Reposted from Security Info Watch

A Manhattan mile transformed into a killing field yesterday afternoon when a man rented a pickup truck and carried out his jihad. “Rent me starting at $19” read the sign on the grotesquely bent truck, a painful testament to the disproportionate economies-of-scale of asymmetric warfare. In the city where law enforcement, intelligence, and anti-terrorism capabilities have been constant since 9/11, bent bicycle frames littered the streets like post-carnival decorations. Eight innocents died before the pickup hit a school bus and came to a halt.

Reporters and anchors are asking, “what could law enforcement have done to prevent this attack?” The important thing to know is that law enforcement and intelligence personnel have been and continue to do everything they reasonably can within their scope of authority. This attack was not due to any failure on their part.

The three required elements of a crime in U.S. law are motive, means, and opportunity. The motive is wide-ranging but for consideration herein, we assume that motivation exists and is sufficient to embolden a deadly-force attack on others. Law enforcement and intelligence efforts (combined with coordinated preventative/defensive security measures) have ramped-up nationwide since 9/11, to the point that meansand opportunity requirements for significant terrorism exceed the capabilities of most adversary groups. While no locations can be secured against all threats; protective money, time and effort have been allocated in a prioritized, methodical, and deliberate manner nationwide. 

Tuesday’s attack is an unfortunate but poignant side-effect of responsible government resource prioritization; increasing means requirements and reducing opportunity at larger targets has shifted the available target opportunities to softer, smaller targets like the Manhattan bicycle path. As larger targets were hardened, smaller and “softer” targets became more attractive to adversaries.

This attack was enabled by minimal means requirements; a common vehicle with everyday operational skills was all that was needed. Minimal complexity, planning, logistics, communications, timing, secrecy, or funding thresholds stood in the way of success. Even a police traffic-stop 100 feet from the attack starting point would have been almost irrelevant. As the perpetrator was unassuming and law-abiding up to the moment of attack, police and intelligence personnel did everything in advance that could be asked of them.

The real chance to increase public safety in this and in many similar soft-target scenarios lies with the security designer and civil engineer. Engineering and traffic controls combined with architectural and security elements will reduce opportunity and increase means requirements. These classic force protection principles are neither cost-free nor 100 percent effective but are wisely employed in a distributed fashion providing reasonable protection at a reasonable cost. When optimized for each municipality (or town, park or business), they will increase security and safety while limiting cost and potential liability.

Urban planning and public safety concerns are converging; hardening critical infrastructure has left smaller, softer targets (including pedestrian and bicycle paths) as low-hanging fruit for opportunistic perpetrators. Terrorist organizations have actively spread these targeting suggestions to their followers, and the threat will persist for the foreseeable future. 

This iteration of public security enhancement is in the hands of the planners, designers, architects, engineers, and law enforcement liaison personnel. Soft targets need not remain vulnerable, nor do they have to be transformed into unusable, unwelcoming space in order to provide safety. 

See Original Post                                                                                                

Reposted from SHRM.org

Even the best workplace security plan is ineffective if no one knows about it. That doesn't mean employers need to walk their staff through a security plan in detail. Rather, it means they should make sure that employees are trained on their roles in the plan and that they understand what to do in an emergency.

All employers should have their employees watch the FBI's video "Run. Hide. Fight." This video details what the FBI now recommends when a shooter enters the workplace. The video instructs employees to try to get away if they can.

If they can't escape, they should hide and use barriers to prevent the shooter from getting to them. As a last resort, they may have to fight the shooter.

It's a powerful and alarming video, but it's a great way to get employees thinking about how to react in a nightmare scenario.

After I watched the video for the first time, I decided to figure out where I would go should there be an emergency at my workplace. I recommend that employers train their workers how to evacuate the building after watching the video. Businesses also need a contingency plan for employees with disabilities who have difficulty using stairs.

[SHRM members-only toolkit: Developing Effective Safety Management Programs]

Have a Written Plan

If employers don't have strong written policies prohibiting threatening behavior and weapons in the workplace, they are vulnerable.

Workers need to have confidence that their reports will be taken seriously, that their identities won't be divulged unnecessarily and that leaders will take appropriate action, even if workers don't always hear what that action is.

So if employees lack confidence in their manager to handle a threatening situation or to report such incidents, employers may want to appoint a more senior person or an HR representative to field concerns.

Further, employers might want to set up a hotline where employees can anonymously report concerns. Whatever method they choose, businesses must make sure that employees understand that they must respond immediately and diligently if they perceive a threat.

Employers must make sure that the plan is disseminated to all workers through multiple means, including printing the plan in the employee handbook, posting it on workplace bulletin boards and giving it to employees on a card they can carry in their wallets.

Explain Employee Resources

If an employer contracts with an outside hotline service, it should make sure employees understand that the service is provided by a third party, that it is anonymous and that there will be no retaliation against employees who report to the hotline. Employees should know where to find the hotline number and should be told that the company's senior managers have sanctioned the hotline or other reporting method.

It's a good idea during training to review scenarios that employees might want to report and to explain that they should err on the side of over-reporting.

Finally, I recommend additional training for managers, particularly with regard to employee terminations. Firing an employee can be an emotionally charged experience, and managers need to know how to handle terminations to reduce the risk of violence.

Such training can also explore how to handle firings in a way that reduces the risk of an employment lawsuit. 

See Orginial Post

Reposted from Fifth Domain

Some 25 percent of emails claiming to be from the federal government are either unauthenticated or malicious, according to a new report from cybersecurity firm Agari.

In the report, Agari notes federal agencies will continue to suffer from excessive malicious emails without the usage of proper Domain-based Message Authentication (DMARC) monitoring policies. The company concluded that 90 percent of the 400 federal domains are vulnerable to these types of threats.

Agari believes that this is because 82 percent of federal domains do not use DMARC email authentication standards. This factor increasingly leaves constituents vulnerable to phishing and general email-based cyberattacks that can involve the theft of passwords, installation of ransomware, or the conning of users to send money.

DMARC is an email authentication system that discovers and potentially rejects unauthorized emails that appear from organization controlled domains before reaching the intended recipients. The U.S. Department of Homeland Security issued a binding operational directive this week that ordered DMARC usage as a part of a greater mandate to increase federal agency email and web security.

Agari showcases how even the few federal domains that do have DMARC programs are still vulnerable to virulent email activity, as they do not have a strict “reject” policy.

About 9.3 percent of federal DMARC domains have policies that only “monitor” authentication abuses and not block them. Furthermore, less than 1 percent of DMARC domains have a “quarantine” (spam folder) policy, and only 8.9 percent have the “reject” policy. Agari emphasizes how DMARC cannot be effectively used in a federal domain without having “quarantine” or “reject” policies.

Agari ultimately finds that many organizations have difficulty transitioning from the first stage of DMARC, i.e the “monitor policy,” to the “quarantine” and “reject” policies. This is because large organizations must identify who is sending emails on their behalf, and then authenticate said emails before their policy is changed. Agari seems to suggest that this process can be arduous for one organization alone, as they subsequently offer their analytics and workflow services to better help organizations transition to DMARC “reject” policies. 

See Original Post

Reposted from IFSEC Global

Marking the one-year anniversary of a fire that destroyed the UK’s oldest hotel – the Royal Clarence Hotel – the FRS is emphasizing the importance of conducting regular fire-risk assessments.

(In the wake of the Royal Clarence Hotel blaze, fire safety consultant Alan Cox posed a series of questions that need answering if lessons are to be learned.)

Built with long-abandoned methods and materials, heritage architecture poses unique challenges and risks in the built landscape when it comes to fire engineering.

Things become more complicated still as structures are reinforced and adapted for modern use over time.

Priceless architecture

And the cost of damage caused by fires extends beyond financial costs to the loss of priceless architecture and artefacts of enormous cultural import.

“Older buildings have unique features such as hidden voids and cavities supported by dry timber construction,” said Paul Bray, community safety protection manager at Devon & Somerset FRS. “Fire can easily travel undetected within these voids.

“The challenges of fighting a fire in a terrace of ‘heritage’ or buildings of substantial age are substantial. The fact that the fire is hidden also makes it almost impossible to tackle internally and externally without a major dismantling of the building fabric.

“Heritage is all that has been passed to us by previous generations. The term has become synonymous with the places, objects, knowledge and skills we inherit that are valued for reasons beyond their mere utility.” Historic England

While responsible persons are limited in what they can do to protect buildings that were built with little consideration for fire safety, there are still measures they can take to reduce the risk and impact of fire, suggests Bray.

“Even with the most attentive fire prevention and protection measures (such as fire alarms and fire separation), it cannot always be guaranteed that a fire will be contained and prevented from causing destruction. It can be significantly reduced through by the development of a comprehensive pre-survey of the impact on surrounding buildings during the construction phase.

“We therefore advise that a full set of records, drawings, photos and other information is stored and is made available to us for use in any heritage building in the event of a fire. This would contribute to forming the basis of how the service will deal with each building in the event of a fire.”

Devon & Somerset FRS notes that there is no standardized format for recording or presenting the findings of a fire risk assessment. However, those responsible for protecting heritage buildings should always produce and regularly review clear and comprehensive documentation. Once the risks are identified and assessed, they can then set out to reduce them.

Fire risks in heritage buildings

Devon & Somerset FRS has set out the following risks to consider relating to heritage buildings:

• Sources of ignition and fuel
• Potential for fire to spread through the building
• Adequacy of the fire alarm system
• Means of access and escape
• In rural areas: Water supplies and access for fire appliances
• Any valuable contents you wish to prioritise

Sometimes seen as disruptive to the building’s original fabric, protective measures taken are not always welcomed in the heritage sector, admits Devon & Somerset FRS. Physical installation of systems can also be seen as challenging.

However, you can take suitable protective measures that are sympathetic to the building’s historic fabric of the building.

The fire safety management plan should incorporate a business continuity plan, Devon & Somerset FRS advises. Should a fire occur, restoration work can then proceed promptly.

Being prepared for the worst-case scenario will vastly improve your chances of recovering quicker recovery rate.

Devon & Somerset FRS offers further guidance on heritage buildings here. 

See Original Post

Reposted from NSCC November 15, 2017 e-newsletter

The October 15, 2017 Collections Caretaker Newsletter had an item titled Museum Boards -- Leadership Wish List. It echoed many of the issues explored in my PhD research on museum leadership (1994-98) published as Leading With Passion: Change Management in the 21st Century Museum(2004 - Alta Mira Press).

Chapter 5 in Leading With Passion focuses specifically on trust and the director-trustee leadership interface. It's a fraught interface. Two levels cooperating, colliding, and colluding. It's important to nurture relationships of trust. Accept there will always be conflict, especially during periods of change. There will also be predictable role confusion - who does what, when, and where. Effective conflict resolution skills and practicing principles of restorative justice can help repair damaged relationships. Clarify governance. What does this actually mean? What does it look like when it is working well? Sort out who does what re: policy development, financial planning, and legal responsibility so there are no surprises described in the press.

Finally, get a handle on succession planning for both levels of leadership-- museum directors and trustees. I had a meeting in September 2017 with a mentor from the Emerging Leaders Program funded by the Australia Council for the Arts. The mentor shared issues from the 2017 program compared to issues identified in my research for Leading with Passion (1998 - 2002). There is still a shallow pool of potential leaders for both museum director and trustee roles. Twenty years ago, I offered advice that every director and trustee needs to mentor at least six (6) people to 'take their place' over the next ten years. Whether these people applied for and landed the jobs was not the point. This is what the Australia Council for the Arts has to say about their program: [1]

Over the years Australia Council programs such as the Emerging Leaders Development Program (ELDP) have made a positive impact on the sector and individual careers. As with many capacity building investments, the full extent of the impact of these programs will be realized over the long term. The Australia Council is now working in a different funding environment and has reinforced commitment to supporting the sustainability and capacity of the sector. To ensure our investment is focused, a new strategic approach has been adopted to deliver leadership development. In 2015, the Australia Council completed detailed needs analysis by consulting with various arts leaders including alumni from existing programs. These arts leaders identified the need for a bespoke program to develop their leadership capabilities. We are continuing from an existing base of capacity building programs and will draw on the expertise as well as address the needs of past alumni in future program developments. Participants of the program will have access to a wide variety of internal subject experts with deep sector knowledge and expertise.

Twenty years ago, we needed to create a pool of potential leaders for director and trustee roles. It is a perennial challenge!

Born in the USA and resident in Australia, Dr. Sherene Suchy is a member of the Australian Association of Social Work and the International Council of Museums. She completed her PhD on the museum director's leadership role and change management. Publications include books such as Leading With Passion (2004) andKeepsake: Memoir on the Museum of You & Estate Planning (2016) as contributions to museum management. 

Reposted from WBFO.org

Authorities say Daniel Witek, 54, was a volunteer at the museum in the spring of 2013, when he stole historical writings addressed to Anson Conger Goodyear. Witek then offered to sell the stolen documents to autograph dealers in New York City and New Jersey.

Born in Buffalo, Goodyear was a businessman, military officer, postwar European relief executive and humanitarian, author, founder of the Museum of Modern Art and collector of modern paintings, rare books and historical manuscripts. The Goodyear family in America is traced back to Stephen Goodyear, a founder of New Haven, CT and deputy governor of Connecticut from 1643 to 1658.

His historical documents include family correspondence, diary and scrapbooks, speeches and writings, business papers and military-related correspondence.

Witek was convicted of mail fraud, sentenced to six months time served and ordered to pay $2,100 in restitution.

See Original Post

Reposted from UNESCO.org

Recognizing the importance of protecting cultural heritage from attack in times of conflict, Irina Bokova, Director-General of UNESCO, and Fatou Bensouda, Prosecutor of the International Criminal Court (ICC), today signed a Letter of Intent formalizing and further enhancing their collaboration.

The signing of the Letter of Intent took place in the margins of an international high-level panel on “Responding to Cultural Cleansing, Preventing Violent Extremism” at UNESCO Headquarters, in which both Ms Bokova and Prosecutor Bensouda participated.

“The deliberate destruction of cultural heritage not only affects peoples’ historical identity but fuels sectarian violence and hampers post-conflict recovery and peacebuilding. UNESCO and the ICC must strengthen their cooperation for the protection of cultural property in armed conflicts, as this is a humanitarian and security imperative”, said Ms Bokova.

Praising UNESCO for its crucial work, Prosecutor Bensouda emphasized that more can be done, adding that “an effective strategy to address the destruction of cultural heritage requires a multi-faceted and collaborative approach.  UNESCO is a natural partner for my Office and, the ICC more broadly, in confronting the scourge of attacks against cultural heritage within the Rome Statute framework. This Letter of Intent is a recognition of that important relationship and paves the way for continued cooperation.” She added: “cultural heritage is the embodiment of the continuity of the human story, a celebration of our commonality and the richness of our diversity.  We all have a duty to protect cultural heritage. With close collaboration with UNESCO, we hope to make a difference.”

The recent historic ruling of the ICC in the case of the destruction of shrines and mausoleums in Timbuktu (Mali), the first of its kind before the Court, sent a clear signal that intentional targeting of cultural heritage is a serious crime that causes significant suffering to those immediately affected and beyond, and should not go unpunished. The Court subsequently issued a Reparation Order, establishing that the victims of such crimes were entitled to compensation.

The importance of prosecuting those responsible for war crimes against cultural heritage was echoed in the ground-breaking UN Security Council Resolution 2347, adopted in March 2017, the first ever to condemn the unlawful destruction of cultural heritage.  These unprecedented developments have led over the past years to frequent exchanges and collaboration between UNESCO and the ICC Office of the Prosecutor, based on the convergence of aims within their respective independent mandates.

As attacks against culture have regrettably become more frequent, the need for a stronger and more articulated framework of cooperation has become apparent. In addition to expertise UNESCO has provided in the context of the Al Mahdi case, cooperation has also been at the non-operational level, for example through participation in the ICC Office of the Prosecutor’s new policy initiative on cultural heritage, which is scheduled for finalization and adoption in 2018.  The Letter of Intent signed today builds on these efforts, further solidifying the existing relationship, with a view to establishing a comprehensive cooperation agreement in the near future.

 See Original Post

Reposted from The Local

A former employee of a Stockholm museum has been charged with theft after he admitted stealing the museum's exhibits.

The man, who worked at the Royal Coin Cabinet in the capital's old town, said he stole coins from the museum's vault and smuggled them out in his pockets before selling them to a coin dealer. 

He has been charged with stealing objects from both the Royal Coin Cabinet and Gothenburg City Museum, receiving a total of 1.2 million kronor in payment. At the trial, which began on Monday, he admitted stealing 42 items and said the money had gone on holidays and clothes as well as other items.

“I stole things that I thought were good. Valuable, sought after. Sometimes I took several things at the same time,” the museum employee said in the trial, according to SVT.

The coin dealer who bought the items is also suspected of receiving stolen goods.

See Original Post

The security insight you need…right at your fingertips! Here is your monthly recap of Allied Universal blog posts. Don’t wait for this email. Receive your industry updates as soon as they are available! Subscribe here.

Staying Prepared All Year Long 

By Katy Samaha

The theme for the 2017 National Preparedness Month, observed in September, was “Disasters Don’t Plan Ahead. You Can.” Though the official observance has passed, it shouldn’t deter businesses from adopting plans to be prepared all year long. Whether natural or man-made, emergencies can wreak havoc and result in loss of lives and property. However, not all emergencies become disasters—the difference is in how effectively people respond. For security professionals, emergency preparedness training is critical for high profile events and localized situations including civil disturbances, medical emergencies, hazardous material release and power failures.

Extending Your Options and Quality of Work through Collaboration 

By Jonathan Kassa

Safety and security on a college or university campus is critical. The right blend of resources can create a dynamic security program that helps campus community members feel safer, deter crime, improve safety awareness and control costs. The Clery Center video, Part of the Fabric, describes the role of campus security professionals as integral stakeholders in a comprehensive campus community-based public safety model. It’s one of a suite of free 5-10 minute videos with accompanying companion guides that assist institutions of higher education to deliver consistent, pertinent training for their public safety and security professionals.

Featured Blog Topics ...

Managing Tabletop Exercises for Improved Preparedness 

By Paul Caruso 
You have real opportunities to improve your organization’s readiness to manage a crisis. Developing emergency preparedness plans is critical, but a challenge arises when the planning efforts end with the plan creation. While it is better to have a plan than to be completely unprepared, a constant state of readiness is only possible if the plan is challenged and practiced. Tabletop drills are an excellent way to practice, evaluate – and ultimately, improve – an emergency preparedness plan.

Risk and Resilience in the Security Sector 

By Ty Richmond 
What’s the worst that can happen if your company has no enterprise security risk management plan? Organizations are exposed to a wide range of evolving threats that can create a multitude of security risks. A company without a comprehensive risk management plan could face serious repercussions ranging from a supply chain breakdown of a product line, reputational damage, revenue loss, market credibility and shareholder devaluation. The protection of the enterprise is vital to the viability and survivability of your company. 

William J. Powers, III, CPP, CIPM II, CIPI
IFCPP Advisory Board Member & Sergeant at Arms

​​​​​William J. Powers, III, CPP is director of facilities at the Clark Art Institute in Williamstown, Massachusetts. The Clark’s 140-acre campus includes five buildings that house museum galleries, an art history library, an auditorium, research facilities, a sophisticated physical plant, and offices. The campus also has an expansive landscape, including a reflecting pool, woodland meadows, and walking trails. The Clark’s permanent collection includes American and European art amassed during the first half of the 20th century by Francine and Sterling Clark.

To secure this eclectic campus, Powers oversees 12 full-tim​​e employees and a 60-person contract security staff. In his 22 years at the Clark, Powers has seen much growth in the institute’s programs and facilities, including a recent $170 million expansion and renovation. “I worked very closely with the security consultant on product selection,” says Powers. “I am proud to say that the installation and implementation of the choices were seamless.” The result, he adds, is a system that is a model for other institutions.

Powers’ biggest challenge is responding to HVAC alarms. “The museum requires very stable climate control 365 days a year,” he says. “I have found that if you follow acknowledged best practices you can have peace of mind.” He credits his affiliation with ASIS International for giving him access to the latest best practices, as well as subject matter experts.

Two achievements helped Powers reach his current status. The first was completing his master’s degree. At the time, Powers was supporting two children in college, and attaining that degree seemed impossible. But he applied for and was selected as a recipient of an ASIS/University of Phoenix scholarship. The second was when Powers received his Certified Protection Professional© (CPP) certification. “These two events really lifted my confidence and proved that I was a true professional,” he says.

Powers was an ASIS volunteer leader for many years before pursuing the CPP, and knew peers who had their CPPs. As past chair of the ASIS Cultural Properties Council and current member of the Awards Committee, “I wanted to be recognized that I am in those positions for a reason.” Studying for the CPP also pushed Powers to review guidelines and best practices that he otherwise might have overlooked. In his position, he must understand all facets of security—physical, electronic, and cyber. By earning his CPP, he says, “I confirmed my competence in all aspects of security management,” he adds.

Powers never expected to be in his current position. A trained auto mechanic, his first job was in the facilities department of a museum. He eventually became director of facilities at that institution, which included oversight of security.

Today, Powers mentors young professionals coming into the field, reminding them that private security can provide a career path that is personally and financially rewarding if they work towards professional certifications. To that end, Powers advises taking a CPP review course and investing time in studying for the test. The payoff, for Powers, is obvious: “I am now a more effective, well-rounded security professional.”

Reposted from ASIS 

See Original Post