on the news and saw the historic Washington Navy Yard locked down, surrounded by emergency vehicles, and looking for an active shooter.

All the shock, the outrage, the Defense Department reaction, the involvement of the overlapping law enforcement jurisdictions, has apparently been already forgotten by the public, moved to the virtual ‘old story’ pile by the latest news of a mall shooting in Kenya, meeting at the UN, and the politics as usual in Washington DC.

If you graph it online, you can see the dramatic spike and then the dramatic drop-off in interest by the general public. This highlights what the security community has to deal with, in the context of a 24 hour news cycle.

My perspective on the event was personal because one of my very best friends was in Building 197 that day, a former navy commander, now a contractor, who went to work at 5 am that morning, and finally returned home at 9 pm that night.  Unlike many shootings, the PCs, smartphones were all up and operational during the event, so people were instantly able to communicate with friends and relatives as the event unfolded.

NavyYard-smallRumors ran rampant that it was terrorism related, that there were three shooters, then that rumor switched to two shooters and eventually to only one shooter, Alexis Aaron, a mentally disturbed young man who had previous events of gun violence and yet had a top secret security clearance at the time of the shooting.

If we took a poll three weeks ago and asked people which facility would they judge to be the safest, the results
would probably look something like this:

1. Military Base in the U.S.
2. Hospital
3. Regional Mall
4. Police Station

Unfortunately – this is more like a list of the places where a shooting is more likely to take place.  As all the work in workplace violence statistics shows, a domestic Military Base has been the site of two mass shootings in only the last 4 years.  This includes the twelve killed and eight wounded at the Washington Navy Yard, as well as the thirteen killed and twenty injured at the Fort Hood shooting in late 2009.  That’s an average of 6 killed each year, and 8 injured, and doesn’t take into account any random shootings, training-related injuries, only the mass shootings.

Hospitals have increased in violent incidents every year for the last ten years, and we just witnessed a mass shooting at a Kenyan Mall.

However, the hospital and the mall are both completely OPEN, they want people to come in, they don’t control access at all.
This is what is so surprising about the Navy Yard shootings, the lack of security, lack of enough armed guards, lack of current background checks, lack of metal detectors, lack of retina scanners, and every other usual form of security control.

Speculation is that the key controls were missing because of budget cuts, which means that the Navy made the decision to reduce security controls, instead of cutting other, less critical programs.  The incident makes a strong case for examining the potential Return on Investment for security controls!

Even if the shooter’s background check was “current”, it certainly had not been updated based on his own recent events, and brushes with the police, and, of course, the anger and mental health problems appears again, and is shrugged off as too tough to manage and track.

However, it is a wake up call for the U.S. Navy, the Department of Defense, the U.S. Capital Police, and a variety of other organizations who “Secure” the Washington DC Capitol zone, and it leads to more questions than answers.

Already, the questions are starting about what controls SHOULD be in place for all military bases, and, naturally, re-examining the background check process and how it could be updated and improved.

Let’s not forget this time.

 

 

 

 



Last-Minute HIPAA Compliance Tips

With only 2 weeks (15 days) left to meet the HIPAA Omnibus Rule, let’s say you
have done everything you could possibly do, to be in full compliance with every
part of HIPAA:

1. Finish a current HIPAA Risk Analysis – CHECK

2. Rewrite Business Associate agreements – CHECK

3. Rewrite Policies & Procedures – CHECK

4. Get PHI off the office copiers – CHECK

5. Gather Documentation in one place – CHECK

6. Start HIPAA Security Awareness Program – CHECK

7. Update HR Sanctions Policies – CHECK

8. Finalize Contingency Plans – CHECK

9. Add more encryption – CHECK

10. Implement Plan for Smartphones & Mobile Devices – CHECK

11. Have staff sign new Affirmation Agreements – CHECK

And in spite of your careful preparation, you walk into work on Monday, and the OCR
regulators are sitting in the Lobby, and they’ve been there since 7:00 AM!

No matter what else you have done, or started, and have not done, your insurance policy is to be
able to pull out your most current (in months, not years) HIPAA Risk Analysis and then pull out all
your supporting documentation including:

1. All information, including network diagrams, on where the PHI is on your network, and the
automated network controls you have implemented.

2. A record of every application, every database, etc. that hold PHI, are used to create,
manage, or share PHI, in both electronic and paper form.

2. Rosters going back 3 years of everyone in the organization who’s taken HIPAA training.

3. A copy of the Policies and Procedures, and Security Plans, printed out and labeled in 3-ring
Binders.

4. List of all HIPAA controls that are currently in place and verification documents.

5. Copies of all Business partners agreements and contracts

6. A notarized statement signed by the Board Director, CEO or Administrator formally
stating the organization’s Commitment to HIPAA Security & Privacy & Omnibus Rules.

7. Copies of recent employee surveys validating their stated compliance with all HIPAA
Security, Privacy, and Omnibus Rules.

All of these elements should be printed in their most current versions and put in D-Ring
binders, which you will pull out of a cabinet designed for high security.  Nothing thrills a regulator
or auditor more than getting everything you ask for in a neatly labeled, giant 3-ring binder.
It says “PREPARED” in a way that having files on the network never will.

And, BTW, you HAVE completed all these steps – right?

For More Information, Contact Caroline Hamilton at caroline@riskandsecurityllc.com



My Pool got Hit by Lightning – Are You Next?

My swimming pool got hit by an adjacent lightning strike!   The lightning strike hit a tree about 6 houses down from my home in Maryland.  I heard the lightning strike at the time (midnight), and I still remember that it was so loud the beagles dived under the bed.

But the next morning, when I woke up, I looked out from my 2nd floor window and saw something that looked like two fried eggs floating in the pool.  It took me about 2 minutes to realize that they were the pool lights, floating in the pool, still tethered by the electrical lines.

The lightning strike was so sharp and close that it broke the lights out of their plaster enclosures and now there they were, fully electrified, floating right in the water.  It took me eight calls to find someone who would come and fix the lights, turn off the electricity and get the lights out of the pool.

If a lightning strike could do that from 6 houses away, what could it do to a person? Because it’s Lightning Safety Week, I looked up some interesting stats from the National Weather Service – check out these stats:

Your chance is being struck by lightning in your lifetime is 1 in 3000!

From 2006 – 2012, about 2300 people were struck by lightning and 238 people were struck and killed by lightning in the US.

2/3rds of the deaths were to people enjoying outdoor leisure activities.

82% of all fatalities were to men.

70% of the lightning deaths occurred in the months of June, July, and August.

Only 10% percent of people struck by lightning actually die, but 70% of those that survive

a lightning strike have serious long-term effects from the strike, including fear, depression and debilitating physical injuries.

STAY SAFER THIS SUMMER, and teach these tips to your kids, too.

  • Get out of pools, away from beaches, lakes or ponds.

  • Never stand by a tall tree during a lightning storm

  • Drop or get away from metal objects like golf clubs, umbrellas, etc.

  • Get indoors or into your car if you can’t get inside.

  • Stay indoors for 30 minutes after the last flash you see.

 

And have a wonderful, active summer?



NSA Hearings on the Hill

NSA is answering questions this morning about their mega data collection of phone call destinations, before the House Intelligence Committee.

Having worked with NSA for years, I decided to watch the hearings and hear what General Keith Alexander had to say.   Of course, I have a family history with congressional hearings.

For myself, I’m in total agreement with NSA that they should be LISTENING, COLLECTING and ANALYZING intelligence so we can know what is happening all over our complex world and be in a position to prevent catastrophic attacks by those terrorists using their religion like a free pass to kill, maim and attack.

My father died over ten years ago, but one of my favorite memories of him is that is, while he was suffering from cancer, he never missed a Congressional hearing.  He sat with a TV Tray in front of him, with a stack of monogrammed notepaper, envelopes and stamps.

As the hearings progressed (I especially remember him watching Iran-Contra), he would write to each of the congressmen and senators, telling them how he judged their questions, writing to them about mistakes he thought they made.  This was true democracy in action.  From his pen right to the powers-that-be.    And he took his responsibility in this very seriously.

I hope everyone starts watching, learning and taking their role in our democracy as seriously!  An attention-seeking junior technician is having his 5 minutes of fame, and I hope that the great work of the US intelligence community is not going to be slowed down or damaged by his thoughtless disclosures. He should start writing letters to HIS elected representatives.

 



Oklahoma Tornado, Boston Bombing, Young Soldier Killed – It’s time to do a Security Risk Assessment!

More Tornado victims will be buried this week.   Including many children who died at their schools because the school district didn’t spend the extra $3000 to have a storm cellar/safe room available.

One month ago, we watched as victims of the Boston Marathon Bombings were buried.

Yesterday, we watched an Islamic Jihadist savagely kill a  young British soldier with knives.

What other events do we have to witness before we start taking security assessments seriously?   How many more grieving parents do we have to watch crying on TV and, in my opinion, the casualities did not need to be so high and the aftermath so catastrophic.

If you group all these disasters together, you can that at the root of each one, is the feeling that, “IT CAN’T HAPPEN HERE”…..    Britain, for example, has tolerated mosques preaching hate, thinking that nothing like the knife attack could happen in civilized London.

In Moore, Oklahoma, people thought, “we already had a major tornado, so IT CAN’T HAPPEN AGAIN”!  Well, surprise – it happened again.  While forecasters cannot dictate the exact path of a tornado, they can get close, and with just fifteen minutes advance warning, there is  time to get everyone into storm cellars, safe rooms and underground shelters.  BUT IF THERE IS NO SHELTER AT A SCHOOL…….

Many obvious solutions-controls-safeguards were missed in these recent tragedies because proper, formal security risk assessments weren’t done effectively.  If they had been done, perhaps the London police could have picked up someone who touted murder and hate.

If a risk assessment had been done in Moore, OK, maybe the high risk of a tornado would have allowed the schools to all add the safe rooms they needed, and in Boston, the older brother Boston bomber, should have been in jail already for his participation in a previous murder – or at least actively monitored based on his facebook postings.

The clues are all there, and, looking backwards, you can see the pieces that SHOULD HAVE BEEN ENOUGH TO PROMOTE some kind of action to either:

        1. Eliminate the threat  or, 

              2. Reduce the severity of a potential threat in case it occurred.

Security risk assessments gather the numbers and the information organizations need to make better choices about how to protect people’s lives, facilities, and organizations.  I hope these events will prompt more Security Directors to take an objective and unbiased look at their own organizations, and the controls they have in place, before you end up on CNN!

 



The Active Shooter – What’s the Right Response? Run Out or Lock Down?

I got to sit in on a security group discussion yesterday.  It includes both security directors and local law enforcement and It was interesting to see how both groups approached the active shooter scenario differently.   Which way is the best?  Is there a best?

For law enforcement officers at both the state, city and county level, they want all doors to be unlocked so that all the occupants of a facility, or a hospital, can get out and run for safety as quickly as possible.   They say that means more people will survive, not get shot, and it works with the natural human reaction to run away from danger.

Some of the active shooter experts in the room said that active shooter situations should be treated like fire drills, because people are used to fire drills, and they know what to do, because they practice fire drills more frequently than active shooter drills.

For the Security Directors, especially of hospitals, they wanted to be able to lock down if there was an active shooter call in their facility.  They felt that there were problems in evacuating quickly, and some were concerned about leaving bed-ridden patients behind while the clinical staff run out of the building.  So they advocated locking down all doors instantly.

While the heated discussion continued for almost three hours – at the end there was no “BEST” solution.  Each Security Director or Manager will have to decide for themselves which approach is right for their organization.  The important thing is to think it through in advance, prepare people in advance, and take advantage of the great materials that are available to help organizations prepared.


Get more information including videos, training materials, on line courses and more at
http://www.dhs.gov/active-shooter-preparedness.



Benghazi Hearing Demonstrates Attack Uncovered A Fatal Lack of Coordination & Funding for Embassy Security

Just two weeks ago, we were talking about the lack of coordination between DHS agencies and known intelligence on the brothers responsible.

Now we have the Benghazi Senate hearings, and here is the same problem again – lack of coordination between different parts of the State Department, and with the Defense Department, AND with the CIA and the intelligence community.

Add to this, the appalling cuts in funding for diplomatic security, and a flawed process about what needs to be done about security and protection to our embassies around the world.

“In these tight budget times, the committee has had to make some tough choices to prioritize funding.”, said a GOP aide in The Hill article (GOP cuts to embassy security draw scrutiny), by Alexander Bolton on September 18, 2012.   In spite of the uncertainly of the Arab Spring, the demonstrations every Friday in streets from Bahrain to Tunesia, the embassies had their budgets cut.

Of course, security experts are used to this, security doesn’t directly generate revenue, and it is often one of the first functions on the chopping block.  However, to cut funding to the critical embassy functions in this volatile environment, is obviously a very bad decision on the part of the GOP.

For example, the security risk assessment which are routinely done on these embassies are not done on a systematic basis.  As a risk expert, these security risk assessments should be done WEEKLY, and they should be automated so they can instantly be compared to environments in other embassies, and comparisons made by month, by year, and trends can be tracked.

If we can’t afford to do these assessments and just as important, if we can’t afford to fix the problems that assessments reveal, then we should not have embassies in these places.

The security risk assessments that are done properly must also include complete threat assessments.  “We need to develop a paradigm for managing risk“, said Gregory Hicks, a Foreign Service Officer who testified today on Capitol Hill.

These paradigms for managing risk already exist and they have been totally ignored by the State Department, which makes it almost impossible to get a clear, unfiltered view of the security situation at any embassy, at any point in time.

At least both sides of the political aisle agree, we do not want this to happen again!  Benghazi is not a political problem, it is a massive security failure problem!

 




top