Reposted from CSOonline.com

Responding to a cyber security incident has its own unique objectives and requires its own recovery plan.

Many enterprises blend their disaster recovery and security recovery plans into a single, neat, easy-to-sip package. But does this approach make sense?

Not really, say a variety of disaster and security recovery experts, including Marko Bourne, who leads Booz Allen’s emergency management, disaster assistance and mission assurance practice. "Security and disaster plans are related, but not always the same thing," he observes.

The objectives in disaster recovery and security recovery plans are inherently different and, at times, conflicting, explains Inigo Merino, former senior vice president of Deutsche Bank’s corporate security and business continuity unit and currently CEO of cyber threat detection firm Cienaga Systems. "The most obvious difference is that disaster recovery is about business continuity, whereas information security is about information asset protection," he notes. "The less evident aspect is that security incident response often requires detailed root cause analysis, evidence collection, preservation and a coordinated and--often--stealthy response."

Such operations usually have to be handled very delicately. "On the other hand, [business continuity plans] are by nature very public events, requiring all hands on deck, large scale communications with the objective of rapid, tactical business resumption," says Merino.

For disaster recovery plans, you almost focus on data quality first and then business processing second," says Scott Carlson, a technical fellow at BeyondTrust, an identity management and vulnerability management products developer. "For security, you rely on capability of protective control with less regard for whether or not you lost past data-- it's much more important to 'protect forward' in a security plan."

Similar, yet different

Many enterprises combine their disaster and security strategies as a matter of convenience, lured by the plans' apparent superficial similarities. "At a high-level, disaster recovery and security plans both do similar activities," says Stieven Weidner, a senior manager with management consulting firm Navigate. "Initially, both plans will have procedures to minimize the impact of an event, followed closely by procedures to recover from the event and, finally, procedures to test and return to production," he notes. Both types of plans also generally include a "lessons learned" process to minimize the possibility of a similar event occurring again.

Yet scratching the surface reveals that disaster and security recovery plans are actually fundamentally different. "[Disaster] recovery plans are focused on recovering IT operations, whereas security plans are focused on preventing or limiting IT interruptions and maintaining IT operations," Weidner notes.

A security recovery plan is designed to stop, learn, and then correct the incident. "A disaster recovery plan may follow similar steps, but nomenclature would not likely use 'detection' to describe a fire or flood event, nor would there be much in the way of analytics," says Peter Fortunato, a manager in the risk and business advisory practice at New England-based accounting firm Baker Newman Noyes."Further, not many disasters require the collection of evidence."

Another risk in merging plans is the possibility of gaining unwanted public attention. "For instance, invoking a disaster recovery plan often requires large-scale notifications going out to key stakeholders," Merino says. "However, this is the last thing you want during an issue requiring investigation, such as a suspected [network] breach, because of the need to collect and preserve the integrity of highly volatile electronic evidence."

Stitching together complex security and disaster recovery rules and procedures can also result in the creation of a needlessly bulky, ambiguous and sometimes contradictory document. "If you try to combine processes and resources into a single plan, it can muddy the waters, oversimplifying or overcomplicating the process," states Dan Didier, vice president of services for GreyCastle Security, a cybersecurity services provider. While some disaster and security recovery processes may be similar, such as ranking an incident's overall impact, other processes are not as easy to combine. "In addition, you are likely to have different resources involved, so training and testing is complicated, as are updates to the plan after the fact," Didier explains.

Fires, storms, blackouts and other physical events are all unpredictable, yet their nature is generally well understood. Security threats, on the other hand, are both unpredictable and, given the rapidly advancing nature of cyber criminality, not generally well understood, either. This means that security recovery strategies must be revisited and updated more frequently than their disaster recovery counterparts,

A security recovery plan is undoubtedly more difficult to keep up-to-date than a disaster recovery plan, says Anthony McFarland, a privacy and data security attorney in the Nashville office of the law firm Bass, Berry and Sims. "New external cyber threats arise weekly," he notes. The list of man-made or natural disasters that could threaten a business, however, is relatively static. "Even when a business expands geographically, the number of new anticipatable disasters is limited, McFarland says.

Response to a disaster must be immediate, yet response to a cyber-event must be even quicker. "This response reality is amplified because a company may have forewarning of a pending disaster, like a tornado, flood or earthquake, but no advance notice of a targeted cyberattack," McFarland says.

"The nature of the threats within security recovery plans are more dynamic than within disaster recovery, and therefore require continual review and update," says Mark Testoni, president and CEO of SAP National Security Services.  "For example, recent ransomware attacks, such as WannaCry, are incredibly destructive and require security recovery plans to examine how to effectively respond to new threats and risks."

The discovery process is the most important aspect of both security and disaster planning, Bourne says. "Plans must be adaptable and key leaders must understand what the plans are trying to achieve in order to ensure maximum success," he adds.

Making it a team effort

While most experts advocate creating and maintaining separate disaster and security recovery plans, they also note that both strategies must be periodically examined for potential gaps and conflicts. "The best course of action to have the plans complement one another is to make sure that you have the same team working through both of them," says Steve Rubin, a partner at the Long Island, N.Y., law firm Moritt Hock & Hamroff, and co-chair of its cybersecurity practice group. "Not only will they will be stronger and complement one another, but will also be more effective and resilient in the long run."

Weidner notes that it's okay, however, to have separate teams in charge of security and disaster plans as long as they regularly coordinate their strategies and goals with each other. "Each team, whether supporting security or IT recovery, needs to manage their own specific plan requirements," Weidner says. "However, oversight and governance should be centralized to guarantee events will be supported using the same methodology, such as communications to executive teams, company stakeholders and customers."

Whether planning is handled by one or two teams, the right people need to be brought onboard, Didier says. "Senior management plays a critical role and must oversee the operation," he says.

"The CIO, CISO and network administrators will be integral members of both teams," McFarland observes. However, many disaster recovery team members will have no, or only limited, involvement in the work of the security group, and vice-versa. "For example," McFarland notes, "facilities managers are critical members of a disaster recovery team, but typically not needed in the [security] group unless there was a physical loss or theft of tangible/hardcopy data from an office."

Operations and security teams should review each other’s plans in a controlled and constructive manner to determine how they can be leveraged in support of each other, suggestsMorey Haber, vice president of technology at BeyondTrust. "These policies should not be developed on islands and if possible be tested together," he says. "This helps address extreme edge cases while maintaining separation of duty requirements and building team synergies."

Lessons learned

As enterprises learn what works and what doesn’t work in both security and disaster recovery planning, a growing number now realize that security recovery is not disaster recovery and that each has very different needs. "As organizations mature, they learn that the purpose of security incident response is much more nuanced than merely a restoration of business and that many of the functions typically invoked in disaster recovery for business continuity purposes are either not applicable to cyber security events, or in some cases, harmful to security incident response and forensics," Merino says.

"The key to having successful security and disaster recovery plans is to document, manage, test plans and and develop a common governance, communication and escalation methodology," Weidner says. "This unified approach will minimize confusion and decrease the time to recover from events."

See Original Post

Reposted from artnews.com

Friday morning August 25, as Hurricane Harvey approached the Gulf Coast of Texas, museums in the region closed, saying they would keep their doors closed for the weekend. Harvey, which hit the state as a Category 4 hurricane, was downgraded to a tropical storm but has battered the area since, with rain falling in unprecedented volumes and rampant flooding as a result. The crisis is expected to continue for a long time to come in small towns throughout Texas and in Houston, the fourth-largest city in the United States.

Among the institutions that closed early or completely before the arrival of the storm were the Museum of Fine Arts Houston, the Contemporary Arts Museum Houston, the Galveston Arts Center, the Menil Collection in Houston, the Blaffer Art Museum at the University of Houston, the Art Museum of Southeast Texas in Beaumont, and the Museum of South Texas in Corpus Christi, which is near where Harvey made landfall on Friday evening.

A bit farther back from the coast, other institutions closed for the weekend included the Blanton Museum of Art at the University of Texas at Austin, the Contemporary Austin, and the San Antonio Museum of Art. The Houston Press compiled a list of arts events that were canceled or postponed.

Updates:

– Sunday, August 27, 4 p.m.: A spokesperson for the Menil Collection told ARTnews this afternoon that museum officials have been monitoring the situation closely. “We have done preventative sandbagging at buildings that require it,” the spokesperson said by email. “At this time, and thankfully, our buildings have not been impacted by the storm. Our director, conservation, and registration departments, which includes art handling services, are receiving regular updates about building status.” The museum is closed to staff on Monday. It is always closed to the public on Mondays and Tuesdays.

– Monday, August 28, 12:15 a.m.: The Galveston Arts Center, which rescheduled openings for its latest exhibitions from Saturday to September 9, was “doing very well under the current circumstances,” its curator, Dennis Nance, said in an email Sunday afternoon. When Hurricane Ike hit Galveston Island in 2008, the building GAC calls home on Strand Street suffered damage in excess of $1 million, and artwork totaling more than $100,000 was lost. The institution returned to the building in 2015. “Based on the organization’s experience with Ike, we’ve made necessary preparations to secure all artwork and the building,” Nance said. “We’ve deinstalled and secured all work in our second-floor vault and galleries. As of today, the building has not taken on flood water or lost power. There was minimal flooding of the streets on and around the Strand.”

– Monday, August 28, 12:35 p.m.: The Rockport Center for the Arts, which is located near Corpus Christi, south of Houston, has suffered damage, according to its executive director, Luis Purón. “From images I have been provided and third party accounts, it appears the building has sustained serious external damage,” Purón said in a post on Facebook. “One image demonstrates that the front porch is completely gone and a roof structure in the front of the building is exposed and thus compromised. It is entirely possible that additional damage to the roof exists, yet only an onsite inspection will reveal that.” The director added later in the post, “It remains unclear if all the sculptures in the Sculpture Garden collection survived the 130 miles-per-hour winds of Harvey’s Category 4 direct impact to Rockport. We won’t know about internal damage until we are able to re-enter and inspect the building. The timeline for that is uncertain.” Purón said the museum was boarded on Thursday and “the time to prepare for this evacuation was minimal, as information regarding the strength of the storm changed.” All of the institution’s staff members are safe.

– Monday, August 28, 2 p.m.: A spokesperson for the Museum of Fine Arts in Houston said in an email that “thanks to the advance preparations of our Hurricane Planning Group—from sandbagging and floodgates to emergency pumps—the storm’s impact has been greatly mitigated so far. Our on-site staff are all safe, and our collections have not had any damage. We had some isolated leaks on the main campus.” At the Bayou Bend Gardens, which are part of the MFAH and located a few miles away, “outbuildings and basement were flooded but that water has receded,” the spokesperson added. “The house and its collections remain secure.”

– Monday, August 28, 2:10 p.m.: The situation at the Menil Collection remains the same after a tense night in the city surrounding it. “No impact on our buildings,” a spokesperson wrote. “Our 24/7 maintenance and security monitoring continues. At this time, the museum and its administrative offices will remain closed to the public and staff through Wednesday, August 30. We will continue to monitor closely and update regarding closures as needed.”

– Monday, August 28, 3:55 p.m.: Bad fortune has so far spared the campus of Rice University, which plays home to the new Moody Center for the Arts as well as large outdoor artworks by James Turrell and Michael Heizer. “We are deeply concerned for our fellow Houstonians, but are meanwhile fortunate that the Moody is faring well,” a spokesperson for the center wrote. “Our building was constructed to withstand storms, and its location on campus is elevated to prevent flooding. We have no immediate information on the Turrell and Heizer installations but hope to get word about them before long.”

— Monday, August 28, 4:30 p.m.: Project Row Houses, a community-based nonprofit in Houston’s Third Ward, has been largely unaffected by the storm. “In the Third Ward, we have no standing water because we don’t have any bayous near us to overflow into our neighborhood,” Rick Lowe, the founding director of the organization, wrote. “Plus, Highway 288 dips in our area and acts as the reservoir for us, and it is holding steady only half full. I’ve spent most of the day driving between Third Ward, Fifth Ward, and Montrose buying and delivering groceries to those who can’t get out.”

— Tuesday, August 29, 1:10 p.m.: The Menil Collection was not affected by a deluge of rain that continued last night and into the day. “[Director] Rebecca Rabinow reported that the buildings are in great shape following her morning walk through,” a spokesperson said. “We are so grateful for that news and for our security and maintenance staff who will continue monitoring. No decisions yet about reopening. We are checking in with our staff to get updates about the storm’s impact on them. We hope that all are safe and sound.”

– Tuesday, August 29, 1:45 p.m.: Like many institutions throughout the Houston area and the surrounding region today, the Museum of Fine Arts and the Contemporary Arts Museum in Houston are closed because of the storm. A spokesperson for CAMH shared a statement with press that read in part, “Our thoughts are with those who have been impacted by Harvey and our fellow Houstonians during the ongoing storm. We are thankful to our crew who prepared CAMH for the storm and who continue to monitor the museum. We will keep you updated with closures and changes to programming via social media.”

– Tuesday, August 29, 2:30 p.m.: In a statement issued on August 29, the National Endowment for the Arts said it would work with arts institutions to help them rebuild. “We are coordinating with the Texas Commission on the Arts and the Division of the Arts in the Louisiana Office of Cultural Development to assess the situation and those arts organizations hardest hit by Hurricane Harvey,” the NEA’s chairman, Jane Chu, said in a statement. “As the current situation stabilizes, the National Endowment for the Arts is prepared to direct additional funds to these state arts agencies for re-granting to affected organizations, as we have done in the past.”

— Wednesday, August 30, 2:10 p.m.: Numerous Houston-area arts institutions remained closed today as officials worked to ascertain the extent of the damage throughout the region. Glasstire, a blog about the arts in Texas, has created a list of emergency resources for artists.

— Wednesday, August 30, 4:05 p.m.: The National Endowment for the Humanities announced plans to grant $1 million to libraries, arts institutions, and colleges and universities affected by the hurricane. Texas and Louisiana’s state humanities councils will receive $250,000, and the Texas Cultural Emergency Response Alliance and the Heritage Emergency National Task Force will also get money from the NEH as they continue to assess damage resulting from the storm. Cultural institutions in FEMA-designated disaster areas can also apply for emergency grants for up to $30,000.

— Wednesday, August 30, 4:15 p.m.: The Menil Collection will reopen to employees who are able to travel on Thursday and then to the public for the resumption of its regular hours on Friday at 11 a.m.

See Original Post

Reposted from Norway Today

Wednesday afternoon it was clear that at least 245 items from the Iron Age and Viking Era was stolen during a break at the weekend, according to NRK. Thieves has climbed scaffolding on the outside of the building and shattered a pane on the seventh floor to get into the museum premises.

The alarm went of twice, but the security guards who were at work did not notice anything suspicious.

The museum is working full blast to get an overview of the scale, but believes the number of stolen objects may increase to 300 when the museum expects to have a reasonably safe estimate next week.

Significant number

– It is a significant number. This is not a burglary where someone has come in and been in a rush. We are becoming increasingly despaired as the list of stolen objects grows longer, says Head of Department, Henrik von Achen, to NTB.

On the newly created Facebook page Theft at the Historical Museum – the Viking Treasure, the museum has published a series of pictures of the 2,000 year old artifacts, asking people to share the photo series and keep their eyes open when they go online.

Reconstructs the burglary

– Look for our cultural heritage on Finn, eBay and other markets, the museum writes, despite the assumed low monetary value, believes the items will be attemted sold online.

– We are now trying to reconstruct exactly what happened, but it takes time to clarify this. The most important thing for us now is first and foremost to get an overview of what’s stolen and if possible to get the items back, says von Achen.

See Original Post

Reposted from securityinfowatch.com

One of the most critical elements in any disaster planning and preparedness program is the use of an effective mass notification system to alert all staff, students, visitors, patients and vendors that there is an immediate emergency unfolding and instructing them how
to safely respond.

Whether it is a weather-related disaster, for example, a college may cancel classes during an ice storm; a water main break or whether it is an active shooter incident located in a specific area of the campus, mass notification is a critical element of keeping people safe during any type of emergency.

Danger on Campus

For example, on October 1, 2015, an active-shooter breached a lecture hall at Umpqua Community College in Oregon and began shooting students.  It was a shocking event because 10 students were killed (including the shooter) and many more were wounded.  The shooter asked students whether they were Christians, and if they were, he shot them in the head, and if they said no, he shot them in the leg. 

The most distressing element of the Umpqua Community College incident was that the mass notification system didn’t work.   The system had been purchased and implemented but when the disaster happened, the system did not work.  It had been set up to send out emails and text messages to all students, staff and contractors, and the system even had a scrolling banner across the screen of all campus computers. But still, the system failed. 

As news of the shootings and the sounds of the gunshots were heard on the campus, students were posting questions and warnings on twitter. They were also calling their parents, who were unable to find out information on the safety of their children.  The shooting was a pivotal event in the adoption of mass notification systems.

Every organization should have a mass notification system in place.  Whether the organization is a hospital, a college or university, a business, a retail store, a mall, or a medical clinic, this piece should be a critical element of your organization’s emergency plan.

If your company or organization is planning to implement a mass notification system, here are some of the things to consider when selecting the system that will work best for your application

Elements to Consider When Implementing a Mass Notification System

• Does it Match Your Organizational Needs? Make sure the system fits your organization.  If you are a small organization, you might not need to use social media feeds like Facebook or Twitter as part of your mass notification system.
• To Text or Not to Text? Pick the elements that your organization will actually use.  For example, if you are a college or university, the system must include automatic texts because that is what students use most.
• Should Campus Message Boards be Included? Do you need just wireless notification, or do you need to add message boards across the campus to flash a message to people in transit, from one building to another?
• Is the System Flexible? Does the mass notification system allow for flexibility, so you can automatically notify people in one facility, instead of the entire campus list?
• Is the System Easy to Maintain? Is the system easy to maintain, especially in an institution like a college, where you have a large influx of new students twice a year?  Is it easy to add and delete people in the program?
• Can You Scale the System Up or Down? Would the system easily expand up if you added 1,000 new people tomorrow? Alternatively, could it also scale down if a part of the company was sold?
• How do You Handle Staff Training? Commitment to properly train the staff on the new system is a must.  Explore training options like an online training refresher class that can be accessed at any time, or even instructions that can be attached to the phone
  at each workstation, or a card that staff can take with them, knowing that it’s impossible to know where each person may be when disaster strikes.
• Does the Vendor Have a Good Track Record? The vendor of the mass notification system you purchase will be critically important to the success of the system, and to ensure its installation and setup will be as painless as possible.  Make sure the vendor understands how your organization will be using the system and how you need to have it set up ahead of time to minimize problems.

No matter the specific mass notification system selected,  you’ll need to decide whether staff will be required to use the system on their personal cell phones and home computers, or whether they have a choice of how they prefer to be contacted in case of an emergency. And as advanced capabilities are added to the organization’s mass notification system, all the policies and procedures for emergency preparedness, safety and security will need to be updated.

While use and capabilities of mass notification systems have expanded over the past decade when they were primarily used only for weather emergencies, such as tornadoes, hurricane warnings and flood warnings, today’s systems are far more proactive for safety and security purposes such as active shooter, workplace violence and terrorist incidents. 

So as the use of mass notification software increases beyond its presumptive boundaries, what other uses are organizations finding for their systems? Some of the most common are:

• Event Notification: to alert of upcoming, or cancellation of events
• Attendance alerts: in an educational setting, this can alert parents and guardians when a student is tardy or absent, or in healthcare, notify of an elopement or abduction.
• News Updates: keeping parties informed about a particular item like a water main break.
• Building Closure: for maintenance reasons or a power outage.
• Ad-hoc meetings: when it is necessary to gather a group of individuals

In these cases, the mass notification system becomes not just a critical element of the emergency planning process but acts as a direct communication tool that can be used in a variety of circumstances.

Technology that is Helping the Community

At the beginning of this article, I referenced the Umpqua Community College shooting, where the mass notification system failed when needed, and how that may have contributed to the high number of deaths at the college.

However, there are numerous positive instances of how mass notification systems have saved lives, property and worked as a critical community resource.

In instances of inclement weather circumstances can change with each passing minute, the mass notification system can serve a vital role in keeping people safe by announcing hurricane or tornado emergencies in advance;  sending out notifications of flooding in communities, or even intersections;  notifying specific areas of cities and unincorporated areas of urgent evacuations, as in flooding during Hurricane Katrina, and also in the recent spate of wildfires in the western United States.  Besides notifying residents of a required evacuation, they can also provide residents information concerning evacuation options, where available shelters are open in local areas, and even places where pets are welcomed.

Compliance Issues

On November 15, 2016, the Centers for Medicare and Medicaid (CMS) posted a new Final Rule for Emergency Preparedness in the Federal Register.  The Rule covers 17 types of healthcare organizations, from hospitals to ambulatory surgery centers to medical clinics and hospices.  This new broad-reaching rule has to be complied with by November 15, 2017 and includes a requirement for a mass communication system.

The CMS Final Rule on Emergency Preparedness states that:, “A hospital [must] have a process for ensuring cooperation and collaboration with local, tribal, regional, state, or federal emergency preparedness officials’ efforts to ensure an integrated response during a disaster or emergency situation.”

“In addition, “we would expect the facility to include in its emergency plan a method for contacting off-duty staff during an emergency and procedures to address other contingencies in the event staff are not able to report to duty which may include but are not limited to staff from other facilities and state or federally-designated health professionals.”

Accrediting organizations like the Joint Commission for healthcare organizations also includes similar requirements for communication systems.

Difficult times call for new strategies in protecting staff and facilities.  Having a mass notification system is a critical component in ensuring organizational staff is safe during a wide variety of emergencies.  Whether it is a flooding event, an approaching tornado, a domestic violence incident,  severe heat, an active shooter, a local terrorist, or a variety of other types of events, having a mass notification system is one of the very best controls you can implement that will help your organization function better in an emergency situation.

See Original Post

Reposted from smithsonianmag.com

The Galveston Arts Center sustained heavy losses when Hurricane Ike hit Texas in 2008. This time around, staff members were ready.

On a Wednesday afternoon, staff members at the Galveston Arts Center were in the final stages of installing an expansive exhibition that was scheduled to open on August 26. Works by three contemporary artists—Bradley Kerl, Angel Oloshove and Christopher Cascio—had been carefully displayed in three different galleries. Then the news broke: Hurricane Harvey was going to hit, and it was going to hit hard. 

Fearing for the safety of the art, staff began dismantling the exhibition. They carried the works to an upper level of the building, and stored them in two different rooms: a small, cement vault and a windowless back gallery. The opening of the exhibition was pushed back to September 9. The main galleries stood empty.

Now that Texas is in the midst of the storm, it appears that Galveston has been spared the worst of Harvey’s wrath; Houston, by contrast, has been devastated by heavy rains and flooding. But last week, not knowing where the hurricane would hit, the Arts Center team decided not to leave anything up to chance.

“We are taking every precaution,” Dennis Nance, curator at the Galveston Arts Center, tells Smithsonian.com. “There's no messing around with this stuff." 

Nance has good reason to be wary. Back in 2008, when Hurricane Ike pummeled Texas, the Galveston Arts Center sustained steep losses. According to Harvey Rice of the Houston Chronicle, art valued at more than $100,000 was ruined, and the storm caused upward of $1 million in damage to the historic, 19th-century bank building that houses the Arts Center.

Nance was not working for the Galveston Arts Center at the time, but he noted that the team was unable to properly prepare for the storm.

“They had a huge retrospective exhibition with large works,” he explains. “I believe the curator wasn't able to get there in time to help with the preparations, and couldn't even have done it on his own. It was just the worst possible scenario.” 

It took the board members seven years to raise enough funds to restore the building and return the Galveston Arts Center to its historic home. Nance says that memories of Hurricane Ike, and the damage it caused, are still “traumatic.” So this time around, the team was prepared.

Planning for the possibility of a fierce storm began long before Harvey started fomenting in the Caribbean. Knowing that hurricane season was approaching, Nance deliberately scheduled exhibitions that would be easy to transport and store if the worst were to happen. The works that will now go on display in September include a series of paintings and small, ceramic totems.

“I was like, ‘We're going to do a couple of painting shows, not major installations in hurricane season,’” Nance says.

When news of Harvey’s impending arrival broke, Nance swung into action. He made sure that the upstairs vault was clear, and then began sorting through essential paperwork, like insurance policies and loan agreements. Next, he contacted artists whose work was on display at the Arts Center.

“The three artists with work on view all live in Houston and we all felt we could safely secure their work in our building, where it would also be covered by our fine art insurance policy,” Nance explains. “I made sure all loan agreements were in order and thoroughly documented the work on view. If we would have brought the work back to their studios [in] Houston, we would have not been able to offer the same assurances in the event of flooding in their studios. It's definitely just as much about taking care of the people we work with as much as the object they create.”

Once the art was packed away in a secure location, staff moved all gift shop merchandise that was touching the floor to an elevated space, where it would be safe from potential flooding. During the renovations after Hurricane Ike, the basement of the Arts Center was fitted with storm windows. But on the recommendation of Alex Irvine, former executive director of the Galveston Arts Center, staff members lined the rest of the building’s windows with towels.

Then, they went home to wait out the storm, hoping that the Arts Center would emerge unscathed. Thus far, it seems to be faring well.

“With the renovation of the building, we have a security system with cameras, and I can just turn my phone on and look into the gallery,” Nance says. “So Friday night when that first rain was coming in, I was just looking, and you could see the front door, and there was a little light on the table so I could tell, ‘OK, power's still working. There's no water in the building.’”

“We feel really lucky,” he adds, “and our hearts totally go our to the organizations and people who are experiencing the worst part of [Harvey].”

As heavy rains continue to fall on Houston, Nance and other members of the local arts community have been busy compiling resources for artists whose work has been damaged by flooding. Fresh Arts, a Houston-based non-profit that supports local artists, has put together a community-sourced Google Doc listing organizations that provide emergency support, in the form of financial grants, loans and short-term residencies.

“I think everyone just really wants to help right now,” Nance says. “It's been really amazing just to see what people are doing to support one another.”

See Original Post

Reposted from Chicago Tribune

A shooting inside a public library that killed two people and wounded four has deeply shaken an eastern New Mexico community.

The gunman surrendered after the shooting Monday and was taken into custody without incident after police entered the Clovis-Carver Public Library, authorities and elected officials with the city of Clovis said during a news conference. Warrants for his arrest were being prepared, but it's wasn't immediately clear what charges he would face.

Clovis Mayor David Lansford said things could have been much worse had it not been for the quick response, training and courage of police. He called the shooting tragic and senseless.

"This is a big blow to our community," he said. "Our community is a community that places a high value on life and the sanctity of life. And each life that lives in this community is precious. So we're all hurting right now as a result of what took place this afternoon."

Clovis, a city of about 40,000, is about 200 miles east of Albuquerque, near the Texas state line. The area is home to Cannon Air Force Base. The nearby community of Portales is home to Eastern New Mexico University.

The injured included two men and two women, authorities said. Some were taken to a hospital across the state line in Lubbock, Texas. The extent of their injuries was not immediately known.

One woman was seen being helped into an ambulance while a call for air ambulances could be heard over police radio traffic.

The names of the victims and the gunman were not released.

A woman who was in the Clovis-Carver Public Library when a man killed two people and wounded four others said the man told her to run, the Eastern New Mexico News reported Monday night.

Lisa Baird told the newspaper that she was about 20 feet from the man as he opened fire inside the library.

"Run!," he yelled at her. "Why aren't you running? I'm shooting at you! Run!"

Baird talked to the newspaper through Facebook Messenger. She said she was talking with a library patron when she says she heard a "very loud bang."

"My initial thought was why would someone throw a cherry bomb or M80 firecracker into the library? Then I saw a young man aim his hand, which had a handgun in it, to the ground/carpet about 6 feet in front of him and he fired like four or five shots into the carpet," she said.

She dove under a nearby desk "and tried to squish up as small as possible," Baird said.

From there, Baird said she could hear the man moving around the library and firing multiple shots.

"Then I heard his pants 'shooshing' as he approached the end of the reference desk. I heard a sound like a phone or something being put on the reference counter at the end of the desk, about 4 feet from my head," she said.

Then police entered the library and began shouting for the man with the gun to "lay on the ground" repeatedly, Baird said.

Police Chief Doug Ford says the suspect did not resist after police arrived.

Police said they were still working to process the crime scene and piece together what happened. Ford could not immediately say what kind of gun was used in the attack.

Top elected officials from across New Mexico issued their condolences for the victims and their support for the community. Gov. Susana Martinez called it a "horrific attack."

"In the coming hours and days we will learn more information about this despicable act, but for now I ask all New Mexicans to pray for the victims and their families, and for the entire Clovis community," said Martinez, a former prosecutor.

Attorney General Hector Balderas said his office has reached out to the local district attorney to offer its help.

Sojung Her, a 26-year-old cashier at the Shogun Japanese Steakhouse within view of the library lawn, said the shooting left behind a sense of fear and vulnerability.

"It's kind of a freak thing," she said. "What if he just walked into our restaurant and started shooting?"

Police cars and tactical officers crowded the streets outside as she arrived to work at the restaurant late Monday afternoon.

"This kind of thing never happens here," she said.

Vanessa Aguirre told The Eastern New Mexico News that she was in the library with her son when a man came in and started to shoot into the air.

"It all happened so fast," she said. "We took off fast."

See Original Post

Reposted from The Economist

The jihadists are not the only ones to blame.

The Middle East is used to ruins. A millennium ago the “mad caliph” of Cairo, Hakim, ordered the leveling of all churches, including the Holy Sepulchre in Jerusalem, Jesus’s burial site. The Mongols sacked Baghdad in 1258, causing the Tigris to flow black from the ink of discarded books. Tamerlane spared nothing but hospitals and mosques as he went on what a contemporary chronicler called a “pilgrimage of destruction” across the region’s great cities. “She is empty, and void, and waste,” wailed Nahum, the biblical prophet, foreseeing the ruin of Nineveh at the hands of the Babylonians.

Still, the desolation of the past three years is probably the worst on record. According to the UN, half of the old city of Mosul, in Iraq, and a third of the old city of Aleppo, in Syria, are rubble. Hundreds of minarets, monasteries and monuments have been toppled. Of the world’s 38 endangered cultural-heritage sites, 22 are in the Middle East, says UNESCO, the UN’s cultural arm. “It’s Europe after the second world war,” says Michael Danti of the American Schools of Oriental Research (ASOR), which tracks the destruction.

The jihadists of Islamic State (IS) like to boast of their role in the wreckage. They have filmed themselves razing ancient temples, churches and mosques. So they do not quibble when their adversaries heap most of the blame on them for destroying the region’s heritage. “Responsibility of this devastation is laid firmly at the doorstep of ISIS,” said Major-General Joseph Martin, the commander of coalition forces in Mosul, after the jihadists blew up a medieval minaret in the city.

But the American and Russian armies, along with their local allies, have inflicted at least as much damage in their war on the jihadists. Data compiled by ASOR shows that IS damaged 15 religious sites in Mosul. The American-led coalition’s operation to recapture the city damaged 47, of which 38 were largely destroyed. Russian air strikes in support of Bashar al-Assad, Syria’s dictator, have damaged such treasures as the pillars where Saint Simeon the Hermit is said to have perched for 40 years. Mr Assad’s barrel-bombs have destroyed ancient buildings across Syria; so have the explosives of Western-backed rebels.

Ready, fire, aim

In 2011 the International Council of Museums (ICOM) supplied NATO with a list of heritage sites, and their co-ordinates, in Libya, which the alliance avoided in its bombing campaign. But the Saudi-led coalition in Yemen has been less scrupulous with the list that it received. Air strikes have hit the national museum in Dhamar, with its 12,500 artefacts; the Great Dam of Marib, an ancient engineering wonder; and the al-Qasimi complex of mud-brick towers in the old city of Sana’a. The best protection for the artefacts is often to leave them underground, says Hanna Pennock, a former director of ICOM.

Pressure for international action is rising. In March the UN security council reaffirmed that attacks on cultural sites are a war crime. Last September Ahmad al-Faqi al-Mahdi pleaded guilty in the International Criminal Court (ICC) to crimes of cultural destruction in Mali. The jihadist leader admitted to ordering attacks on Muslim shrines in Timbuktu. As The Economist went to press, judges from the ICC were expected to award reparations (who would pay them is unclear), setting a precedent for similar claims at other heritage sites.

The damage continues long after the shooting stops. Poverty, despair and a collapse of civic pride hasten the vandalism. Scavengers paw through the wreckage. The rock supposedly bearing the imprint of the Prophet Muhammad’s hand disappeared from a mosque in Aleppo last year. Egypt’s 72 archaeological warehouses, with thousands of uncatalogued artefacts, are manned by unarmed police and double as treasure troves for booty-hunters. International demand encourages the looting. In July Hobby Lobby, an American crafts chain, was fined $3m for importing thousands of ancient cuneiform tablets and cylinder seals from Iraq. Indirectly, at least, the trade has helped to finance IS.

Most of the smugglers get away. The Metropolitan Police in London, home to one of the world’s busiest antiquities markets, suspended its art and antiques unit in June. The authorities in the Arab world have more immediate priorities—or do not exist. Local truces have calmed much of Libya, but the country no longer has an effective department of antiquities to safeguard the country’s treasures. It has fallen to a ragtag band of fighters to protect Leptis Magna, the home town of Septimius Severus, a second-century Roman emperor, from less historically minded militants.

Reconstruction is often a euphemism for the final act of destruction. Antiquities experts mourn the treasures buried beneath the areas of Beirut that were redeveloped after its civil war. Land prospecting in Aleppo, often by cronies of Mr Assad, has already begun. Some treasures might survive. The floodlights are back on at the city’s majestic 12th-century citadel. The old city’s clock tower should soon peal for the first time in six years. Some facades, too, might get a facelift. But the foundations for tower-blocks that might soon soar over the city would tear through layers of an 8,000-year-old archaeological site. “Bulldozers,” bemoans an archaeologist, “can be even more damaging than tanks.”

From Art Guard

The recent seizure of a 2,300 year-old Roman vase that had long been on display at the Metropolitan Museum of Art shined a spotlight on an attitude that pervades the art market and affects not only looted antiquities but stolen art, as well. If there was any suspicion by the Met that the vase was looted and illegally transported out of Italy we won’t know.  They certainly should have connected the dots since the dealer through which the piece originally passed was convicted 10 years ago for having brokered another vase to the Met that was looted and returned to Italy.

It’s too easy for a museum to look the other way and claim problems with provenance or nonexistent records. Museums throughout the world are no doubt in possession of an unfathomable number of artifacts and relics that rightly belong to the country of origin.

When it comes to stolen art and artifacts the circumstances are a little less gray but some of the players no more virtuous. Granted it would be hard to find any institution willing to purchase The Storm on the Sea of Galilee, maybe the most iconic of the paintings stolen from the Gardner, or the Bacon’s or Warhol’s, stolen in the last year in Spain (several are still missing) and Missouri respectively (all still missing). We can only hope they haven’t been destroyed.

But works of lesser artists and other artistic objects can be laundered in various ways to find themselves without proper provenance or with vague identities. In particular, too little effort is applied to finding rightful owners of artifacts of historical or religious significance.

The UNESCO convention has placed pressure on institutions to apply more rigorous standards to identifying the origins of a piece that may have been looted. Applying the convention to stolen art that is privately held and sold is more difficult, leaving sellers and buyers to their own ethical restraints. And where enough money is involved, restraints can soften considerably.

With too many people willing to look the other way the opportunities to succeed with theft increase.  We only hear about what people want to publicize, which is just the tip of the iceberg. Protecting your assets by having a properly blended security system that is always on is the only prudent defense against theft.

Reposted from asisonline.org

​Security Management has partnered with the Society for Human Resource Management (SHRM) to bring you relevant articles on key management topics and strategies​. This article by Roy Maurer​ discusse​s the merits of a yearlong employee onboarding program.

New employee onboarding is the process of integrating a new employee with a company and its culture, as well as getting a new hire the tools and information needed to become a productive member of the team.

Onboarding new hires at an organization should be a strategic process that lasts at least one year, staffing and HR experts say, because how employers handle the first few days and months of a new employee's experience is crucial to ensuring high retention.

Getting Started with the Onboarding Process

Finding the best candidates for positions in your organization is only part of building an effective team. The process of onboarding new employees can be one of the most critical factors in ensuring recently hired talent will be productive, contented workers. 

However, in some organizations, onboarding is often confused with orientation. While orientation might be necessary—paperwork and other routine tasks must be completed—onboarding is a comprehensive process involving management and other employees that can last up to 12 months.

Before implementing a formal onboarding program, employers should answer some key questions to attain team and upper management buy-in, including:

• When will onboarding start?
• How long will it last?
• What impression do you want new hires to walk away with at the end of the first day?
• What do new employees need to know about the culture and work environment?
• What role will HR play in the process? What about direct managers? Co-workers?
• What kind of goals do you want to set for new employees?
• How will you gather feedback on the program and measure its success?

Once these questions have been answered, HR professionals and upper management can devise a plan of action to help new employees quickly assimilate company policies and workflow while getting fully acquainted with the organization's culture.

Creating an Onboarding Program

"If we don't worry about onboarding before the employee starts, then we're way behind," said Ben Peterson, CEO of BambooHR, an HR technology company. "Rather than having a stack of papers waiting for their signature, send them out to the employee beforehand, for electronic signature. Give them their benefits selection. Find the technology to help you automate the paper-pushing process."

As soon as new employees receive a job offer, they can also receive access to the company's online onboarding portal, said Amber Hyatt, director of product marketing at SilkRoad, a talent management solutions firm. 

"Here they discover content that's designed to engage them, like a friendly note from their manager, first-day information, welcome messages and photos from new teammates, a glossary of company acronyms, a virtual copy of your employee handbook as well as other details about the new hire's department and job responsibilities," she said.

New-hire portals also benefit HR through dashboards that can organize and track tasks that need to be completed and managed electronically, such as W-4 or I-9, benefits and payroll forms, Hyatt said.

In addition to having new employees fill out new-hire paperwork online, consider providing the answers to questions they may have, such as where to go on day one, who to ask for upon arrival and what to wear, she said.

Set up new hires' desk, phone, computer and password logins before they arrive, said Peterson. 

"The worst thing for a new employee is being wooed through the recruiting process and then arriving on the job and the receptionist isn't even expecting you or your office isn't set up," he said.

The First Day

The two main goals on the first day should be setting expectations and introducing objectives. Employees need to have crystal clear ideas about what their job duties and responsibilities are on Day 1, Peterson said. 

"New employees need to get to know the job and get to know their new co-workers. Social interaction is critical. You want them back on Day 2, right?" he asked. 

New employees at BambooHR are taken out to lunch on the first day. "We cared enough to hire them, we want them to know we care enough to build rapport," Peterson said.

Aligning expectations is critical. 

"Organizations that don't focus on acclimating new employees to their corporate culture are at a significant disadvantage," said Hyatt. "Employees who know what to expect from their company's culture and work environment make better decisions that are more aligned with the accepted practices of the company."

To keep existing team members from resenting a new employee, make sure roles and responsibilities are outlined for the entire team, Peterson advised. 

"Sometimes existing team members could feel threatened that someone new could take over their responsibilities. So it's a good idea to clarify the position of the new hire as well as [the positions of] other team members whose work is closely related, how they'll interact with each other, and how projects will run," he said.

The First Few Months

It's important for HR to have a one-month check-in to make sure that that the new employee is comfortable, happy and engaged, said Peterson. "Reviewing and giving thoughtful feedback on your new hire's early contributions are also important during onboarding," he said.

According to a BambooHR survey, three-fourths of new hires said training during the first week on the job is most important to them. Meanwhile, 41 percent of HR professionals felt they needed to update training in onboarding. 

"If you aren't communicating what new hires are supposed to be doing and arming them with the tools to do it properly, you're setting them up to fail," Peterson said. 

You also don't want to inundate your new hires with too much information. 

"While it's important to get your new hire ramped up and productive quickly, you also need to make sure you provide on-the-job training in a manageable flow," he said.

Hopefully, new hires have picked a mentor by the end of the first month, Peterson added. Fifty-six percent of respondents in the BambooHR study said that having a buddy or mentor at work was very important when getting started.

The Aberdeen Group report found that high-performing organizations are nearly two-and-a-half times more likely than lower-performing employers to assign a mentor or coach during the onboarding process. 

"Mentoring programs can be as simple as assigning a new employee a go-to person or having an elaborate team of mentors for any questions that might arise," Hyatt said.

The First Three to Six Months

Peterson advised HR to conduct another check-in between three and six months, depending on the employee and the role. 

"Unfortunately, only 15 percent of companies continue onboarding after six months," he said. Remember, nearly 90 percent of employees decide whether to stay or go within that first six months. "You have a huge impact on that choice. Sometimes you just have to show that you sincerely care," he said.​

The First Year

"An employee's performance at the end of the first year will prove if they're fully productive," said Peterson. "Now you can plan for future development. Show them what their career looks like at the company. Sadly, sometimes they don't belong there," he said.

The end of the first year is when traditional onboarding transitions into retention and employee satisfaction. 

"Shift from on-the-job training to continuous development. It's also a great time to have the compensation conversation," Peterson said.

"Your new hires will thank you for setting them up on the path to success and your company will be well on its way to turning those new hires into seasoned employees."

See Original Post

Reposted from The New York Times (security management daily)

A 23-year-old Oklahoma man has been arrested after he tried to blow up a bank in downtown Oklahoma City using a vehicle bomb similar to the one that destroyed the federal building there in 1995, federal officials said Monday.

The man, Jerry Drake Varnell, had been plotting the attack for months, the authorities said, but was thwarted by a long-running undercover investigation led by an F.B.I. joint terrorism task force.

Mr. Varnell was arrested early Saturday after he parked a van loaded with what he believed to be a working explosive device in an alley next to the bank, and then dialed a number on a cellphone that he thought would set it off, federal officials said. The device was inert and could not explode, the officials said.

According to court documents, Mr. Varnell had espoused an anti-government ideology and had expressed an interest in carrying out an attack that would echo the bombing of the Alfred P. Murrah Federal Building in Oklahoma City in April 1995, which killed 168 people.

The bank Mr. Varnell was said to target — the downtown branch of BancFirst, Oklahoma’s largest state-chartered bank — is about a half-mile from the site of that attack.

During a meeting in June with an undercover F.B.I. agent posing as someone who could help him, Mr. Varnell said that he wanted to start the next revolution and that he identified with what is known as 3 percenter ideology, according to an affidavit filed in support of the federal criminal complaint against him. Mr. Varnell sought to form and arm a small militia group, inspired in part by the movie “Fight Club,” the authorities said.

“I’m out for blood,” Mr. Varnell wrote in one text message to a confidential informant who cooperated with the authorities, according to the affidavit, which was written by an F.B.I. special agent. “When militias start getting formed I’m going after government officials when I have a team,” he wrote. The complaint did not name the informant.

In another text message, Mr. Varnell wrote: “I think I’m going to go with what the okc bomber used. Diesel and anhydrous ammonia.” He was referring to Timothy J. McVeigh, who was executed for the Oklahoma City bombing. Mr. McVeigh and a co-conspirator, Terry L. Nichols, built a giant fertilizer bomb using ammonium nitrate and racing fuel as their primary ingredients. Mr. Varnell later told the informant to get him ammonium nitrate, adding, “That’s all I need,” according to court documents.

Federal law enforcement officials said the public was not in danger at any time.

“There was never a concern that our community’s safety or security was at risk during this investigation,” Kathryn Peterson, the special agent in charge of the F.B.I. in Oklahoma, said in a statement. “I can assure the public, without hesitation, that we had Varnell’s actions monitored every step of the way.”

The bombing case appeared to have started in December, when the confidential informant told the F.B.I. that Mr. Varnell wanted to bomb the Washington building that houses the offices of the Federal Reserve’s Board of Governors. Mr. Varnell appeared to be especially angry with the banking and financial data system, and expressed interest in attacking corporate data centers and facilities known as server farms, including those run by Facebook and Bank of America, the authorities said.

He told both the informant and the undercover F.B.I. agent that he did not want to kill “a bunch of people.” But when the undercover agent told him in June that any bombing might kill one or more people, Mr. Varnell responded, “You got to break a couple of eggs to make an omelet,” according to the affidavit.

Mr. Varnell also wrote a statement that he wanted posted on Facebook after the bombing, and sent it to the informant, the authorities said. The statement refers to the bombing as an act of “retaliation” for government actions that he said restricted Americans’ freedom.

“It was a wake-up call to both the government and the people,” Mr. Varnell’s statement said, according to officials.

A variety of militia groups around the country regard themselves as 3 percenters. The term comes from their belief, debunked by historians, that only 3 percent of American colonists fought in the Revolution. These groups reject characterizations of them as racist or anti-government, describing themselves instead as pro-Constitution, pro-gun and, in many cases, pro-President Trump.

The movement’s logo, the Roman numeral III encircled by stars, was visible on at least one of the heavily armed, camouflage-clad militia members at the white nationalist rally in Charlottesville, Va. Militia leaders claimed to be neutral and told reporters they were not affiliated with either the white nationalists or the counterprotesters.

Mr. Varnell lives in Sayre, Okla., with his mother and other relatives. The authorities said that he had been outfitting a bunker next to his home with end-of-the-world supplies and that he had spoken to the informant of using marijuana and methamphetamine. He was arrested in 2013 in Weatherford, Okla., and charged with domestic assault and battery by strangulation; it was not immediately clear how that case was resolved.

See Original Post