Showing posts with label physical security. Show all posts

19 December 2012

Security Trends in K-12, Some Thoughts



For lack of staff, money, expertise, and time, school districts for the most part still can’t put a huge emphasis on education programs, similar to those run in many colleges and corporations, that continually remind people about the rules they need to follow when dealing with physical security and confidential data. Maybe 2013 will be the year that starts to change, especially since the Newtown, Connecticut shooting has made the mitigation of risk more palatable and far less pricey than the potential of extended legal actions. I say this because it bothers me, as a parent and a physical security professional, that we spend so much more protecting our data centers and networks than we do in our schools.

The “Active Shooter Scenario” is everyone’s worst-case situation. I work with this every day in protecting hospitals (Code Silver), malls, and any other facility open to the public. Based on all that I have read on the above incident, I do not believe that anyone could have handled that situation better than it was handled. The school staff did an outstanding job, and law enforcement responded immediately, keeping the carnage to a minimum. My point is that schools do not need to be open. We can reduce access and push back the perimeter, which I believe is the only way to reduce the active shooter threat.

Many times, when I would bring up K-12 school security enhancements, I would get pushback like “We want an open feeling in our schools and the employees won’t allow that.” Richard Cantlupe, an American history teacher at Westglades Middle School in Parkland, Fla., called Newtown "our 9/11 for schoolteachers." If this is true and we can at least give our schools the same protection as our data centers, we will come a long way in making our schools safer.

After 9/11 we had Homeland Security Presidential Directive 7, which established a national policy for Federal departments and agencies to identify and prioritize critical infrastructure and to protect it from terrorist attacks. The directive defines relevant terms and delivers 31 policy statements. These policy statements define what the directive covers and the roles various federal, state, and local agencies will play in carrying it out. We need to add our schools to this list and give grant money to the school districts to get it done today.

The solution is available; it will just cost some money. The school designs are mostly fine; we just need a few enhancements to reduce the threat, especially the perception of a school being a soft target. However, you can never completely eliminate the threat. I have many ideas on this issue and look forward to discussing them in future postings. I have a checklist that I picked up along the way and have used in the past; it gets everyone thinking. If you would like a copy, please go to https://dl.dropbox.com/u/62454695/k-12_School_Safety_Security_Checklist_McDonald_AACI.pdf. If you have any questions, comment here or call anytime!

21 July 2012

How to Reduce Risk by Designing and Supporting the Best Physical Security Technology Solution

It is clear that a system that aims to improve physical security and reduce risk must cater for today’s challenges and tomorrow’s risks. As a security professional, I often encounter clients with integrated security technology systems that do not measure up to their expectations, or fail to effectively mitigate common risks, or need to be completely replaced at cost due to poor design.

Today’s security technology systems are very technical, and installations need to cater for a variety of conditions. Even though it is common practice, organizations should not be solely dependent on the installers of their current systems when contemplating security investments. The following 10 steps towards implementing a cost-effective integrated security system can serve as indicators for you as the client when evaluating a new security system or a system upgrade:

1. Design for Risks
When designing a security system, I look to design one that not only meets the customer’s expectations and requirements but, more importantly, significantly mitigates their risk profile. It is imperative to design to reduce current and future risk. Security systems designed to mitigate or neutralize a particular set of vulnerabilities at a particular point in time are restricted from the outset. A security system designed without conducting a comprehensive physical security risk assessment is doomed to failure once the customer’s risk profile changes - a costly mistake! Therefore, a thorough risk assessment should be done to give the designer a clear indication of the threats and vulnerabilities, and of their consequences for the design.

2. Security System Design as a Project
A security system design must be managed as a project with agreed project deliverables. As such, the project must be initiated, planned and executed according to a formal project plan (including scope of work, project schedule and cost estimation) to manage time, cost and quality effectively. Throughout the project attention must also be given to customer expectation management.  Deliverables of a successful security system design project include:
  • Technical design drawings
  • Technical design specifications
  • Inter-disciplinary coordination
  • Product selection

3. Design for Scalability
Can the design be expanded upon and is it flexible? There is nothing worse than a fixed design system that cannot be extended or adjusted. A scalable security system design should integrate with other systems, be upgradable and comply with the customer’s strategic security plan and current security policy.

4. Design for Robustness
Robustness refers to the quality of the system’s design and installation workmanship. Poorly installed electrical wiring, fragile network installation, incorrectly placed equipment mountings, poorly shrouded cameras and the like, may cause system failure and/or interruptions for repairs or maintenance. A well-designed security system incorporates robustness as a core consideration to ensure that the installed system copes well with day-to-day handling demands.

5. Provide for Redundancy
The system design should provide for component failure (redundancy) to ensure that there are other components that can replace it functionally, either internally or through a layered approach.

6. Manage the Roles and Responsibilities
Role players include the design team, integrators and system product suppliers. The different responsibilities must be clearly defined and understood, for example: Is the installer qualified to install the system? Are the technicians trained? Is there a client-owned agreement between the client and the installer that is supported by the supplier? It is imperative to create a process flow where there is an independently constructed technical specification document underwritten by the supplier and integrator.

7. Planned Maintenance
With regard to maintenance, the following questions should be contemplated: Is the system correctly installed to meet manufacturer standards and supplier warranties? Is there a dedicated system maintenance team that is trained to maintain the system? Are there comprehensive maintenance schedules set out in a client-owned maintenance agreement that are checked on a regular basis? Is there a technical specification document available that has been agreed to by all parties prior to the commencement of the installation? Does this document accurately reflect what you as the client are paying for? Were proper testing and demonstrations conducted before the installation? Has there been proper user expectation management in the pre-installation phase? Is the system tested against the current and future requirements and expectations? Can you confirm that what you paid for is installed?

8. Service and Support
Today’s customers need 24/7/365 access to service and support. Monitoring systems live from a central command center is just one part of what a security system needs. From time to time customers need either in-line or on-site emergency support from their integrator. Does your integrator offer 4-hour on-site support by a qualified technician at any time of the day or week? Your service agreement should have this type of response written into the contract.

9. Parts Inventories
Integrated security platforms are complex, and integrators must respond to service calls and be available 24x7x365. Contractors must send a fully trained and qualified (if applicable, Certified) Technician and have replacement parts available in the vehicle at the time of arrival at the eligible entity’s location. The Technician will be required to perform repairs or diagnose the problem, and must have replacement components available, including but not limited to boards, power supplies, cameras, hard drives, electrical components and all other parts required to make the equipment work.

10. Training
Integrators must provide significant training to designated customer personnel during the final system testing and start-up phase of the project. The amount of training required is dependent on the complexity of the equipment purchased or leased by the customer and the ability of the designated personnel to learn from the training and training material. The integrator and customer shall mutually agree on the duration as well as the location and schedule of the training. The integrator’s fully trained and qualified (if applicable, Certified) Technician shall conduct the training. Training materials, including but not limited to books, handouts, software, or customized training videos, will be provided by the Contractor and given to the customer at no additional cost, as agreed upon by the parties. Additionally, the maintenance agreement should include the option for some regular annual training. Many customers have regular employee turnover, and some ongoing training should be expected.

In conclusion, when comprehensive foresight is applied to plan and manage tomorrow’s risks with today’s technology, clients can indeed reap the benefits of a proper system design with risk planning included, followed by proper implementation and ongoing support.

14 December 2011

How Physical Security Technologies apply to effective Risk Management in 2012


As a physical security and loss prevention professional, I have had the privilege of working with hundreds of clients to reduce their risks. Risks are not just a threat but an opportunity to upgrade physical security solutions and at the same time improve an organization’s productivity and profitability. With today’s improvements in technologies, especially software, the physical security industry can offer a more holistic approach that dramatically improves centralized visibility into an organization’s security posture and addresses new challenges related to doing more with less (productivity) and increased regulatory requirements. Depending upon the size and scope of the organization, the solution may be different, but the goal remains the same: to maintain, control and monitor the numerous security-related systems and sensors from a single graphical user interface (GUI) that simplifies monitoring and reporting. These systems may include alarm monitoring, access control, locking systems, audio communications, asset tracking, intrusion detection, perimeter protection, video monitoring, video analytics and in some cases building management.

When meeting initially with a new client, the most common complaint I hear, and the biggest barrier to implementing a more holistic security solution, is: “We have looked at this before and my existing solutions lack the ability to communicate or be integrated.” Well, I am here to tell you that with some small upgrades at the “head-end,” many of your edge devices and sensors can, in most cases, be integrated immediately. More importantly from my perspective, by including all departments in the evaluation and research process to improve risk management, the resulting policies, procedures and goals will deliver the organizational value of improved overall visibility into the entire security infrastructure.

Here is a generic example of how you might discuss the real needs, goals and risks within your organization before you look to make any changes. By understanding the risks and the potential costs associated with those risks, using measures such as annual loss expectancy and total cost of ownership, you can better develop your return-on-investment.

Let us look at internal investigations as the business area in which to discuss the risks. First, create a working group that includes a representative from every department that plays any role in this area. This might include human resources (HR), corporate security (CS), information technology (IT), facilities, loss prevention (LP), finance and insurance, marketing and legal.

Next, brainstorm events and scenarios that could create risk for the company in an internal investigation or disaster. Such events might include information leaks in various departments or a potentially violent customer or employee. Then, rank the risks by likelihood and impact. Absolute precision is not necessary here, although this step may provide the momentum to gather new metrics, both within your business and from the outside world, for benchmarking purposes.

Now for controls and solutions: List existing controls. Look for redundancy across departments. Brainstorm new ones to address these risks. Rank new controls based on cost, difficulty, and effectiveness, especially noting controls that can reduce likelihood and impact across multiple types of event. With good luck, you might be able to pay for a new control by reducing the redundancy of existing controls. Finally, select the appropriate point person responsible for implementing (or championing) each high-priority control. Then establish a way to measure the effect of each new control and a way to communicate that measurement within and outside of your working group.

Don't get too hung up on making this overly formal. Keep the end in mind: Enable business objectives. Keep it simple (KISS). Make internal investigations more effective and less risky. Now repeat this process with a new team for each of these additional areas: business continuity and disaster recovery, intellectual property protection, brand protection, employee fraud, loss prevention or asset protection, and general liability. Obviously, each of these areas may require a different set of team members, although some may be the same.

Beyond the specific business value you create in each area (the deliverables), you will also lay the foundation for more interdepartmental communication and coordination. Security personnel will have more and better contacts within finance, marketing and other groups. These connections can form the basis for competitive advantage for your organization.

One of the greatest benefits of today’s integrated physical security solutions is real-time actionable intelligence, which can dramatically decrease the time needed to gather information about security incidents and then act on it. For example, if an employee is terminated by the organization and HR removes the employee’s authority from the network, that information can instantly be updated in the organization’s access control system, alarm system, etc. This can immediately reduce the opportunity and temptation for a disgruntled employee to cause any further damage to the organization.
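Whether a termination really reached the access control system can be audited by reconciling the HR termination list against the badge records. The script below is an added example, not code from the original post or from any vendor; the CSV column names (`employee_id`, `terminated_at`, `badge_status`, `last_used`) and all sample rows are constructed assumptions.

```python
import csv
import io
from datetime import datetime

# Constructed sample exports. Column names are assumptions for this example,
# not the schema of any particular HR or access control product.
HR_TERMINATIONS = """employee_id,terminated_at
E1001,2012-03-01T17:00:00
e1002 ,2012-03-05T12:30:00
E1003,2012-03-07T09:00:00
"""

BADGE_EXPORT = """employee_id,badge_id,badge_status,last_used
E1001,B-77,disabled,2012-03-01T16:45:00
E1002,B-78,active,2012-03-06T22:10:00
E1003,B-79,active,2012-03-06T18:00:00
E1003,B-80,disabled,
E1004,B-81,active,2012-03-08T08:00:00
"""


def _norm_id(value):
    # The two systems rarely agree on case or padding, so normalize before joining.
    return value.strip().upper()


def _parse_ts(value):
    # An empty field means the badge has no recorded use.
    value = value.strip()
    return datetime.fromisoformat(value) if value else None


def find_stale_badges(hr_csv, badge_csv):
    """Flag badges of terminated employees that are still active or were
    used after the termination time. Highest-severity findings come first."""
    terminated = {
        _norm_id(row["employee_id"]): _parse_ts(row["terminated_at"])
        for row in csv.DictReader(io.StringIO(hr_csv))
    }
    findings = []
    for row in csv.DictReader(io.StringIO(badge_csv)):
        emp = _norm_id(row["employee_id"])
        if emp not in terminated:
            continue  # not on the termination list, nothing to reconcile
        last_used = _parse_ts(row["last_used"])
        still_active = row["badge_status"].strip().lower() == "active"
        used_after = last_used is not None and last_used > terminated[emp]
        if still_active or used_after:
            findings.append({
                "employee_id": emp,
                "badge_id": row["badge_id"].strip(),
                "still_active": still_active,
                "used_after_termination": used_after,
                "severity": "high" if used_after else "medium",
            })
    # Stable sort: badges actually used after termination are reviewed first.
    findings.sort(key=lambda f: f["severity"] != "high")
    return findings


if __name__ == "__main__":
    for finding in find_stale_badges(HR_TERMINATIONS, BADGE_EXPORT):
        print(finding)
```

Run on a schedule against fresh exports, an empty result confirms that terminations are propagating; a "high" finding means a badge was presented after the employee left and warrants a look at the door and video records for that time.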

After you have defined your risk management goals and vulnerabilities, it will be a lot easier to create a budget to meet these goals. Then, if you have not already done so, develop a partnership with a security integrator that you can trust. The next step is to test various potential solutions within your organization; I always try to show three of the top solutions based on the client’s vertical market, the legacy systems currently in place and the client’s goals for today and tomorrow.

The good news is that in many cases these solutions have proven real benefits within organizations of all sizes and across a multitude of vertical industries, with very high return-on-investment (ROI), such as three to nine months. Some of the key benefits are: having the capability to quickly communicate the details of an incident to management, having actionable intelligence about incidents, tools to assist in prevention of future incidents, having a real-time view of security events, instantly responding to events in real time, reducing incident resolution time, streamlining operations and improving productivity, reducing security costs and delivering an ROI on the organization’s physical security environment.

Take a moment to discuss “Risk Management” as a concept with your management team. Remember, there’s never a dull moment in security. In the next few years, more new challenges will be thrown at business organizations as the cultural landscape transforms. Will you have the tools in place to meet those challenges?



09 May 2009

You are invited to join www.PhysicalSecurityTechnologist.com and www.PHYSECTECH.org

You are invited to join www.PhysicalSecurityTechnologist.com and www.PHYSECTECH.org, our Web Community. These sites are free to users. The Showcase sub-group sites are free to non-profit associations and are available for a fee to commercial enterprises. These sites can be either public or private. Signup is simple and takes less than a minute. Also, those of you interested in managing discussions, drop me a note and I will upgrade your security permissions.

Do you need a fake receipt printed professionally?

Watch out, there is a new web site in town: http://www.falseexpense.com/index.htm. Can your employees tell the difference? They say FOR NOVELTY USE ONLY, but we all know what that means.


According to their website you can pretend an item of fake jewelry you bought is real - fool people into thinking your fake Rolex is real, Pretend you were away in a hotel for the weekend- create an alibi, One person we created a fake receipt for had went to a lap-dancing bar and spent money on his corporate card - he needed to show his 'itemized' expense weren't dubious - otherwise he would have lost his job.  Another person used us our service to create false receipts for a lap-dancing bar, so his wife would divorce him.  These receipts can also be used for False receipts for insurance fraud, fake receipts for eBay sales - like here - they create false Tiffany's receipts so you can pretend fake jewelry is real or here Fake Versace Bag Being Sold With Receipt.  False claim extras on your expense account - create false create false gas receipts, false tax receipts.  Over claim your expense account, reclaiming taxes, and expense in China Bogus Receipts & Fake Invoices.  When purchasing expensive items overseas, such as electronic equipment, you could use a false receipt to show a purchase price lower than that actually paid as a means of reducing the Customs charges payable. Welcome to FalseExpense.com. We print the finest Fake receipts available, with your custom information on them.

Sample Receipts:   http://www.falseexpense.com/fake_receipts.htm

Templates: http://www.falseexpense.com/fake_receipt_template.htm

Need a barcode for your receipt?  The site links you to http://www.barcodesinc.com/generator/index.php

I am sure that none of these receipts will be used to return stolen merchandise.  They say “We can produce false or fake store receipts from any US electronics retailer including:

BEST BUY
CIRCUIT CITY
COMPUSA
RADIOSHACK
THE GOOD GUYS
THE WIZ
ULTIMATE ELECTRONICS INC.
TWEETER HOME ENTERTAINMENT
BRANDSMART USA
REX STORES
AMERICAN TV & APPLIANCE
J & R ELECTRONICS 
   
These will be printed on real thermal till-roll and posted to your address - from only US$14.99
100% fool proof- 100% Genuine Looking”
After seeing this site, I thought you should all know.

Jamie McDonald
 www.PhysicalSecurityTechnologist.com 

Physical Security Talking Points and Fraud

When discussing physical security, there are several important talking points to consider. Here are some key points to include: Risk Assessm...