Reposted from asisonline.com

​Sexual harassment allegations involving high-profile public figures have appeared in the news repeatedly this year, spurring broad debate on the prevalence of the problem, as well as the potential effectiveness of different prevention measures. 

Although their views may differ regarding the value of different prevention components, many security professionals seem united on a core issue: harassment is a serious workplace issue both in the United States and around the world, and it is one that deserves more attention and more prevention programs.

“Unfortunately, most people do not consider sexual harassment as a workplace violence issue, but this is a serious mistake,” the ASIS International Crime and Loss Prevention Council said in a white paper, Sexual Victimization, issued last year. “…It is imperative that we in the security industry each gain a greater awareness of the prevalence of this crime.” 

One preventative measure that has attracted recent attention is the use of company phone hotlines for anonymously reporting incidents of workplace harassment. The harassment hotline concept came into focus after intense media coverage of harassment allegations made against prominent Fox News broadcaster Bill O’Reilly by several female coworkers and program guests. The allegations eventually led Fox News to terminate O’Reilly’s contract in April 2017. 

O’Reilly said that the allegations were spurious, and he maintained that no complaints against him had ever been reported on the company’s harassment hotline. But some experts say that a lack of hotline calls is never surprising and does not accurately reflect frequency of incidents. 

Brian Lee, practice leader at CEB (now part of Gartner), a consultancy specializing in workplace incidents, says that, on the one hand, hotlines or “helplines” can be a valid component of an overall safe workplace programs. “But they are certainly not as helpful as people would want,” he adds. In part, this is because many companies employ a hotline for legal reasons, but do not publicize the actual phone number, which is sometimes embedded in a corporate policy handbook. “If you poll their employees, many have no idea what the number is, or how to get it,” Lee explains.

Another reason for low hotline use is that some employees suspect that the hotline isn’t truly anonymous, even if it is billed as such. Media reports of cases like the Wells Fargo fake account scandal of 2016, in which supposedly anonymous reports were still used for retaliation against whistleblowers, “have a chilling effect” on hotline use, Lee says.  

In addition, the hotline can feel too impersonal, like taking a complaint and “dropping it in a box somewhere,” says Stephen Hollowell, CPP, vice chair of the ASIS International Crime and Loss Prevention Council and a member of the ASIS International Healthcare Council. Hollowell helped prepare the Sexual Victimization white paper. 

A recent CEB global study on workplace misconduct seems to support Hollowell’s view. Only about 7 percent of respondents reported that they had used a hotline to file a complaint, compared with 68 percent who reported the incident to their direct managers. “The use of helplines tends to be much lower than people think,” Lee says. “It is far from the most popular way [of reporting].”

But unlike hotlines, other components of workplace safety programs have been shown to be effective, says Hollowell, who is an advocate for treating harassment with the same seriousness as other incidents of workplace violence. One such component is harassment training for all employees, which starts with orientation but does not end there. 

“You don’t just do it one time in orientation and then forget about it,” he says. Companies should provide periodic updates. Hollowell was involved in one organization that used the company’s weekly internal magazine to remind people that they should not hesitate to speak to their manager or call the firm’s helpline to report an incident. 

Experts often say that there are two main reasons why many harassment incidents go unreported: fear of retaliation, and previous demonstrated inaction by the company. Given this, a rigorous prevention program should address both these concerns, Hollowell says.

To do this, managers should make clear that the company’s workplace is one free of harassment and violence, and that this ethos is reflected in the procedures for reporting complaints. Hollowell uses his own program as an example: if a complaint is reported to a supervisor and the supervisor does not take action, the employee is encouraged to take the complaint to the supervisor’s supervisor, or to another department like human resources or security. “We make it very clear,” he says. Additional action will take place immediately, if the complaint is valid, he adds. 

Another point that should be made clear is that whistleblowers are protected. If an employee is penalized by a manager for filing a complaint in any way–such as by being assigned extra work or by having privileges taken away–“we make it very clear you need to come forward and make us aware of it,” Hollowell explains. “That could lead to [the manager’s] termination.” 

However, it is also a workplace reality that, occasionally, false harassment allegations are made. This is one reason Hollowell does not like anonymous reporting—it makes it easier for disgruntled employees to target certain people, such as a coworker or supervisor they hold a grudge against, with false complaints.   

Given the possibility of false claims, impartial investigations are crucial, Hollowell says. Investigators take a “just the facts” approach, sticking to exactly what happened, and following wherever the facts lead. “If you start assuming, you’re not following the facts,” he says. Finally, keeping people informed of procedures and policies is crucial. “Transparency really is the watchword,” he adds. 

For many years, harassment prevention programs would emphasize that company leaders needed to set a good example in their behavior, because the tone at the top was key. “But increasingly, that is just table stakes now,” Lee says. More firms are realizing that a coworker’s behavior is just as important as a manager’s behavior. “Employees are far more influenced by what they see around them than what they see at the top,” he adds. 

Indeed, that philosophy is at the heart of a recommendation made recently by the U.S. Equal Employment Opportunity Commission (EEOC) Select Task Force on the Study of Harassment in the Workplace. In a report issued last year, the task force cochairs recommended exploring an “It’s On Us” campaign for U.S. workplaces.

“It’s On Us” is a social movement first created in 2014 by the White House to prevent sexual assault on college campuses. The campaign urged everyone on campus to be an active part of the solution, not passive observers. Launching a similar campaign in workplaces across the country would be “an audacious goal,” and not easy, the EEOC task force concedes. 

“But doing so would transform the problem of workplace harassment from being about target, harassers, and legal compliance,” the task force argues, “and make it one in which coworkers, supervisors, clients, and customers all have roles to play in stopping harassment.” ​

See Original Post

Reposted from helpnetsecurity.com

All organizations, regardless of how well they think their walls are fortified, will at some point fall victim to an attack. How they respond to the attack could mean the difference between recovering with minimal loss to shutting the organization down.

In this podcast recorded at Black Hat USA 2017, Susan Carter, Sr. Manager Threat Intelligence and Incident Response Services at NTT Security, talks about how to select a suitable incident response program for your organization, and outlines the options organizations have to help them prepare for that imminent attack or breach.

Here’s a transcript of the podcast for your convenience.

Joshua Corman, founder of I am the Cavalry and Director of the The Cyber Statecraft Initiative, stated in a recent keynote that for all vulnerabilities disclosed anywhere, commercial databases currently track only 80% of those vulnerabilities. CVEs tends to have 60% of that 80%. So, when an organization is making a risk decision, they’re doing it with a blind spot of about 50%.

All organizations today, regardless of how well they think their walls are fortified, will at some point fall victim to an attack. It’s almost guaranteed because of the statistics from Joshua Corman, and it’s only going to get worse. How the organization responds to the cyber attack could mean the difference between recovering with minimal loss to shutting the organization down.

Not only can the financial impact of an attack due to downtime, lost business, cost of mitigation and cleanup and possible regulatory fines be astronomical; other facets such as loss of intellectual property and reputation are hard to put a price tag on. Just one catastrophic critical incident of security concern could shutter an organization for good.

The U.S National Cyber Security Alliance found that 60 percent of small companies are unable to sustain their businesses over six months after a cyber attack. In my experience, the only way to insure survival of an attack today is to invest in a solid incident response program, and that investment needs to include talent, time and money.

The organization needs to ensure they have an incident response program that is championed by a C-Level executive. This will ensure visibility to other C-level execs, assurances that understanding the importance of the program from above it is a priority, and that an investment of some kind is promised to ensure a successful program.

In my opinion, organization have a few options to help them prepare for that imminent attack or breach. All three options have different degrees of commitment and investment with slightly different results, depending on the organizations size and funding commitments.

First, this may be the only option for a smaller organizations with limited funding. Realizing the importance of having a plan of action in case of critical incident is half the battle. These organization usually have a very small in-house IT staff, if any, so it’s prudent to contract in advance with and third party incident response for on-demand retainer services.

With the assurance that expert help is just a phone call away, and that help can be reached 24/7, is of upmost importance. Many of these providers, like NTT Security, may have contract options is place that allow the organization to convert the retainer hours at the end of the contract to other services. This way it’s better than an insurance policy, the organization can still get value out of the investment even if they didn’t experience a need to use it during that contract year.

Even if you have a third party in your back pocket, I would like to caution that it’s not a buy and pray for the best solution. It’s important to understand that there will be requirements of the organization during an incident response cleanup, or forensic investigation that require a little advanced planning. The provider will be asking for logs, system images, copies of gold images and other evidence. Being prepared in advance of these request will make a difference between a successful IR engagement with minimal impact to a very costly engagement.

The second option is for organizations that have in incident response plan written but don’t have the skill set or resources to support a major breach or their program is still in the maturing stages. Companies in this position would greatly benefit in partnering with a third party incident firm that offers program assessments and validation services.

We at NTT offer a proactive service where we come in an assess written documents from the organization, and we do an assessment against best industry standards and practices such as NIST and ISO, along with their own years of experience in the space.

We offer advice on how to improve the program. Once the assessment is complete and documentation updated, a test of the execution of the plans can take place to determine the effectiveness of the plan along with identifying other areas that can be improved. Like identifying at what point legal needs to be brought in and when third party providers should be called, or even if you know who to call.

If an organization does not have an incident response plan in place, or would like to supplement their incident response plan with specific runbooks or playbooks, NTT can help with that development as well.

An incident response program is not something that can be developed and forgotten. I see companies that are most successful and confident in handling incidents when they partner with a third party on an annual basis for program review and assessment, and to facilitate testing of the organizations incident response team.

Like a firefighter, they spend a good amount of time training and practicing so that instinct comes into play when they have to respond to a fire. It’s the same for your incident response team.

A residual benefit of utilizing NTT proactive services is that the analyst that go in to assess an organization incident response program will most likely be the analyst that will respond if they have a breach, and call in the cavalry for backup. The organization will know the analyst and their capabilities, and the analyst will already be familiar with organizations environment and the staff that will be working with them. This will speed up the response tremendously. And we all know time is money when it comes to breaches.

The third and final options is for organization that have the capability, talent and financial backing to define, build, mature and maintain an effective incident response capability. However, in cases where incident response capabilities are handled by an internal team, I have observed circumstances where special expertise is needed to support advanced response requirements. For instance, many internal incident response teams do not have training in detailed forensic analysis, or reverse-engineering of malware. Some organizations will elect to put a third party incident response service on retainer to assist in those situations.

In my experience, an attack never comes at a convenient time. It will be the Friday afternoon before a holiday weekend when your smartest IT guy is unreachable because he’s enjoying his ten year anniversary with his wife on a luxury cruise liner with minimal to no access to the outside world; or during the change control freeze to ensure production systems stay stability during critical times such as the Christmas shopping season.

Incidents will happen, and if your org is not prepared with a plan and practiced it could be the difference between the organization surviving the incident or shutting the doors.

Our view is that incident response should be looked at as a continuous process rather than a reactive process that can enable an overarching security strategy and is necessary to survive in today’s world.

See Original Post

Reposted from krqe.com

It’s no secret Albuquerque has a crime problem. Now the city is doing something about it, using security cameras as their weapons.

The plan is to combine security cameras from business owners and residents into one large database, allowing law enforcement to keep a better eye on the city.

For some business owners, there’s still some questions about the new initiative.

“I came in on Sunday morning approximately at 10:00 a.m., to discover that my barbecue pit had been missing,” said Daniel Morgan, the owner of Peppers Ole Fashion Barbecue on San Pedro.

In his nine years at that location, he had only experienced minor thefts, until this weekend.

“I just felt very agitated and frustrated,” said Morgan.

Morgan has a security camera, but unfortunately it didn’t catch the criminal.

“Today we are announcing the SCAN system, which stands for Security Camera Analytical Network,” said Mayor Richard J. Berry.

The Mayor’s Office, prosecutors, and law enforcement are joining forces to find a better way to not only deter crime, but catch the bad guys when they do strike.

It allows homeowners and business owners to put their security cameras in the city’s database.

“Use the collective resources of this community and bring people together to try and join and fight crime against this community,” said District Attorney Raul Torrez.

The network will help police be more efficient when working to solve crimes so they don’t have to spend so much time hunting down surveillance video.

It’s an idea that Morgan is willing to participate in, but he still worries about response time. The Albuquerque Police Department has admitted it is overwhelmed.

“If the database is set up with the city and the authorities, when they are contacted they can act. That’s the only benefit in my eyes,” said Morgan.

Mayor Berry says the new system won’t decrease response times, but it will allow the officers to be better informed.

“If you’re tied into the Real Time Crime Center, information that those officers can get potentially on the way to the call,” said Mayor Berry.

The Mayor wants to emphasize for homeowners who are concerned about their privacy, officers will only have access to your home video when a crime is committed and they can’t watch it live.

Business and homeowners who want to register their cameras can do so on the city’s website.

See Original Post

In today’s business environment, emergency response plans are crucial to keeping employees, tenants and visitors safe when and if a dangerous event arises. An essential component of any emergency plan is communication. How you choose to communicate the incident, the severity and response protocols can make a difference.

From workplace violence to weather emergencies, many organizations are implementing incident and mass notification processes. Gone are the days of endless employee call trees. When an emergency strikes, communication must be fast, timely and accurate.

When developing an incident notification plan as part of your overall emergency response approach, you must consider:

• Types of Notifications – The notification process you decide on may depend on your industry, location and business environment. Not all notification tools will be appropriate across the board, as there is not a one-size-fits-all approach. Work with your security provider to assess your environment and provide tailored recommendations.
• Technology – There are numerous technology options, including alarms, intercom systems, text message and email alerts, just to name a few. When evaluating solutions consider ease of use, reliability, scalability, features and functionality.
• Responsibilities – Designate a point person for message or alert deployment. They must be well-trained on your approach, and comfortable with the technology options you choose.
• Integration – Incident notification plans cannot be created in a vacuum, but must actively involve all stakeholders, neighboring businesses and local law enforcement. These plans will only be effective if they are communicated and practiced regularly.

Communicating with a large number of people can be a daunting task, add to that the panic of an emergency situation, and there is a probability that things will go wrong. A well-organized and rehearsed incident notification process is crucial to employee safety and business continuity.

Learn more about the importance of an incident notification plan in the on-demand webinar, “Incident Notification – Fast, Timely, Accurate.”

See Original Post

Quality service providers that strive to exceed client expectations and meet the highest industry standards need to carefully evaluate how to continuously improve and keep pace with changing needs. This is critical in the security industry where needs and priorities evolve rapidly. To be successful, security providers need to recognize and honor this critical priority: understand what is important, commit to excellence and deliver.

To do so requires a carefully developed program designed to gather, measure and implement feedback on a continuous basis. This must be much more than a passing question or the sharing of anecdotal comments. A true listening program creates opportunities for your voice to be heard and is supported by formal processes, measurements and assessments that transform feedback into results.

Ongoing communication and evaluation can take your security program to the next level. Some questions to consider when assessing if your security provider is truly listening to you include:

• Does your security provider utilize a well-known and respected evaluation process?
• Do they ask for feedback in both formal and informal ways?
• Does your security provider act on the feedback provided?
• Is the feedback utilized to improve service and processes?
• Do they conduct regular business reviews?
• Do they measure success using defined criteria?
• Does security management visit your site regularly or as outlined in your contract?

Open conversation and structured check points enable you and the contracted security firm to respond to the changing security landscape quickly. Define when you will meet to assess changing risk situations, and schedule status meetings and business reviews.

At the end of the day, quality security providers want to create opportunities to get beyond the basics and deliver exceptional, value-added solutions. A value-driven approach which ensures that your and your security team’s feedback is actively listened to and acted on is a win-win for everyone.

Use this evaluation guide - Is Your Security Provider Listening to You? - to help gauge if your security provider is taking every opportunity to listen to your concerns and assess your satisfaction.

See Original Post

Active Shooter incidents are statistically rare, but devastating events (low probability-high consequence). They can be the end point of a long progression along the workplace violence continuum and should be integrated into the organization’s overall violence prevention posture.

OSHA historically classifies workplace violence into one of four categories which include:

• Type I: Criminal Intent, wherein the violence is incidental to another crime such as robbery
• Type II: Customer/Client/Patient where the violent person has a relationship with the business such as being a customer or client
• Type III: Worker-on-Worker where the perpetrator of the violence is an employee or past employee of the business attacking current or past employees and
• Type IV: Intimate Partner, where the perpetrator has no relationship with the business but has a personal relationship with the intended victim.

 
I believe, however, that current events suggest there is clearly a fifth type, ideological violence, in which terrorism comes to the workplace. Type V violence is directed at an organization, its people and/or property for ideological, religious or political reasons. Violence perpetrated by extremist environmental, animal rights and other value-driven groups may also fall within this category.

Type V violence may take the form of Hybrid Targeted Violence (HTV) defined as the use of violence, targeting a specific population, using multiple and multifaceted convention and unconventional weapons and tactics. The massacre at the Charlie Hebdo news outlet in Paris, France, is a powerful example of this intersection of terrorism and workplace violence as was the attack at the Armed Forces Recruiting offices in Chattanooga, Tenn.

How do these attacks differ from the more common active shooter incidents? These attacks feature well-trained, tactically competent perpetrators who are willing to die. They include multiple attackers working in small tactical units.

What are the benefits of this expanded typology that identifies Type V? By recognizing that there is an important intersection between workplace violence and terrorism, we understand that extremist-driven violence may be directed at a workplace. This allows for more inclusive training that includes specialized training to understand the warning signs of workplace violence including specific signs of terrorism and the various warning behaviors. The recognition of the role that ideology plays in workplace violence promotes a “force-multiplier” effect with more eyes and ears on the ground monitoring potential threats.

Employers need to align their workplace violence training with their overall emergency preparedness posture. Read more about the evolution of the active shooter.

For more info on active shooters, read the Allied Universal Fire Life Safety Training blog.

See Original Post

At  the outset, our mission was clear: Allied Universal provides unparalleled service, systems and solutions to serve, secure and care for the people and businesses of our communities. We put our relationships with our employees and clients at the heart of everything we
do each and every day.

It has been one year since Allied Universal was formed from the merger of Universal Services of America and AlliedBarton Security Services to face a new security era together.

So on our birthday, Aug. 1, 2017, we thought it fitting to reflect on some of the achievements of the past year and lessons learned. For some insights on the process and how it unfolded, I invite you to read recent Security Management article “The Meaning of a Merger.”

Here are some achievements we’re very proud of:

• We grew another $600 million in revenue within one year by adding new accounts and acquiring five additional companies, making us the unequivocal leader in guarding services throughout all of North America. Our security professionals and our company play a major role in keeping America, parts of Canada and other service areas safe and secure.
• In North America, we serve over half of the fortune 500 companies and nearly every major retail mall in the U.S. From healthcare facilities, commercial office buildings, manufacturing and industrial plants, residential communities, transportation facilities and government services, Allied Universal has a significant security presence.
• Our local teams all across North America managed the integration of 150,000 security professionals, combined locations of both legacy companies, updated the uniforms and rebranded all of the offices and operational material we depend on to perform our jobs and serve our customers daily.
• Our training and development teams did an amazing job integrating the company’s training programs to create a world-class AU Institute that contains a library of training material for both field and office employees.
• We’ve introduced several technological innovations to help improve the security industry in a positive way and offer our clients enhanced solutions for protecting their properties and assets.

We have accomplished so much in such a short time span, and yet, still have more to achieve to become the company we aspire to be in the future—one that is not only the clear leader, but, one that is fast, nimble and is easy to do business with internally and externally. In short, we aim to be the company that is the best place to work for security professionals and service employees in our industry.

That said, we have many initiatives in place for the remainder of this year to help us get to our goal of being that company of the future. Thank you to our employees and clients on whom the success of Allied Universal depends. Congratulations on a fantastic first year. I look forward to all of our future shared success as we continue to grow.

Happy anniversary Allied Universal—here’s to many happy returns!

Steve Jones, CEO
Allied Universal

Reposted from The Army Times

The Army announced Wednesday plans to release a mobile application that would allow soldiers and civilians to rapidly alert first responders during an active shooter incident.

Army Training and Doctrine Command and TRADOC Capability Manager-Mobile (TCM Mobile) announced that a team of civilian employees from the Aviation Center of Excellence, Fort Rucker, Alabama, submitted the winning entry for a competition TRADOC held to develop an active shooter response mobile app.

Once the app is formally ready for release, it will be available in Google Play, the Apple App Store and other online app stores, according to the Army.

"If adrenaline kicks in and they forget what to do in the moment, all of that information is right there in front of them," said Matt MacLaughlin, a civilian employee at TRADOC Senior Mobile Training Development. "It should help everybody respond to that situation in the fastest manner possible."

The winning entry — which has yet to be officially named — allows users to walk through various steps for how to respond to an active shooter situation, and what to do and not do when law enforcement arrives on scene.

"We're going to try to think for you," MacLaughlin said in an Army release. "Because there's situations where you won't have time to think."

In an emergency situation, users can tap open the app and tap another button to reach an emergency dialer to get in touch with law enforcement. There will also be a Spanish translation feature. The Army Provost Marshal’s office is still reviewing final features of the application, according to MacLaughlin.

It is unclear if the app will feature any means of alerting law enforcement without having to speak on the phone. In an active shooter situation, it is sometimes dangerous to make an emergency call when in hiding.

The U.S. Department of Homeland Security’s " Active Shooter: How to Respond" booklet says to remain quiet and silence your phone if the shooter is near. The booklet advises to try and call emergency responders and let dispatchers listen if it is unsafe to talk.

But because vital, timely information can be impossible to relay over the phone in these scenarios, many law enforcement agencies are implementing what are known as Text-to-911 services to allow for texting dispatchers. There are currently more than 1,000 law enforcement agencies nationwide that offer or are implementing Text-to-911 services, according to the Federal Communications Commission. The Army could not immediately confirm whether the app would feature a service similar to texting for communicating with emergency dispatchers.

In addition to instances of on-post shootings, there have been several attacks at military recruiting centers. It is unclear if the app will allow for service members off-post at recruiting centers to use the app to contact local authorities.

While the app has yet to be released, there is significant value in increasing access to first responders for Army personnel in the event of an active shooter. Since 2009, 32 people have been killed in mass shooting attacks on military installations and at recruiting centers, according to The Washington Post. An additional 52 have been wounded.

The Army is rapidly expanding its use of mobile apps as a means of keeping soldiers informed and safe.

"We have people all the time that want to have mobile applications created and they want it … as soon as possible," said Lt. Col. Joe Harris, TRADOC Capability Manager-Mobile. "Now that they have this capability down at the school level … decentralized creation lessens the work on this end to have the mobile application (available for use)."

The new active shooter app follows the development of the "We Care" mobile apps created for sexual harassment and suicide prevention. TCM Mobile has produced about 80 mobile apps for other purposes, according to the Army. These include apps for combat training.

TCM hopes to establish a pipeline of emergency mobile apps, according to MacLaughlin. It also hopes to establish servicewide infrastructure to oversee development and training of mobile apps.

See Original Post

Reposted from CGN.com

Some of the hardest parts of a security professional’s job are identifying which elements in an enterprise infrastructure pose the greatest risk and keeping that infrastructure secure going forward. The underlying constraint in these considerations is how to do this with a less-than-infinite budget.

In many organizations, and certainly for most of government, that comes down to keeping systems up and running when at least some part of that infrastructure depends on legacy systems. Agencies can’t replace all of the aging machines and applications, so where should they invest scarce dollars to boost security, while at the same time making sure they don’t introduce problems that prevent that infrastructure from functioning properly?

That’s what the National Institute of Standards and Technology most recent guidance on risk assessment aims to address. Unlike other cybersecurity guidance NIST has published, however, this document includes a step-by-step process that agencies can use to identify the most critical parts of an infrastructure so they can better choose what to upgrade and where to spend their (usually scarce) dollars.

NIST itself said the new guidance builds on previous publications, such as SP 800-53 Rev. 4, SP 800-160 and SP 800-161, all of which also emphasized picking out critical parts of an infrastructure, but didn’t say how to do that.

The relevant publication, the NIST Cybersecurity Framework -- an answer to the President Barack Obama’s 2013 Executive Order 13636 on “Improving Critical Infrastructure Cybersecurity” -- includes a detailed mechanism that organizations can use to better understand how to managing security risks.

The framework has become a standard document for both public- and private-sector organizations in establishing their approach to cybersecurity. In May, the Trump White House issued an executive order on strengthening federal cybersecurity that effectively made use of the NIST framework government policy.

The new NIST guide described what it calls a “high level criticality analysis process model,” which steps users through the various components needed to get to the end point of a detailed analysis of the criticality levels for all of the programs, systems, subsystems, components and subcomponents needed in a particular enterprise.

This kind of approach will give agencies more certainty in what they buy, and it won’t upset the business logic that supports an agency and its mission. After all, even though cybersecurity has certainly risen in the list of agency priorities, the main question most IT managers ask security product vendors is how any new tool will affect the normal running of current networks and systems.

The authors of NIST's new guidance believe their approach could eliminate the debate over return on investment of security solutions versus the long term resilience of systems. That’s something to be hoped for, but it may be a while before agency bosses shunt aside the well-established ROI for something that’s still so nebulous -- for now, anyway -- as resilience.

The new NIST publication does hint at the need for more active outcomes for all of the guidance -- from NIST and others -- that’s been published over the last few years. The House, for example, recently tried to push measurable metrics onto the NIST Framework through the NIST Cybersecurity Framework, Assessment and Auditing Act of 2017, which was introduced in February.

It would be a real advance if that effort produced actual metrics that could be used because it’s been notoriously hard to do that with any kind of specific security guidance. Each organization has very different needs when it comes to the application of security, so getting a general set of metrics to measure effectiveness may not be possible.

Still, the current draft of the NIST criticality guidance, which is open for comment until Aug. 18, gets halfway there. It at least promises to give users a better idea of what they have and how best to insert new security solutions and systems. That should make for a more certain and more effective acquisition process. And, who knows, it might eventually take its place alongside the NIST Cybersecurity Framework as a solid basis for government cybersecurity efforts.

See Original Post

Reposted from Government Accountability Office 

The Government Accountability Office (GAO) has released a public version of a sensitive report on how federal agencies on the National Mall are addressing physical security risks to icons, museums, and galleries. The report evaluates how the Department of the Interior, the Smithsonian, and the National Gallery assess physical security risks and the extent to which they use goals, measures, and testing to assess their physical security programs. The Interagency Security Committee and GAO have reported that it is necessary to establish goals linked to performance measures to assess progress, which the agencies have not yet done. Ensuring that plans include goals linked to performance measures and timelines for completion could help the agencies prioritize needs and develop a more strategic view of physical security. While the entities have reached out to others to improve their overall programs, they did not focus on testing. GAO recommended that the National Gallery document its risk management decisions and that all three agencies link performance measures with security goals and seek input to improve testing programs. The Department of the Interior, the Smithsonian, and the National Gallery agreed with GAO's recommendations and indicated they will begin addressing them.

Read More