Risk and Security LLC

Risk Assessments, Training and More

This content shows Simple View

RiskAlert

Man Makes Meth in his Car in Hospital Parking Lot

Hospital security cameras showed that a
33-year-old man was making meth in his car in the facility’s
parking lot before the vehicle became engulfed in flames.
The man was burned over 80 percent of his body and
later died of his injuries. The car, which was in the Horizon
Medical Center lot, was captured on security video that
showed the man mixing ingredients just before there was
fireball inside the car. A sheriff’s office detective working
security at Horizon requested assistance to put out the fire.
In examining the site, he noticed canisters and other possible
drug-related items in the car and called the drug task force,
according to news accounts



Use A Data-Driven Security Program to Transform Organization Security

Data-Driven Security

How to Target, Focus and Prioritize
The Security Program

  by Caroline Ramsey-Hamilton

Management has to have Metrics

Management of a security program is no different than management of cash flow, employee productiveness, profitability, or any other set of metrics that organizations use to measure how well something is being done, and how it could be improved. Historically, however, security has been run by a few unique professionals, perhaps with a military or law enforcement background and the security program has existed in a vacuum, with few ways to measure it’s effectiveness and value to the organization, except to list what hasn’t happened!

Security officers may complain that management is not listening to their complaints, including not making enough money available to implement new technology, or to fix a loophole that has the potential to create havoc in the organization. Many security conferences feature sessions with titles like “How to Sell Security to Management” and try to address this disconnect between senior management and their security programs.

Peter Drucker, the world famous management consultant, said “If you can’t measure it, you can’t manage it.”

Very recent improvements in security technology, camera technology and its integration with computer networks and information security has allowed a massive amount of data to be collected.  Everything from digital images, to incident reporting and tracking, and even internet-based reporting of technical vulnerabilities, allow management metrics to be applied to the management of the security program to target the program to be maximally effective, to focus the available dollars in the areas which would provide the most protection for the least amount of money, and to prioritize the controls that need to be improved or implemented, based on their return on investment.

Security has never been more important to the organization. Many court cases recently have been decided on the basis of whether the organization was using ‘due care’ and utilizing every ‘reasonable’ security precaution. Existence of adequate security has become very important in premises liability cases and will likely become equally important in future litigation.

Risk assessments are the foundation of a data-driven security program. Through the process of risk assessment, managers can measure the effectiveness of the organization’s total security program, including analyzing the value of the organizational assets, the threat level (based on the mission of the organization), the existing vulnerabilities, and the effectiveness of existing controls. Basing the risk assessment on the concept of data-driven security means that real numbers are used in the following areas:

1. Determining the value of the assets of the organization, including the facilities, the personnel, products, production facilities, raw materials, transportation, vehicles, information technology equipment, data and information. In additional to quantifying present day replacement value, the sensitivity of various information assets and a determination of their criticality to the main mission of the organization must be determined.

2. Analyzing the Threat Level affecting the organization, including analyzing of incident report logs which would indicate how many potential intrusions have been attempted, as well as an analysis of physical intrusion indicators, such as missing badges, any security incidents, and any indications of industrial espionage which have been reported, either at the facility under review, or at any of the organization’s other facilities. Industry data on intrusions in similar companies or analogous agencies is also very helpful in determining threat level.

Many companies now use reports which quantify threat data, including statistics on criminal activity by exact location, by zip code (such as the Uniform Crime Index) as well as many information sources of weather data, such as NOAA (U.S. National Oceanographic and Atmospheric Administration, various international associations and government agencies.

3. Identifying vulnerabilities in the organization, including surveying individuals at every level of the organization, from the receptionist to the CEO.  To ascertain the weaknesses in the way the employees comply with security, there are new electronic survey tools,( like Risk Watch®)  which measures security compliance against published standards such as FEMA 426, (How to Protect Buildings Against Terrorist Attacks). control standards.  New regulations, like Joint Commission, Behavioral Health and Workplace Violence (OSHA 3148) require such compliance-based
baseline assessment surveys.

4. Identifying potential categories of loss, which would include components like direct losses (damage/destruction), injury or death to either staff or patients/customers/vendors; theft of property or product,  theft of data/information,  and loss of an organization’s reputation. These loss categories are used to quantify the effect of threats on the organization because you can estimate the loss impact on various functions of the organization.

5. Safeguards (Controls) include all the possible controls that could protect an organization either by reducing the likely of a threat occurring, or reducing the amount of damage that the organization sustains from a threat that materializes. Controls are quantified by:

a. Life Cycle of the Control – How Long They are Good for.

b. Cost to Implement the Control to 100% in the organization

c. Indication of the percentage that the control is already implemented in the organization

By accumulating data in these 5 categories, it becomes possible to run scenarios that pair the threat and vulnerability, match it to organizational assets, analyze the loss potential, and evaluate the cost effectiveness of a variety of different controls.

Advantages of a Data-Driven Security Program

The primary advantage of a data driven security program is that it provides support for the security function within the organization by being able to illustrate directly how security not only protects the organizational assets, but also, how the security profile changes over time.

In addition, it becomes possible to benchmark the various plants and facilities against themselves, and against both domestic and international standards, including military standards for the Defense Industrial Base. For example, if a multinational company with facilities and networks around the world can analyze their security based on the principle of a data-driven security program, then they can instantly identify the areas or facilities that have problems and address them much more quickly and effectively than they could if they were depending on a fuzzy, quantitative assessment method. When an organization makes the decision to adopted a more disciplined approach to analyzing security risk, they must also use all the other typical management functions such as planning, development of a budget and incorporation of the plan into the organization’s overall planning.

After the initial baseline risk assessment, and using the input from the analysis, the organization can began to develop implementation strategies to address the vulnerabilities identified in the assessment. As each vulnerability is addressed, cost-effective mitigation strategies can be put in place.

At the same time,  the security plans and policies can be measured so that policy changes can be made, if necessary, or training and awareness programs can focus in the areas that need reinforcement with the organization.

The Security director, using his already established budget and implementation timelines for each safeguard, can then manage the improvements, using either internal staff or he can make the decision to outsource the additional controls (or their implementation).

These improvements can be tracked themselves, to establish how effective they are in their individual tasks, and also can be periodically re-assessed to see how the organization’s total security profile has improved.

The first benefits from a data driven security program emerge during this implementation phase because not only can you measure how much more effective the new security configurations are, but there is an additional value-added component of
re-acquainting the employees with the security program and increasing awareness across the organization.

To ensure continued value in the program, collection mechanisms such as automated incident response, threat reporting and vulnerability reviews must be automated. There are new security software programs that evaluate and analyze these types of data and can dramatically increase the effectiveness of a data-driven security program.

This type of data-driven security program creates a security program that becomes a baseline for management to quickly assess the security profile of the entire organization.  It makes it easier to provide a safe, and secure workplace for both management and employees, and may decrease the possibility of a workplace violence incident, theft or domestic or international terrorist attack.

This data-based concept of risk management creates a bridge between executive management and the security professionals in the organization who now have an avenue for open communication, discussion and consideration of the role of security throughout the organization.

 

About the Author

Caroline Ramsey-Hamilton is the founder of Risk Watch International, and a leading security risk assessment expert.  She was a Charter member of the National Institute of Standards and Technology’s Risk Management Model Builders Workshop from 1988 to 1995.  From 1996-1998, she served on the working group to create a Defensive Information Warfare Risk Management Model,  (DIWRM2) under the auspices of the Office of the Secretary of Defense.  She was also a member of the National Security Agency’s Risk Rating Workshop and the IBM Data Governance Working Group to create a Data Governance model for the nation’s largest banks.

She has developed specialized risk assessment programs for HIPAA, Information Security, FFIEC, GLBA, Sarbanes Oxley, and corporate security programs including working with The Clearinghouse, large investment banks, the Federal Reserve and a variety of other Federal agencies on Risk Assessment guidelines.   In addition, she is a member of the ASIS Physical Security Council, SARMA( the Security Risk Management Association) based inWashington, D.C.  Ms. Ramsey-Hamilton is certified in Homeland Security and Anti-Terrorism and recently received a lifetime achievement award from the Anti-Terrorism Accreditation Board and the Maritime Security Council.

Hamilton works around the world on critical risk issues including a new set of risk assessment guidelines for the Nuclear Regulatory Commission, a risk model for airport security and a risk model for medication error with Philadelphia Children’s Hospital.

She has completed Risk Assessments for over twenty-five U.S. government agencies including the Department of Defense, the Technical Support Working Group, and the Nuclear Regulatory Commission, and many healthcare organizations including Cleveland Clinic, HCA, Sheikh Khalifa Medical City, the University of Miami Medical Center and many more.  She has written several books and articles over twenty-five different publications.

www.caroline-hamilton.com

caroline.r.hamilton@gmail.com

 

 

TWEET: http://twitter.com/riskalert



Threat Modeling is the Exciting, Sexy Part of Risk Assessment

As a risk assessment professional, when I get into a risk discussion, most security people want to talk about THREAT!  Threat is the most sexy and exciting part of doing a risk assessment.

Threats are exciting all by themselves.  Think about all the threats you can name:

All the natural disasters like Earthquakes, Tornadoes, Storms, Hurricanes, Tsunamis, Lightning, Floods

Crimes like Homicide, Assault, Rape, Burglary, Theft, Kidnapping, Blackmail, Extortion

Terrorism like Sabotage, Explosions, Mail Bombs, Suicide Bombs

All the IT Threats like Malicous Code, Disclosure, Data Breaches, Theft of Data

And about 50 more including Chem/Bio incidents, Magnetic waves, High Energy Bursts, Microbursts, Contamination and Reputation Damage.

Each of these threats could theoretically occur at any time, but we try to establish a pattern of how often they have occurred in the past, in this location, in this county, in this country, in the company, etc.   So NASA, for example, gets thousands of hacker attacks, but another company, like the local Salvation Army, gets 1 every 10 years.

Same model for natural disasters, although you might have to factor in climate change, it’s easy to get the threat incidents for hurricanes in Florida, snow storms in Cleveland, earthquakes in northern California, etc.

We also like to examine industry specific data to see if some threats are higher in a certain industry, like the high incidence of workplace violence incidents in hospitals and high risk retail establishments (like Wawa or 7-11).

Another factor we use in calculating threat likelihood is how the threat could actually affect different types of assets…. for example, would an earthquake damage a car?  Probably not. Would it cause damage to an old historical building – probably (unless it had been retrofitted).  Could it cause loss of life, or injuries (think Haiti).

So I use a multidimensional model that takes the threats list (I have a standard list of 75 threats that I use), and map it to each potential loss, based on the ‘asset’ that might be affected.

The more data you get, the better your model will be, and the more value it will have as a decision support tool!

 



Why Violence in Hospitals is Increasing

Why Violence in Hospitals is Increasing

Violence is not a concept that people usually associate with hospitals.  For years, hospitals have been seen as almost a sanctuary of care for the sick and wounded in our society.   However, the perception of hospitals has been changing over the last fifteen years due to a variety of factors. 

  1. Doctors are no longer thought of as “Gods”.  This means they are
          are more easily blamed when a patient’s condition deteriorates.
     
  2. Hospitals are now regarded as businesses.  This perception has been
           been aggravated by television in shows like a recent “60 Minutes”, as well as
           by the effects of the recession on jobs and the loss of health insurance.
  3. Lack of respect and resources (funding) for hospital security departments
         
    Rather than being seen as a crucial protection for the hospital staff and
          patients, many security departments are chronically underfunded and used
          for a variety of non- security functions, such as making bank deposits for
          the hospital gift shop. 
  4. ASIS Security Association issued it’s industry guidelines for Workplace
         Violence 
    Prevention in September 2011, in conjunction with the SHRM – the
         Society for Human Resources Management to address this issue.

    The federal government   issued a guidance document for dealing with violence issues in healthcare,   OSHA 3148.01R, 2004, Guidelines for Preventing Workplace Violence for Health Care & Social Service Workers.

To Learn more:  join my webinar on Thursday, January 12th at 12 noon Eastern time by
       Clicking on this link:  https://www2.gotomeeting.com/register/835835290.



No Way to Win an Election – A Risk Assessment

Watching the pandemonium that is the build up to the Iowa Caucus, you can follow the thread that pandering and trying to appeal to the lowest common denominator brings to the Iowa Caucus candidates.

They have taken what could have been an asset, and transformed it into the threat that each of the candidates seems to be fixated on –  that they will not be considered ‘enough of a social conservative’ and so will not win the caucus. 

So, by having a field of five (Paul, Newt, Santorum, Perry and Bachman) competing to be the most dogmatic, the most restrictive, the most anti-abortion, the most anti-immigrant, the most family-oriented, etc., they have actually pared down their own chances of winning.

Romney is running in the slightly more moderate vertical, which no one wants to compete in because it’s not such a knee-jerk distinction, which is why I left him out of this analysis.

In risk assessment terns, this means they have focused on addressing the wrong potential threat (not being conversative enough), and failed to address the real threat (losing the election or coming in dead last).

For the field of five, it turns out that by directly competing against each other, they energize their narrow social conservative vertical and that keeps all five of them alive, and the eventual  outcome is the splintering of that narrow field, which effectively prevents any one of them from anything close to a clear win.

It may be a great way to promote yourself for a later VP slot, or, who knows, maybe a future ambassadorship, but it’s NO WAY TO WIN AN ELECTION!

 



Why Bother with a HIPAA Risk Analysis Anyway?

People tell me all the time that their management doesn’t want them to do a risk analysis, even if it’s a requirement.  Sometime they say that they have no budget
to fix anything – so why bother?

Even if it’s a requirement, like new workplace violence assessments, or a federal law like the required HIPAA risk analysis, there are people who want to do it in 30 minutes in a spreadsheet, without conferring with other staff members, without bothering to do a walk-through of the facility, without management’s enthusiastic support.

Here is a list of good reasons to do a Risk Analysis for HIPAA, even if you are not sure about whether you need it or not:

1.   It’s a Federal law.   It’s possible that no one will know if you don’t do it, but
      what if you have a MassGeneral-style data breach next week?

2.   It saves the organization BIG BUCKS, by doing the cost benefit analysis so
      the IT department can implement controls that actually increase protection
      AND reduce potential threats at the same time.

3.   A Risk Analysis acts like a security awareness training program if you
      involve the entire hospital or healthcare staff.  Many times they aren’t
      aware of the policies and procedures, and having them answer the
      HIPAA compliance surveys is a great no-cost refresher cost.

4.   You can uncover REAL vulnerabilities and fix them right away.  For example,
      you may not know who’s taking your database home on their unencrypted
      laptop.   You may not know that only 20% of the hospital staff took time to
      take the online training!  This lets your IDENTIFY problems and FIX them.

5.   It instantly makes the security analyst/information security officer the
      SMARTEST person in the room.  You know understand everything about
      protection of medical records in your organization!

6.   Regulators are getting CASH BONUSES for finding problems.  Don’t let
      them vacation in the south of France because they found a vulnerability
      in your IT systems!

Start your risk analysis today – and I will make sure YOU get all the credit!



Starting a Hospital Security Risk Assessment

How to make sure your Security Department is Working for the Hospital.

Security Risk Assessment are not just Required by the Joint Commission – they are required in many states as a preventive measure to help prevent and reduce workplace violence.

The Risk Assessment also helps managers and administrators assess their security program, directly measure it’s effectiveness and helps determine
cost effective methods that can give you a great deal of protection for the lowest possible cost — something we call “bang for the buck”. 

The recent increase in violence comes as a surprise to doctors, nurses, managers and administrators, too.  Violence is not a concept that people usually associate with hospitals.  For years, hospitals have been seen as almost a sanctuary of care for the sick and wounded in our society.   However, the perception of hospitals has been changing over the last fifteen years due to a variety of factors.

 1.  Doctors are no longer thought of as “Gods”.  This means they are
      are more easily blamed when a patient’s condition deteriorates.

 2.  Hospitals are now regarded as businesses.  This perception has been
       been aggravated by television in shows like a recent “60 Minutes”, as well as
       by the effects of the recession on jobs and the loss of health insurance.

3.  Lack of respect and resources (funding) for hospital security departments
  
.  Rather than being seen as a crucial protection for the hospital staff and
      patients, many security departments are chronically underfunded and used
      for a variety of non- security functions, such as making bank deposits for
      the hospital gift shop, driving the education van, etc.

The federal government  issued a guidance document for dealing with violence issues in healthcare,  called OSHA 3148.01R, 2004, Guidelines for Preventing Workplace Violence for Health Care & Social Service Workers.  You can download a copy at www.osha.gov/Publications/osha3148.pdf



Playing Footsie with the Haqqani Crime Network

I am a risk analyst and risk assessment expert, certainly not a diplomat.  In fact,  my friends might say I am probably really un-diplomatic most of the time.  I like the direct approach.

But watching the U.S. State Department and the Obama administration playing footsie with the Haqqani network in Afghanistan and Pakistan is worse than enduring waterboarding.  What a waste of American dollars — paying off these criminals to finance construction projects that Americans are doing to build up Afghani infrastructure.  

I have watched for years as the U.S. State Department props up brutal dictators, only to see them toppled overnight.  Of course, Mubarak and Quaddfi come to mind right away.

But to try and win a WAR, while paying off criminals and murderers who are launching attacks on our embassy, letting them run our relationship with Pakistan, is just wrong.

What has this got to do with risk assessment?  PLENTY – because the problem here is large amounts of unaccountable cash.  Cash passed out by the State Department, USAID and the intelligence services, theoretically, to ‘grease’ the skids and get something done, but instead, these wholesale PAYOFFS just finance and empower our enemies, while ruining the U.S. reputation and maddening the citizens who provide this money in the first place.

I would vote for anyone who could put REAL ACCOUNTABILITY back into the U.S. spending abroad.  As the Arab spring proved — this kind of diplomacy never works!



Did you know that Organized Crime now Runs Most Identity Theft rings and That They Already Have Your Personal CC Information?

A recent CNNMoney article looks at why cybercrime has gotten so pervasive and concluded that you have probably already been hacked!

Cybercrime and theft of personal identity elements like credit cards, bank accounts, passwords, etc. has moved from a kitchen industry populated by techy college students in countries like Bulgaria and Romania, to a dependable source of income for organized crime.

Similar to the way Russian crime gangs have infiltrated the shipping-port business, identity theft has become a commodity and they are stealing BILLIONS of dollars every year, including from the world’s largest corporations like Sony and Citigroup.

According to CNN Money, “These aren’t petty thieves. They’re committing breaches like the Sony attack that stole credit card information from 77 million customers and the Citigroup hack that stole $2.7 million from about 3,400 accounts in May. They’re organized, smart, and loaded with time and resources.

“It’s not like the Mafia, it is a Mafia running these operations,” said Karim Hijazi, CEO of botnet  monitoring company Unveillance. “The Russian Mafia are the most prolific cybercriminals in the world.”

The Russian mob is incredibly talented for a reason: After the Iron Curtain lifted in the 1990s, a number of ex-KGB cyberspies realized they could use their expert skills and training to make money off of the hacked information they had previously been retrieving for government espionage purposes. Former spies grouped together to form the Russian Business Network, a criminal enterprise that is capable of some truly scary attacks. It’s just one of many organized cybercriminal organizations, but it’s one of the oldest and the largest.

“The Russians have everyone nailed cold in terms of technical ability,” said Greg Hoglund, CEO of cybersecurity company HBGary. “The Russian crime guys have a ridiculous toolkit. They’re targeting end users in many cases, so they have to be sophisticated.”

Though credit cards continue to be a source of revenue for organized crime syndicates, there’s not much money in credit card theft, so crime rings go after large corporations and sensitive information that can be sold or used for blackmail.

Globally, data breaches are expected to account for $130.1 billion in corporate losses this year, according to the Ponemon Institute. Historically, about 30% of that total cost has been direct losses attributable to the breaches, which would mean about $39 billion will stolen in 2011.



Arming the Office – What Happens When We Let Employees Bring Guns to Work

One of my colleagues wrote to me so passionately about the terrible gun violence he witnesses every day, that I wanted to share it with all of you.  You can call it a ‘Guest Blog’ from the Field — a Hospital Security Director in a Major U.S. City.

The gun lobby had several recent legal “wins” for the gun rights advocates in Texas, Indiana, and Tennessee.   Apparently lawmakers and gun rights advocates find it a sane and reasonable  policy to open up the workplace to armed employees.

It t is also clear that our lawmakers are not satisfied with our current national gun carnage. Currently, we shoot to death about a 100 people a day in the United States, including 25 children killed every three days.  And this tally accounts for only those killed by guns.

This doesn’t include all those I see on a daily basis who are shot, crippled, maimed and ruined by the daily shooting gallery in the USA.   In order to continue to make money and sell more guns, the gun rights advocates, and  the legislators they have paid off, corrupted and stripped of reason,  are intent on even greater carnage and human tragedy.

Every day I witness the extreme becoming mainstream, and even commonplace.  
Guns are now finding their way into the workplace, brought into churches, brought into our colleges and universities. They are brought to hospitals, and shot off over highway bridges.

The logic is totally missing.  We are already a nation awash in fear and loathing.  We hate people  we don’t know and don’t understand.  The answer to this problem is NOT to arm EVEN MORE people and have guns readily available to everyone.

Obviously, the recent horrors of Arizona and the slaughter of innocent people in a Safeway parking lot,  has already been forgotten by security professionals and criminologists.  There is no condemnation or follow up  about a terminally troubled young man and the ease in which he purchased a semi-automatic pistol and 30 shot clips.

There has been no rallying cry to address the ease in which tormented and troubled and dangerous individuals on the margins of our society can easily obtain weapons of human mass destruction.   These realities are not relevant and cannot be discussed. And in today’s political climate to even MENTION this makes one a pariah, or a “liberal”, or a “communist”.

 I have been in the Security and Prevention profession for over 35 years, so I can easily dismiss the attacks from gun rights advocates and zealots.  And in fairness,  I have found many gun rights people to be in fact reasoned and decent and willing to engage in reasoned discourse.

What troubles me, and why I wanted to write directly to YOU,  is that the vast majority of professionals in the Security profession totally bypass, ignore and in fact, minimize the reality and tragedy that is our national gun slaughter.   As a profession,  we have done nothing to challenge these trends,  or address them, or at the very least,  debate the current flood of laws designed to turn American work places into armed camps.  

And this in my view is nothing less than a tragedy.




top