Risk and Security LLC

Risk Assessments, Training and More

This content shows Simple View

Threat Assessment

Thinking about a Model for Workplace Violence Prevention

Since I posted my blog yesterday – I got a big reaction, which ranged from those who thought there was no need for any standards on workplace violence prevention and believes that people will should help each other.  “Work place violence cannot be stopped by legislation! Good feelings cannot be legislated!  They are stopped by a community who cares!”, one reader commented.  

Obviously, people like Omar up in Manchester, Connecticut might have been treated in a more caring manner, with as much dignity as you can give to someone stealing beer on camera, but I could not disagree more with this statement.   I’m hot on standards – and these days, more than ever, people need lots of direction on how to do their job and how to apply security-related concepts.

Have you done any hiring lately?  Some people we’ve interviewed need to have every part of their job written down for them.  There seems to be less incentive to solve a problem that is not directly in the job description.   That’s one argument for setting some kind of minimum standard for companies, to assist them in dealing with the workplace violence increase. 

Standards make life easier for everyone because you don’t have to constantly reinvent the wheel – wheels now come in standard sizes, too.   

One of the reasons it is an attractive idea to create a standardized program for WV is because it is usually totally preventable.  Many of these people leave an enormous trail of clues that they are considering something drastic – including detailed plans in writing on Facebook.   Another reader pointed out that California does have a workplace violence prevention standard.  I checked and found it here:  http://www.dir.ca.gov/dosh/dosh_publications/worksecurity.html

The Cal/OSHA policy includes this little nugget, “The demographic profile of victims of fatal workplace assaults indicate that the majority are male. However, even though the overall fatal workplace injury rate for women is substantially lower than it is for men, homicides represent the leading cause of death for women in the workplace.”  WOW.

Cal/OSHA also offers a resource guide – The Model Injury and Illness Prevention Program for Workplace Security (a nice term).     Like everything else related to security, the actual workplace violence incident is usually a slow escalation over time.  That’s exactly why it is possible to deter, or prevent it – because there are signs everywhere, and lots of coping strategies you can learn.

I worked on a project in Thailand where a manager from a big box store had been fired and humiliated.  His revenge was to call in bomb threats – FOR A YEAR.  Only when those were totally ignored did he actually bring a bomb into the facility and yes, it went off, and yes, it killed a young security guard.

But, they had ONE YEAR to take him seriously and get help for him.  Many of these incidents also have a long wind up before the actual incident is triggered.

WHY SHOULD WE CARE?  I totally buy the argument that more people are killed from industrial injuries and lightning and car accidents, than in a WV incident, but these things are usually hard to predict or detect in advance.  Think about it – the fall off the ladder, the accidental electrocution, the surprise car crash — all more random and UN-preventable.

Workplace violence IS usually preventable, in all the stages.  From the first stage when the employee starts to feel that they have been unfairly treated, right through to how to handle an insanely angry person who happens to be packing.

That’s why training is so important, because it can prepared employees to deal with an incident, and it may even help them recognize and deal with their own issues.  Here’s another note from Cal/OSHA,The cornerstone of an effective workplace security plan is appropriate training of all employees, supervisors and managers. Employers with employees at risk for workplace violence must educate them about the risk factors associated with the various types of workplace violence and provide appropriate training in crime awareness, assault and rape prevention and defusing hostile situations. Also, employers must instruct their employees about what steps to take during an emergency incident.”

Who wants to write me and help develop a National Standard for Workplace Violence Prevention?   Let me know at caroline.r.hamilton@gmail.com.



Workplace Terror in Manchester, Connecticut

Yesterday a tragic story unfolded in Manchester,  Connecticut.   You probably already know that nine people were killed when an employee who was being fired, came back in with his hand gun,  started shooting and, after calling his mother, killed himself. 

This incident is part of a bigger and growing trend to more workplace violence incidents – not only in companies in general, but in hospitals to an even greater degree.  The Manchester incident also illustrates again some of the basic tenets of preventing workplace violence incidents. 

Patrick Fiel, Public Safety Advisor for ADT Security, commented, “The industry standard is to not  terminate employees in open areas where other individuals may be working.   Firings are always touchy situations and should be conducted in an isolated areas, even off-site, away from the work areas.”  

“Many companies have crisis plans in place, and also conduct security risk assessments annually  to prevent this kind of incident.   A comprehensive security assessment  might have saved nine lives by setting up procedures for the termination; and additionally, by making sure employees knew what to do when he did draw his gun.” 

I have been reviewing workplace violence incidents in healthcare and find that they have skyrocketed since the recession started.   Violence against supervisors, managers and also nurses and other healthcare workers has spiked significantly.

 It is surprising to read the following statement on the osha.gov web site:

There are currently no specific standards for workplace violence. However, this page highlights Federal Registers (rules, proposed rules, and notices) and standard interpretations (official letters of interpretation of the standards) related to workplace violence.

Section 5(a)(1) of the OSHA Act, often referred to as the General Duty Clause, requires employers to “furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees”. Section 5(a)(2) requires employers to “comply with occupational safety and health standards promulgated under this Act”.”

It might be time for OSHA to develop some workplace violence prevention standards.  Many of the ones we use in our risk assessments are related to standard security safeguards – such as having a written termination policy; making sure that if  worker at one location is fired, that all other locations are notified so he can’t just go to another office and cause an incident. 

Much of the statistical data we found on the OSHA website were at least six years out of date, which makes it harder to track current trends in workplace incidents, unless you catalog the media-reported events and run an analysis on them.  The U.S. Bureau of Labor Statistics reported  “Mass shootings receive a great deal of coverage in the media, as we saw with the Orlando, Fla. office shootings in November 2009 and in the shootings at the manufacturing plant in Albuquerque, N.M. in July 2010.  Out of 421 workplace shootings recorded in 2008 (8 percent of total fatal injuries),  99 (24 percent) occurred in retail trade.  Workplace shootings in manufacturing were less common, with 17 shootings reported in 2008.  Workplace shooting events account for only a small portion of nonfatal workplace injuries.” from http://www.bls.gov/iif/.

It makes me wonder if the workplace violence statistics from 2008 until now may be such a large increase, that has been either underreported or even held from publication!

According to a report by the National Institute for Occupational Safety and Health — “State of the Sector/Healthcare and Social Assistance” — published in 2009, health care workers are more than three times as likely as workers in other industries to be injured by acts of violence.

“Health care workers are at risk for verbal, psychological and physical violence,” the report says. “Violent acts occur during interactions with patients, family, visitors, coworkers and supervisors. “Working with volatile people or people under heightened stress, long wait times for service, understaffing, patients or visitors under the influence of drugs or alcohol, access to weapons, inadequate security, and poor environmen­tal design, are among the risk factors for violence,” the report continues.

In the current economic environment, the physical security (facility) risk assessment can be used as an important tool in making sure that basic industry standards for preventing workplace violence incidents; or limiting the damage they can do – especially for making sure the staff are protected from violent incidents by their co-workers.

The security assessment can be followed by the creation of specific, detailed crisis plans that make sure people know what to do when the unthinkable happens at work.  One of the reasons that workplace violence incidents are so upsetting to all of us is because the person KNEW the people he was killing.  He probably knew their spouses and met their children at a company picnic.  It makes the violence more personal and scary, a whole different thing than falling off a ladder.   And it reminds us all that it COULD happen here!



The Oil Rig Disaster and Risk Assessment — And Accountability Issues with Politicians

“Drill, baby, drill.”   We have heard that before – being from California and being a tree-hugger, I didn’t think that was a great idea, especially since I know our oceans are already struggling, but I did not expect something this bad to happen.

The politicians who were so busy expanding oil leases and the profit-rich oil companies who are raking in billions,  don’t spend much time on assessing the potential risks AND the potential losses for a catastrophic oil spill.

Maybe we should require them to do REAL risk assessments on the total possible impact of an oil disaster.    It would not be an environmental impact statement, which downplays the risk by putting in lots of scientific jargon and ASSUMES that proper safety controls and contingency plans are in place.  But obviously that either was not done;  or it was not accurate, or it was done and burned so no newsperson would ever see the smoking document (or should I say, the oily document).

If we go back to the classic risk model – we are by listing the assets at risk:

  1. The Cost of the Original Rig and Drill Equipment – $500,000,000
  2. The Value of the Lives of the 11 workers who died –    25,000,000
  3. The Value of the Oil itself, with replacement value
    (5 million gallons at  $2.00 per gallon = $10 million dollars)
  4. BP’s Reputation as a good company – $2 million
  5. Gulf Fishing and Shrimp Industries Value – $2.5 billion dollars for

Just Louisiana – add in Alabama, Mississippi and Florida and quickly     the bill runs up to $10 billion dollars.

  1. Value of Summer Beach Tourist Business in the Gulf – $20 billion
  2. Value of lives of 20,000 – 50,000 shorebirds; 10,000 turtles; 0ther assorted marine mammals, birds, and fish   – $25 million.

So we have a resource worth about $33.5 billion dollars – that is potential loss estimate.

What we will lose if a threat materializes?    Keep in mind, for comparison purposes, that BP had recently doubled it’s profits from $3 billion to $6 Billion a quarter,  which calculated out to about  $24  Billion Dollars a Year.

Next we factor in the likelihood of a threat occurring.  Reviewing the frequencies of and problems problems with oil rigs, and oil spills, we find:

There are an average of about 2000 oil spills a year of various degrees.

There are an average of 1 million gallons spilled each year (going back 7 years).

(Already you can start to get a idea of how terrible this spill is.)

Next we list all the problems (vulnerabilities) that could or would have made it more likely to have a disaster occur,  you will recognize many of these from the latest news conference

  1. New,  untried technology
  2. No recovery plan if secondary shut offs fail
  3. Difficulty of working on deep ocean
  4. No reliable oil containment systems have ever been developed

SO – if British Petroleum is making $24 BILLION A YEAR and because of this spill, BP loses about $1 billion dollars. That’s not a bad Return.

The problem comes in with the $30 Billion dollars that is borne and felt, not by BP, who goes on to drill somewhere else, but by the citizens of the affected states and the whole United States due to the incalculable environmental damage.

The last thing we look at in a risk assessment model is the potential controls that could have been put in place to reduce the likelihood of the threat materializing, and the cost of those controls that could either reduce the threat, or, and even more important in this case, minimize the damage if the threat occurs anyway.

What controls could have been improved in this model?

Development of effective oil capping techniques BEFORE a disaster

Better training of oil rig workers

Better fire controls which might have saved the rig from sinking.

Accountability Increased for the Materials Management Service (MMS)

Tougher Regulations for Oil Companies

Better oil containment tools

Better oil absorption tools

Regular drills so that workers are better prepared in an emergency like this.

I’m still here watching the news coverage but I have learned why this happened – because BP was making so much money, it just didn’t have that much to lose from a disaster.  So it avoided improving its technology and spending money on controls that might have helped.

And the former and current U.S. administrations are to blame for not requiring accountability from the MMS.  And the rest of us, including the bluefin tuna, the birds, the jellyfish, the crabs, the shrimp, bottlenose dolphin, sperm whale, dozens of varieties of sharks, manatees, oysters, warblers, terns, swallows, egrets, plovers, sandpipers, pelicans,  loggerhead turtles, Ridley’s turtle, diamondback terrapins, and alligators.

According to the Louisiana Department of Wildlife and Fisheries,   here are the numbers of species that will be affected:

445 species of fish,

45 species of mammals

32 species of amphibians and reptiles

134 species of birds,
and the ocean itself, and all of us.



BLUES ON THE BORDER – WILL SECURITY FINALLY GET A BREAK?

Arizona finally did it.  They called DHS’s bluff, and actually DID SOMETHING about the US-Mexican border.  it has nothing to do with racial profiling and nothing to do with discrimination — it has everything to do with America’s security against terrorism.

Everyone who is so shocked, appalled and worried – shouldn’t be.   Everyone wants to prevent the next 911, they want to keep out drug traffickers….. and you cannot get that done with an open border to our south. 

I say it over and over – PLEASE QUOTE ME – you can’t have homeland security with an open border!  You can NEVER have homeland security unless you have security at the border first. This is a key risk assessment vulnerability that anyone doing a formal assessment would spot immediately. 

What good is having a checkpoint on the I-5 interstate in San Ysidro if illegals can avoid the border crossings and run right into the U.S.? 

Look at strictly as a cost issue – looking at the real numbers helps… 

  • Cost of maintaining our phony border controls   $100 Million Dollars for 2010

(from the total ICE (U.S. Immigration & Customs Enforcement) budget of  $5.7 Billion Dollars). 

  • The Drug Enforcement Agency (DEA) says that since 2005, 15% of domestic arrests are arrest of illegal aliens!
     
  • Budget for DEA to combat Drug Traffic from Mexico   – over $25 Million Dollars (just to add an additional 128 agents along the southwest border). 
     
  • The Southwest Border Initiative Virtual Fence Project – $800 Million dollars
  •  The Secure Fence Act – over $7 Billion dollars 

AND OUR BORDER is still wide open.    Federal agents trying to police the border do not have the proper support and are discouraging from killing murderous drug dealers and human trafficking mules.   

If you look even farther – take the entire budget of the Department of Homeland Security, which is  $55 Billion dollars.   This money can largely be considered as wasted, if there is no control over our border with Mexico.  

You see it all the time at companies out in rural areas – they have a chain link fence around the back of the property, but the fence has a 14 foot gap in it, and all it does is concentrate the intrusions right through the gap in the fence.  It does not deter crime, it cannot prevent theft – because the fence is not secure, there is an open gap.  

That analogy works with our borders, too.  If you wanted to get into the U.S. illegally, would you choose to drive thru the checkpoint at El Paso?  Through San Ysidro?  Fly in from Mexico City and have to show a passport?   NO – you would breach the border and just walk across someone along the thousands of miles of unsecured border. It is a no-brainer, even for a terrorist.

As a risk assessment expert, I am personally thrilled that Arizona has pushed the envelope and passed a bill that at least attempts to find a solution to our horribly expensive and totally ineffective southwest border controls.  It might galvanize enough people to actually get something done about this open border policy. 

Remember, you cannot have a secure country without securing the borders.



Risk Assessment: Too much emphasis on PROCESS hampers rescue efforts in Haiti

From the night that CNN showed Dr. Sanjay Gupta staying up all night to attend to patients in a field hospital, because the UN thought it was unsafe for their doctors and medical staff, you can’t help but feel like the security threat there has been used to avoid taking any chances — while the Haitian people are having to absorb all the risk!

Even Anderson Cooper said, from his position in the ground, that the security fears were overblown and other doctors have corroborated this! So why is the UN using security as a cover….

The UN is an organization that often favors PROCESS over ACTION. I can understand that they are used to having convoys attacked in dangerous areas like Cambodia and Ethiopia — but this is Haiti…. we know Haiti… no rocket launchers in Haiti — no political goals on display in Haiti. Just poor, starving, sick people with no homes, no resources, no medical facilities, no food, and no water.

As a risk person, I just wonder if they actually did a quick 1 hour risk assessment on this disaster which would have pointed out that the risk of slow, un-action is much worse in this case – than the risk of a security incident.



Fireworks Ignite After Latest Airline Terrorism Incident

It was a surprise to see the biggest news on Christmas was that a Nigerian terrorist managed to get on a plane coming to Detroit from Amsterdam with some sort of explosive strapped to his leg.

AND – the alleged terrorist was on the NO-FLY LIST. Just think about this for a moment. A recent paper from the Naval Postgraduate School on Homeland Security estimated that the costs of the no-fly list, since 2002, range from approximately $300 million (a conservative estimate) to $966 million! And after spending over $300 million, the terrorist is able to get right on the plane, WITH EXPLOSIVES STRAPPED ON, and fly to the U.S.

Besides being a risk expert, I was mom who didn’t let her boys have toy guns. So imagine my shock at THINKING (to myself) that maybe we should let certain
Cleared passengers fly PACKING.

The passengers on the flight under discussion are the ones who subdued the perp, and I have a feeling that US airlines passengers would all be happy to take over their own security while flying the un-friendly skies.

Despite spending billions on patting down the grannies and business travelers along with 9 year old girls – someone can still board a plane and fly right into the U.S. with
explosives strapped on.

A simple risk formula applied to this entire passenger screening program shows that the entire TSA passenger screening program is too expensive for the results they are getting. The biggest cost waster is the idea that every single air traveler is treated exactly the same way. This is the elephant in TSA’s conference room. Every traveler is NOT the same. The most simplistic metrics show that:

1) Terrorists are more likely to be men.

2) Women over 60 are not likely to blow anything up.

3) Small children and federal employees are unlikely to be
Smuggling in explosive devices.

As the noted expert, Stephen Flynn, pointed in his book, America the Vulnerable, this policy creates huge cost, creates inefficiency and does not stop the dedicated terrorist.

Instead of being run as a gigantic stimulus program for the underemployed, TSA should sharpen it’s focus and began to start a true profiling program. A profiling program doesn’t have to target certain groups or type of individuals, but it should work towards automatically EXCLUDING the large groups of people who are unlikely to be a threat; let them opt for “cleared” status by completing a background check, and if these many individuals were automatically cleared, it would leave the TSA screeners more time to MORE RIGOROUS checks on potentially dangerous individuals, and ENSURE THAT PEOPLE ON THE NO-FLY LIST — DO NOT FLY!

Sounds obvious doesn’t it, but instead, the U.S. budget is being squandered on thousands of unnecessary screens, while the potential targets are not getting the indepth, and in-airport screenings they need to have.

These inane policies are not just indefensible – they are dangerous – and the latest incident just proves the point.



Hurricanes and Risk – Unexpected Consequences

Murphy’s Law states that anything that can go wrong — will go wrong.  Natural disasters like earthquakes, power outages and hurricanes always seem to prove that this old axiom is still true.

Many people are allergic to change and when their environment starts to change drastically, as it will in a natural disaster — say a hurricane. And when the environment and familiar patterns start to break down, people get anxious, anxiousness turns into nervousness and in a state of anxiety, bad decisions are made.

The continual push to have emergency responders train, train and train some more, the importance of doing drills and testing emergency plans reflects the importance of people feeling COMFORTABLE and FAMILIAR with the disaster operations and steps toward recovery.   Almost every requirement, whether it is for a physical security standard like FEMA 426 (How to Protect Buildings from Terrorist Attacks), to a bank standard like the FFIEC (Federal Financial Institutions Examination Council) the requirements requires disaster plan testing, and training for the personnel who will be affected by the disaster. The better and more frequent the testing and training, the better the plan will perform during an actual disaster.

Stories keep making the rounds about the South Street Seaport outage in lower Manhattan, and the emergency vehicles who raced to the scene and found there was no electricity to plug into. 

If we put aside the original disaster, then you will often find peripheral activities that are thrown off and do not behave as planned.  When I first moved to the DC area, we had a major power outage in the high rise office I off the beltway.  No problem — the building manager had a diesel generator up on the roof.  But he had stored the diesel fuel in the basement, and it was about 88 degrees that day.  He managed to carry the fuel up the 16 flights of stairs to the waiting emergency generator, but he was hot and tired and when he poured the diesel, he slopped it over the side and it spilled down the outside the building and then soaked into the walls, and we had diesel leaking out of the electrical outlets!   If you ever drive by the “Darth Vadar” building right at Route 50 and the Beltway — you can still see the stain on the building.

So when hurricanes are heading west, north and east, all at the same time, it’s a good idea to encourage your associates to breathe deeply, calm down, and take extra time to make sure that things get done correctly. 

One of my friends is leaving Brownsville to get away from Hurricane Ike as I am writing this.  And I had Hurricane Hanna visiting Annapolis less than a week ago.

Stay safe.



School Security Assessments & Children

My children are out of schools now, but I am always shocked at what I see on CNN’s Nancy Grace Show — all the terrible people who are snatching little girls on their way home from school.  And what about the janitorial staff in some schools who don’t take time for the routine background check and find later that these men just rotate through the different schools looking for young victims.

I have been discussing this with some of my ASIS friends who do these types of assessment and they agree that  sometimes it seems like the school management is not interested in a REAL security assessment, but instead just wants to punch the ticket so they can say it’s been done. 

Conversely, they also find organizations who want to justify an expensive camera system, but totally ignore the basics….One of my friends wrote to me and said, “I have  yet to see a school that has not spent a few thousand on detection systems to  protect a few thousand dollars of computers but nothing on educating the staff  and students on how to respond to critical events in conjunction with the  first responders”.  

He continued…. “ 99% of all of the school vulnerability assessments I have performed shows
is this:  CCTV and Access Control systems are truly useful tools,  but they follow the principle of responding after the horse has left the barn, when they should be putting time and smaller amounts of money into such  things as fencing and meaningful emergency exercises to prevent and mitigate  the threats.  Dependence upon electronics is lulling the schools into a  false sense of security – the real assets aren’t the computers – the real  assets are the kids and staff.  An effective true vulnerability risk assessment would show the way to making more informed decisions”.

The same thing happens to organizations who want to spend money on fancy, shiny, IT stuff, instead of doing boring things like:

1.  Making sure the staff gets enough training.
2.  Making sure that security plans are updated annually.
3.  Updating the background checks.

Controls that cost less than $1000 are usually ignored for big purchases like digital color camera systems.  We had one incident I remember where the organization had already paid for and installed the fancy camera system, but no one was available to do the monitoring!

Training in how to use new systems is also another area that often gets neglected and it is probably the SINGLE, MOST IMPORTANT PART of any new system.   More than one organization didn’t keep using the new visitor management system because the staff never took the training and didn’t understand how to use it.  Without that training, you might as well save your money.

And while we’re on schools – I actually got a letter from a big inner-city school district, and it was on letterhead and it said, “We regret that we cannot do a security risk assessment but we feel that if we identified particular risks, we might be liable if we did not fix them in a timely manner.”

YES – if you identify a terrible security problem and don’t fix it – you could be held responsible – but what if you have three teachers killed, or three students – Security shouldn’t just be about liability.  It should actually FIX something.

One of the more successful schools assessment projects I have seen lately is down in Florida, where one of the schools is involving parents, as well as staff, in the school security program.  There are online security guides that parents have to view, and they actually track it to make sure the parents are taking the online security training.  

I got re-interested in the schools when I saw an HBO documentary on a Baltimore school that was having problems complying with the No Child Left Behind legislation, it’s called “Hard Times at  Douglass High”. It outlined many of the problems that large city schools have to face, and although the documentary didn’t focus on security, security is always an issue.

Again, it’s the risk assessment that can give a school, whether it’s a public school, private school, magnet school or charter school a good overview of the security controls they have in place and what they need to do to improve.   By setting up a program that REGULARLY assesses the school’s security profile, and does a cost benefit analysis on potential controls, the school will go a long way in protecting the interests of the students, the staff and the parents.



The Latest Risk – Data Center Theft

In November of 2007, a co-location data center with state-of-the-art technological controls in place on all of its equipment was broken into for the fourth time. The burglars simply took a masonry saw and cut out a section of the concrete wall. According to a letter from officials — the night manager was repeatedly tazered and struck with a blunt instrument. After violently attacking the manager, the intruders stole equipment belonging to the data center and its customers and at least 20 data servers were stolen.

So does this mean that we have crossed the threshold where the information is more important than the equipment on which it resides? Even more amazing is that this particular co-location center has experienced more than FOUR break-ins! That’s certainly some kind of record.

My theory is that whenever the economy takes a downturn, robbery, burglary and other petty crimes start going up. White collar crime also starts to increase as employees start feeling that their job may not be secure as they thought – and start helping themselves to whatever the company has given them access to, maybe paperclips, maybe something more interesting.

There’s so much talk about “convergence”, the fusion of physical and information security. I think it is still typical in most companies to handle these two types of security completely separately and when the crime rate is increasing, that’s when you have to make sure that the correct physical controls are in place. In the same vein, the background checks on key personnel should be done more often and certainly should be done for all new employees.

A time-honored mantra for security people has always been “the insider threat is always worse than the outsider threat”. You can see the logic in this immediately, because the trusted insider has access to lots of information and with the use of a thumb drive or memory stick, its easy to get information out of a facility. Many organization ban thumb drives for this reason, but they are also not searching the purses, gym bags and other paraphernalia an employee may bring to work.

Data breaches disclosed by Hannaford Bros Supermarket Chain, GE Money, and Georgetown University are just some of the 167 breaches reported during the first quarter of 2008, up 1/3 over the previous quarter, according to the non-profit Identity Theft Resource Center (ITRC). This is more double the first quarter of 2007 (which was 76 breaches). It is an easy theft with a big upside and you can just sell the information to a sort of electronic fence so you don’t have to do much yourself.

Many of the investigations I have been involved with have uncovered employees doing another kind of theft – capacity theft. They are running their own businesses on the organizations boxes, basically stealing capacity and storage, plus the loss of their time and energy while they are engaging in these practices. This can extend from running sex rings which we have seen in state government data centers as well as a recent incident with Congress, to taking the client lists and selling them to spammers.

So with the external environment making lots of people think they could use a few extra bucks, it is probably a good time for improving access control systems, doing background checks on a more frequent basis, and generally improving the facilities security of your data center. Of course, it goes without saying that you should be doing your risk assessments on a more frequent basis.

Besides doing the security checks, a side benefit is that if you publicize the fact that you are doing an assessment, employees will back off their extracurricular activities on your systems. Once again — the risk assessment is a win-win.

Visit RiskWatch.com for more Information



Threat Assessments & the Maryland Storms

June 4, 2008, Annapolis, Maryland

Threat Assessments are one of the key areas of a security risk assessment.  Whether it’s information technology or physical security — having good threat information is a major component of any risk assessment.

Threat data is also very difficult to get and to keep updated.  Part of the problem is that if you look at ‘current’ threat data — you will find that this year, for example, we have had an unusual amount of rain and an unusually high number of storms and ‘conditions that are favorable for tornado (tornadic  sp?) activity in Maryland.

Take yesterday for example.  I had to take one of my beagles to the vet.  As I got into my car, my son called to say there was a very severe storm with a possible tornado heading toward us.   (He is in Virginia so he gets the storms first).  I actually saw the storm in my rear view mirror as I headed across the 4 mile Bay Bridge and rode out the storm in the vet’s office.  All my power was out when I finally got home and hundreds of trees were down.  There was so much flooding that I had to take off my shoes and pull up my dress to get to my car in the parking lot of the vet’s office.

So with these storms, tornados, rain and flooding, should I increase my threat of storms, flooding and water damage?  NO.  In this case, as in others (like hurricanes), as a risk analyst, you are looking at long term trends.  Remember 2005?  It was the busiest hurricane season on record,  with 27 named storms and 11 federal disaster declarations and the unforgettable trio – Katrina, Wilma and Rita?  Everyone thought this was the signal of a new problem with hurricanes, but 2006 was quiet.  In fact,  no hurricanes made landfall in the U.S. in 2006; and in 2007 there was only 15 named storms.

What insurance companies have known for years is that these things occur in cycles, and if you change your disaster plans to focus on hurricanes, next year you may instead get wind, or wildfires.  So the smart risk assessor will look at 20 or even 50 year cycles, and will normalize those cycles into an annual number and that annual number will be a better predictor of what actually happens year by year.

For a risk assessment, I always look at what is called an “All-Hazards” threat approach.  Even for an IT risk assessment, you need to look at the statistics for natural disasters, and related crime stats, as well as IT threats such as disclosure, viruses, malware, phishing, etc.  The impact of a hurricane or flood on a data center is just as damaging, if not more damaging, than a virus brought in by an employee.

There are several threat sources you can refer to, if you are attempting to create your own threat matrix for a risk assessment.  In the U.S., the National Weather Service (www.noaa.gov), has good threat data for natural phenomena, and the FBI publishes good crime data — the uniform crime reports (http://www.fbi.gov/ucr/ucr.htm).  For looking at IT threat data, there is a wide variety of sources including the CERT at Carnegie Mellon (www.cert.org).

Of course, the best, and most localized is either from your internal data, or from industry data.  This includes incident response tracking, incident reports, penetration and scanning test results which can be combined to give a good overall threat profile for your organization to in the risk assessment.  The threat assessment probabilities are going to contribute to the risk calculation by seeing what level of protection different assets need according the threats that can impact them. 

Caroline R. Hamilton is the Founder of RiskWatch, Inc., the original top-rated risk assessment software.  Hamilton served on the NIST Model-Builder’s Workshop on Risk Management from 1988-1995 and on the National Security Agency’s Network Rating Workshop.  In addition, she was a member of the U.S. Department of Defense’s Defensive Information Warfare Risk Management Model and has worked on a variety of risk assessment and risk management groups, including the ASIS Information Technology Security Council and the IBM Data Governance Council, created by Steven Adler.  Hamilton also received the Maritime Security Council’s Distinguished Service Award and has written for a variety of books and magazines including the CSI Alert, the Computer Security Journal, the ISSA Newsletter, The HIPAA Compliance Handbook, Defense News, Security & Design, Cargo Security and many other publications.  Based in Annapolis, Maryland, Hamilton is a graduate of the University of California.

Add to Technorati Favorites




top