Security Management
Five Not-So-Easy Pieces | Strategic Security
https://adminsm.asisonline.org/Pages/Five-Not-So-Easy-Pieces.aspx
<p>Alignment is in. Many cities, municipalities, corporations, and school systems are taking steps to align their physical security systems so that security programs across locations will be fully integrated.</p>
<p>The benefits of such a move are numerous. Uniformity across systems makes it easier for end users, and converged systems are easier to manage from operation centers. Moreover, having only one system makes maintenance and upgrades easier, and this can help provide long-term stability.</p>
<p>But achieving alignment is no easy feat. Navigating a physical security installation across several facilities can be a difficult undertaking; often, such a project includes wrangling a mish-mash of individual products to get them to function under one cohesive system. Alternatively, some take the approach of completely redesigning the physical security system so that it reflects current best practice design standards. Both paths can be difficult.</p>
<p>In addition, the potential pitfalls of attempting a unification project are numerous. What is the installation environment in each facility? Which key players need to be involved at each facility, and at what level of involvement? What type of network infrastructure must be in place to integrate the systems?</p>
<p>In hopes of avoiding pitfalls, many organizations will hire project managers and consultants to spearhead alignment projects. This type of management, however, is usually complex and unpredictable work. Thus, one of the most useful attributes a security practitioner can have is experience in project management.</p>
<p>Although there is no one roadmap for successful project completion, and despite all the caveats, most projects can be broken down into five stages. The main purpose of this article is to walk the reader through these stages, which experts sometimes refer to as "process groups." The five process groups are initiating, planning, executing, monitoring and controlling, and closing. For our purposes, the second process, planning, can be considered the design process, and the third process, executing, can be considered the installation process.</p>
<p>Although these stages will remain consistent, the role and scope of a project manager's responsibilities will change from project to project. And there may be many project managers on a single project: one for the design team, one representing the owner, one who serves as an installation project manager in the field, and others. Each will have different responsibilities.</p>
<p>Primarily, this article is written from the point of view of the project manager who is outside of the organization and is hired by an owner to design and manage a project that will be installed by a third-party contractor, either through a public bid or the solicitation of proposals. Typically, this type of manager would be a consultant who works on a project-by-project basis with different teams and organizations, for the procurement and installation of a multi-facility physical security system.</p>
<p>However, the concepts and best practice guidance offered here could be applied to almost anyone involved with the management or supervision of physical security projects, whether that person is inside or outside the organization.</p>
<h4>Initiating</h4>
<p>As a project kicks off, the act of project management is often the act of discovery. The project may be ill-defined, just a blurry picture of the needs and goals of the project's owner. But an ill-defined project cannot be effectively managed, so it is often the project manager's task to work with the owner to focus the project into a clear and actionable roadmap.</p>
<p>For the project manager, one of the main goals of the initiating process is to get up to speed with the requirements, history, and expectations of the project. This includes understanding who the project stakeholders are and determining the project's requirements, constraints, and assumptions.</p>
<p>Physical security projects can be sponsored by a range of departments in an organization, including security, facilities, IT, finance, and general management. But these departments may have different levels of familiarity with physical security systems, so the project manager must gain an understanding of how well the owner's team knows physical security. This understanding should then inform the project manager's general approach, including the process of assembling the design team.</p>
<p>This understanding can be gained during the meetings that take place during the initiating process. For example, on one project the design or project management team may act as the experts—they will design and demonstrate how the systems work and function together and explain design best practices. On another project, the design team may merely be documenting the project for an owner who already has a strong grasp of physical security best practices and the needs of each facility.</p>
<p>Another key task of the initiating process is to learn the requirements and goals of the project. What is the general scope? What physical protection systems will be affected? Will this be a replacement project, or will it integrate with existing systems? Is there a deadline for installation completion? If grant money is involved, is there a deadline for spending funds? Each answer is part of the roadmap.</p>
<p>Once the initially hazy picture has come into focus, the project manager may take the next steps. These include developing a rough estimate of how many days will need to be spent in the field documenting existing conditions and systems, and how many designers should be hired to create design documents. Other decisions involve who will sit on the project stakeholder's team, whether the owner will require manufacturer demonstrations, and what a reasonable cost for the project looks like.</p>
<p>During this stage, the project manager may discover that the existing team of stakeholders is inadequate. In this case, the project manager should try to ensure that all decision makers are included, and that, if applicable, teams not directly associated with security are also represented, or at a minimum made aware of the project. Other stakeholders, for example, could include facility directors, senior management, service providers, IT teams, and grant funding representatives. If the project is for a municipal, city, or public organization, the owner may prefer to involve law enforcement in the early stages and throughout the process.</p>
<p>By the end of this first stage, all stakeholders should understand their roles within the project, what will be expected of them, and the type of work that will be performed on their systems or the facilities they manage. Accomplishing this early is important. It is never a good idea to inform an IT director of an IP video surveillance project a week before the network electronics are scheduled to be installed.</p>
<h4>Design</h4>
<p>The greatest indicator of a well-executed project is a well-executed design process. The overall objective of this process is to create a complete set of project documents that a third-party contractor or integrator can then use to create a proposal or bid.</p>
<p>These documents, referred to collectively as the project manual, typically include plan drawings, wiring diagrams, and riser and elevation drawings. They also include specifications explaining the scope, the installation standards, the configurations of various systems, and other pertinent information. Front-end documents in the manual often describe the nature of the project and any general requirements that the bidding contractor must adhere to.</p>
<p>To create a thorough project manual, it is important for the project manager to assemble a qualified design team. Physical security projects can be derailed by subpar designs that do not consider each facet of each system's requirements. The design team must be able to accurately document the correct configuration requirements among systems; all installation best practices and requirements; the code requirements and testing parameters; and the closeout tasks such as training.</p>
<p>Once the design team is assembled, the project manager begins the process of creating progressively more detailed designs and reviewing them periodically with the owner. A good guide is to review the design documents at 50 percent completion, 75 percent, 98 percent, and 100 percent. At each review, it should be conveyed to the owner what was refined, changed, omitted, or added since the last review.</p>
<p>The overall cost and the installation schedule should also be reviewed at those junctures. Most likely, the project will have a specific budget and installation schedule that the design team must adhere to. At each design milestone, the project manager must ensure that the owner understands the budget and schedule. Any major design change should be reviewed with the owner.</p>
<p>If the project does not have a predetermined budget, the project manager should have a usable estimated cost range after project initiation. At the halfway point, an estimate within a few percentage points of the actual cost should be completed and reviewed with the owner. It is also important that the owner understands how any future requests will affect the budget and installation schedule.</p>
<p>Ideally, the project should leave 10 percent of the total budget in contingency to cover unforeseen costs. For example, for a project with a budget of $1 million, the design team should allocate up to $900,000 and leave $100,000 for contingencies. Aside from this practice, some projects also contain a management contingency designed to cover changes in project scope directed by management. However, this contingency may or may not be shared with the project manager, and it may not be included in the total project budget.</p>
<p>When it comes time to estimate individual costs, the environment and condition of existing facilities should be kept in mind. Areas likely to add surprise costs to the project should be reviewed. Take ceilings, for example. If the facility has open ceilings, will the low-voltage cabling need to be run in conduit? If so, how much cost will that add? Or, consider data closets. Is there adequate wall space to mount patch panels, switches, and servers? Is there wall space to mount security panels? Other areas that should be reviewed for cost impact include power requirements, configuration fees for integrating systems, and software fees for updating out-of-date systems, among other items.</p>
<p>Taken together, the overall goal of the planning and design process is to create a project manual that is fair to both the owner's need to attain the project goals and the contractor's need to correctly price the project.</p>
<p>Many potential headaches that could occur during the installation process can be mitigated by giving the contractor a realistic schedule for procurement and installation of the systems, and by ensuring that the project comes in at or under budget. This is done by informing the owner early and often of what the scope of the project will realistically require. All cost-saving measures should be considered during the design process whenever possible.</p>
<p>Throughout the design process, the project manager and design team should constantly ask themselves, "If I were a contractor, would I be able to properly price this project based on the project manual documents without adding change orders in the field?" Many projects are soured by an incomplete project manual that puts the contractor in the disadvantaged position of having to constantly submit change orders to correct their fee.</p>
<h4>Executing</h4>
<p>If the goals of the planning process were accomplished—including properly and completely documenting the physical security systems, their installation requirements, and all responsibilities required of the installation contractor—then the executing process should run relatively smoothly.</p>
<p>During the executing process, the contractor who was awarded the project proceeds with installing and testing the systems. Sometimes the project manager and design team stay on to manage the schedule and invoices, review the installation and test results, and generally ensure, on behalf of the owner, that the project is being installed to the quality standards documented in the project manual.</p>
<p>The relationships among designers, consultants, project managers, and contractors should be built on teamwork and based on the shared goal of providing the owner with a well-executed project and physical security system. The best projects are those where a mutual respect and a spirit of genuine collaboration are exhibited by all parties and where the project manager has the best interest of all parties in mind.</p>
<p>Although careful initial documentation of exactly what is expected of the installation will help avoid oversights and miscommunications, it is still prudent, and often mandatory, for the project manager to review and approve the work being completed. During this process, the manager's best strategy for ensuring that the project is executed well is to stay vigilant in correcting all possible holdups.</p>
<p>If the overall budget fails to capture all installation costs, change orders can occur during the installation process, after the project has been awarded to a contractor. A change order is a claim to a change in scope that usually comes with an associated cost. It is used by the contractor to seek fees for the change. Change orders can be owner directed or project directed, and they can be legitimate or illegitimate.</p>
<p>Here's an example of a legitimate, owner-directed change order. After a project manual went out to bid and the project was awarded to a contractor, the owner requested to add access control hardware to a door. This hardware was not included in the design, so the contractor had no basis on which to price it. Seeking a fee to now include that door in the installation was a legitimate change order.</p>
<p>Here's an example of a legitimate project-directed change order. The contractor discovered that 100 feet of conduit was needed to mount a video surveillance camera in an open-ceiling mechanical space. The project manual did not clearly document that the contractor would need conduit at this location, so the contractor sought to submit a change order for the cost of procuring and installing the conduit.</p>
<p>Illegitimate change orders occur when a contractor seeks fees for a task or product that was clearly documented in the project manual and, therefore, should have been included in the proposal or bid. It should be noted that legitimate or illegitimate status will not determine whether the change order will be accepted by the project. Change order acceptance or rejection is determined by the project manager, owner, and other applicable stakeholders.</p>
<p>One benchmark of success for the project is the number and scope of change orders. In other words, how close was the executed project to the agreed-upon budget and original design?</p>
<h4>Monitoring and Controlling</h4>
<p>If the project manager's responsibility is to review and sign off on the installation, it is best to do so early and often. The goal is to correct minor issues before they grow into major issues.</p>
<p>For example, let's assume a contractor completes a 200-door access control project across 20 different facilities, but does not properly secure the cabling above the ceiling grid as designed. The longer the project manager waits to get on site and review the work, the more difficult it will be to fix this mistake. If the cabling contractor is a subcontractor of the prime contractor and is finished with the scope of work by the time the project manager is on site to review the work, it may be impossible to correct these mistakes.</p>
<p>The project manager should be on site to review, at a minimum, the first few devices that are installed to ensure that the installation is clean and to specification. Indeed, many contractors prefer this method of installation kickoff because it will ensure that the installation is on the right track.</p>
<p>Common installation mistakes found on physical security projects can include sloppy or exposed cabling to devices; installation of sensors, cameras, and other devices that are not plumb or properly secured; low-voltage cabling strung across the ceiling grid and not on cabling support; failure to firestop applicable penetrations; and poor cable management and cable terminations in the data closets and control panels, among other things.</p>
<p>All site visits, communications between owner and contractor, issuances of work that need to be fixed, and approvals of work done correctly should always be formally documented and distributed to the entire team in field reports and punch lists. In turn, the contractor must document any corrections or installation requirements that are completed.</p>
<p>Requests for information from the field, product submittals, invoice submittals, and general project housekeeping should be reviewed and answered by the project manager in a timely manner to ensure that the project is not delayed due to lack of direction for the contractor or owner.</p>
<p>Sometimes, the biggest roadblocks to completing a project on schedule are the tasks that must be completed by the owner. It is important that the project manager also manage this side of the project. He or she should inform the owner early and often when tasks will be due and should sometimes advise them on how they can be best completed. These tasks may include providing IP addresses for cameras, printing and issuing badges for new access control systems in time for system cutovers, providing configuration on network electronics if required, and configuring and relaying information related to VLANs, among other things.</p>
<p>Often, contractors are only allowed to invoice for work completed or for devices that were purchased and delivered to the facility. If the project manager is tasked with reviewing invoices, it should be easy to approve or reject fees based on work completed because the project manager has periodically seen and reviewed the work in person.</p>
<p>Most projects will require that the project hold a retainer against the contractor's fee until the project is 100 percent complete. This retainer is held until the end of the project, after all the installation and miscellaneous responsibilities of the contractor have been met. Each project may have specific requirements in terms of payment and proof of work for payment that should be reviewed and adhered to by all parties.</p>
<h4>Closing</h4>
<p>The closing process can be initiated when 10 percent of the project is left to complete. Common tasks to be completed during the closeout process include administering training, delivering operation and maintenance manuals, final testing of systems, reviewing the system test results, reviewing cabling test results, and handing over the systems to the owner.</p>
<p>It is a good idea to start closeout tasks when the project is around 75 percent complete. However, getting the owner and relevant stakeholders together for training and close-out meetings can be a difficult task depending on their schedules. If the project is being completed in a school district, for example, training may need to wait for a professional development day, so it is best to book training as soon as the trainer is available.</p>
<p>Depending on the owner's level of expertise, it may also be beneficial to include in the project manual additional training two to six months after the project is handed over to the owner. This will allow the owner to schedule refresher training if desired.</p>
<p>Once the project manager and design team accept the final installation, all closeout deliverables are finalized, and all final fees, contingencies, and invoices are paid, the project is handed over to the owner and is considered complete.</p>
<p>Successful project completion requires improvisation, teamwork, thoroughness, and foresight. All are skills that are developed over time and through hands-on experience on projects of different sizes and types. The best project managers are those who learn from their mistakes, document their lessons learned, and share those insights with the project management and security management communities.</p>
<p><em><strong>Nicholas D'Agostino, </strong>PSP, PMP, is a senior manager of system design for D'Agostino & Associates, a technology consulting firm. He has spearheaded multiple city-wide physical security upgrade projects throughout the Northeast. He can be reached at NickD@DA-Technology.com. D'Agostino is a member of ASIS International.</em></p>
How to Implement ESRM | Strategic Security
https://adminsm.asisonline.org/Pages/How-to-Implement-ESRM.aspx
<p>International Paper (IP) is one of the world's leading producers of fiber-based packaging, pulp, and paper. Headquartered in Memphis, Tennessee, IP employs approximately 52,000 people worldwide and has operations in more than 24 countries serving customers around the globe.</p>
<h4>The Challenge</h4>
<p>When IP's director of security announced his retirement, the IP team—Deon Vaughan, vice president, deputy general counsel, chief ethics and compliance officer; Casey Yanero, HR manager, corporate staff groups; and Jennifer Carsley, director, legal operations—recognized it was time to transform corporate security into an enterprise-level function.</p>
<p>The ever-changing threat landscape and IP's core values of "Safety, Ethics and Stewardship" underscored the need for IP to transition to a proactive security posture. To lead this transition, IP hired Art Fierro, CPP, in February 2017 to fill the newly created chief security officer (CSO) role.</p>
<h4>ESRM Solution</h4>
<p>Enterprise security risk management (ESRM) links security activities to an enterprise's mission and business goals through risk management methods.</p>
<p>The CSO's role in ESRM is to manage risks to enterprise people and assets in partnership with the business leaders. ESRM involves collaborating with business leaders on the realistic impacts of identified risks, presenting potential strategies to mitigate those impacts, and then implementing the strategy in line with accepted levels of business risk tolerance.</p>
<p>Fierro's background is rooted in ESRM in both the government (FBI) and the corporate space. To move IP from a traditional security organization to an ESRM enterprise model, Fierro conducted an extensive security analysis to identify where the organization excelled and where the data showed opportunities for improvement.</p>
<p>The analysis included conversations across business groups and corporate partners. It served as the foundation for IP's ESRM strategy and helped create its vision statement: "To protect IP people, information, products, and the corporate brand in support of business objectives and enterprise success."</p>
<p>IP's new enterprise security strategy is grounded in the principles of basing security mitigation steps on risk and using cost-benefit analysis to ensure a return on security investment. The strategy is also aligned with IP business operations and is designed to help achieve business objectives—meaning security would not just be a cost center but also a business enabler.</p>
<h4>Partnerships</h4>
<p>Sharon Ryan, senior vice president, general counsel, and corporate secretary, embraced ESRM as IP's new enterprise security strategy, because the strategy was aligned with IP's core values and business strategy.</p>
<p>"We recognize that by adopting the latest risk management strategies in enterprise security and bringing on experienced security professionals, not only are we helping protect our people and property, we are also reducing the risk of negative exposure related to our brand and reputation," she says.</p>
<p>Ryan supported the strategy by rebranding IP Corporate Security to Enterprise Security Management and creating three new positions reporting to Fierro and designed to address IP's enterprise risks: global threat manager, global physical security manager, and global investigations manager. The three functional roles cover the spectrum of enterprise risk, and each has a deployment roadmap that ties into the larger Enterprise Security Management global strategy.</p>
<p>Vaughan also supported the effort by endorsing a campaign for Enterprise Security Management to build partnerships across business lines, such as IP's Environmental Health and Safety (EHS) department, and to partner on initiatives to protect IP's employees—one of Enterprise Security Management's strategic objectives.</p>
<h4>Outcomes</h4>
<p>With the endorsement of ESRM at the leadership level, Fierro was able to work with partners to create a risk-based security program to focus security resources on identified risks. The program also provides the operating manual for vulnerability and risk assessments, so IP can make informed business decisions about its risk tolerance.</p>
<p>Enterprise Security Management created a new concept, a virtual operations center, which produces a global threat picture that helps it identify and address emerging global threats to IP employees and facilities. The virtual operations center is outsourced to leverage economies of scale, leading-edge technology, and professional threat analysts and operators, while providing an excellent return on security spend.</p>
<p>Over the past year, Enterprise Security Management focused on a number of strategic initiatives. One is the geospatial traveler-tracking program for IP's traveling employees.</p>
<p>The program provides real-time mobile device GPS monitoring, on a voluntary basis, with a panic button for emergencies. The program is monitored at all times by the virtual operations center.</p>
<p>Another initiative is the corporate campus security capital improvement project. Enterprise Security Management is leading a security improvement project for IP's corporate headquarters based on ASIS International physical security standards and guidelines, as well as geographic risk demographics and the return on security spend.</p>
<p>Enterprise Security Management also launched its first national security guard force contract to consolidate and standardize guard force operations across certain U.S.-based facilities. The consolidated operations agreement helps ensure consistency and reduce cost.</p>
<p>Enterprise Security Management is also working with EHS to add a security aspect to the current field assessment process to identify actual risk at IP's global locations. Assessment results will be used to develop security recommendations, including leveraging security technology.</p>
<p>Additionally, Enterprise Security Management created a new active shooter response training program for employees. The training included Virginia Tech shooting survivor Kristina Anderson, who shared a survivor's perspective, as well as the Memphis Police Department, which provided training for employees on Run. Hide. Fight. The active shooter plan is also available on IP's internal website for employees to reference.</p>
<p>Working across business groups and with critical internal partners, Enterprise Security Management developed new crisis communications reporting, dissemination, and functional requirements that include mass communications features for a unified enterprise response to manmade or natural disasters.</p>
<p><em><strong>Art Fierro, CPP,</strong> is CSO at International Paper. He formerly served as CEO of Ronin Option - Cyber; executive vice president at Resilient Integrated Systems; and vice president at 20th Century Fox Film Corporation. He is a member of ASIS International.</em></p>
https://adminsm.asisonline.org/Pages/Critical-Risk-Management.aspx Critical Risk Management (Cybersecurity)
<p>Private sector companies are not the only organizations that are embracing enterprise risk management. The U.S. government continues to do so too, albeit slowly. And recently, one U.S. federal agency released new draft guidelines on how risk management principles can be applied to critical infrastructure's information systems.</p>
<p>The proposed guidelines come from the U.S. Department of Commerce's National Institute of Standards and Technology (NIST). For the last few years, NIST has worked on refining its Risk Management Framework (RMF), which is aimed at helping organizations integrate information security principles and practices into enterprise risk management programs.</p>
<p>The RMF includes, among other components, a structured process for valuing organizational assets; for selecting, implementing, and assessing security controls; and for monitoring security controls. Government officials say this RMF is especially necessary because threats to U.S. critical infrastructure are outpacing efforts to reduce vulnerabilities.</p>
<p>"There is an urgent need to further strengthen the underlying information systems, component products, and services that we depend on in every sector of the critical infrastructure," writes Ron Ross, a NIST computer scientist, in the foreword of the new guidelines.</p>
<p>The guidelines have seven objectives: strengthen the links between high-level risk management efforts and lower-level operational activities; institutionalize risk management preparatory activities; demonstrate how the RMF can be aligned with NIST's Cybersecurity Framework; integrate privacy concepts into the RMF; promote the development of secure software systems; integrate supply chain risk management principles into the RMF; and provide an alternative approach to selecting security controls.</p>
<p>In addition, the new guidelines include instructions for tasks that will help prepare organizations to use the RMF for their information systems and programs. These tasks are divided into separate categories—organization level and system level.</p>
<p>On the organization level, these tasks include assigning risk management roles to employees, establishing an overall risk management strategy, assessing organization-wide risks, establishing and documenting baselines for stakeholder protection needs, categorizing the comparative impact levels of different information systems, and developing an organization-wide strategy for continuous monitoring.</p>
<p>On the system level, the tasks include identifying the business mission that the system supports, identifying stakeholders that have an interest in the system, categorizing the types of information the system uses, conducting a system-level risk assessment, identifying the system's protection and privacy requirements, and registering the system for purposes of management and oversight.</p>
<p>"Given the significant and ever-increasing danger of the threats, it is imperative that organizations remain vigilant and that leaders and managers at all organizational levels understand their responsibilities and are accountable for protecting organizational assets and for managing security risks," NIST says in the guidelines.</p>
https://adminsm.asisonline.org/Pages/Book-Review--Business-Continuity.aspx Book Review: Business Continuity (Strategic Security)
<p><em>The Manager's Guide to Simple, Strategic, Service-Oriented Business Continuity</em></p>
<p>By Rachelle Loyear. Rothstein Publishing; Rothstein.com; ebook; $14.74.</p>
<p>Business continuity plans must be simple, strategic, and service-oriented: that is the key message of this book by Rachelle Loyear. The author advocates a new model—the Three S Philosophy—as an approach to improve engagement and support for business continuity management (BCM) programs.</p>
<p>Traditional BCM programs face various challenges and roadblocks that make them cumbersome for business subject matter experts and even for the experienced risk professional. To counter those obstacles, Loyear urges planners to focus on the essentials, stripping away complexity and putting strategy and business value front and center to help the risk owner in the BCM journey.</p>
<p>This guide will provide great value for anyone engaged in BCM, whether as an experienced risk professional or a functional expert. The Three S Philosophy, which endorses simplicity, strategy, and service, provides a powerful yet uncomplicated framework that focuses on value. The reader will appreciate various references in the manuscript to enterprise security risk management, as well as practical templates and checklists to facilitate further use.</p>
<p><em>Reviewer: Rachid Kerkab has almost two decades of experience in criminology, strategy, risk, and resilience. He is a member of ASIS.</em></p>
https://adminsm.asisonline.org/Pages/Book-Review-Anatomy-of-Terror.aspx Book Review: Anatomy of Terror (National Security)
<p>W.W. Norton & Company; wwnorton.com; 384 pages; $18.95.</p>
<p>In his book, <em>Anatomy of Terror: From the Death of bin Laden to the Rise of the Islamic State,</em> former FBI special agent Ali Soufan takes the reader on a journey of al Qaeda's evolution from a locally organized jihadist movement with global ambitions to a globally active organization with regional offshoots. Soufan's goal is to provide a definitive account of the organization's lifetime in a way that moves the Western reader beyond the current discourse surrounding radical Islamism and towards a more "clinically empathetic" point of view, arguing that we still do not fully understand our enemy, even nearly two decades into the War on Terror.</p>
<p>To be clear, this goal is not altruistic—Soufan argues that this kind of empathy is a critical and heretofore missing ingredient required to build a better understanding of al Qaeda, which in turn helps the security community build more precise and effective countermeasures.</p>
<p>Soufan's account is useful to the security community that is interested in gaining a more nuanced perspective of al Qaeda's organizational development and the personalities behind it. He draws the reader in, using vivid, occasionally flowery, language, and makes characters out of al Qaeda members, such as "wily security chief" Saif al-Adel and "cold bureaucrat" Ayman al-Zawahiri. This approach makes the book an easy, engaging, and interesting read.</p>
<p>What compromises the book's utility, at least in an academic sense, is that it is difficult for the reader to know where fact ends and fiction begins. Despite his "Note on Sources" and "Notes" sections, which are indeed helpful, Soufan provides few citations for direct quotations and perceptions of al Qaeda's key players. The result is an interesting tale that requires the reader to conduct additional research to fact-check its contents.</p>
<p><em>Reviewer: Margaret D.M. Barber is a national security researcher in the Joint Advanced Warfighting Division at the Institute for Defense Analyses.</em></p>
https://adminsm.asisonline.org/Pages/August-2018-ASIS-News.aspx August 2018 ASIS News (Strategic Security)
<h4>Opening GSX Keynotes Announced</h4>
<p>Future-focused visionaries are coming to Vegas. Peabody Award-winning CNN host, columnist, and global thinker Fareed Zakaria and futurist and technology pundit Scott Klososky will bring vital insight to their opening keynote addresses at Global Security Exchange (GSX), formerly the ASIS Annual Seminar and Exhibits, September 23–27 in Las Vegas.</p>
<p>Zakaria will kick off the GSX conference program on Monday with his opening remarks. A former editor-at-large at TIME and current host of CNN's flagship international affairs program, "Fareed Zakaria GPS," he is a world-renowned expert on global trends. His columns and commentaries—on topics ranging from the future of the Middle East and America's role in the world to innovation and the politics and culture of the global economy—reach millions through The Washington Post, CNN, and his daily digital newsletter.</p>
<p>At GSX, Zakaria's comments will focus on the forces of global change. Today's cyberthreats know no boundaries. Global expansion and outsourcing mean leaders must manage international teams and varying cultures. With an emphasis on emotional intelligence and security, he will explore what it means to live in a truly global era.</p>
<p>Klososky returns to GSX as the Tuesday morning keynoter on the heels of his popular "The Technology Integration of Man" presentation in 2017. Since then, he has discussed enterprise security risk management and key change drivers in today's security industry at ASIS Europe and the ASIS CSO Summit. At GSX he will tie all these thoughts together for a comprehensive look at the impact of today's rapid digital transformation on security management and leadership. He will build a compelling case for managing and using technology—and knowing when not to use it—to gain a competitive advantage and lead successfully into the future.</p>
<p>For more GSX updates, visit gsx.org/blog. The GSX Blog offers previews of the education, products, and experiences available to participants in Las Vegas this September. Hear attendees, speakers, and exhibitors explain what they're looking forward to at GSX and why this show—for the profession, by the profession—is the industry's can't-miss event.</p>
<h4>Student Members Attend GSX Free</h4>
<p>ASIS International is making it easier than ever for students of all ages to enter the security profession, providing the information, networking, and professional development opportunities needed to kick-start their careers.</p>
<p>Last year, ASIS reduced student membership fees to $20 per year. In 2018, ASIS has deepened its commitment to the profession's next-generation leaders by offering all student members a complimentary all-access registration for Global Security Exchange (GSX).</p>
<p>The all-access pass allows students to participate in the onsite career center and job fair to learn about the diverse range of opportunities available across the profession and attend the full education program, including foundational sessions like "Security Careers: The What and the How" and "A Framework for Multigenerational Security Organizations." Most importantly, they can begin to build a network that will support them through every stage of their professional journey.</p>
<p>Ron Martin, CPP, regional vice president, ASIS International Region 3D, and director, Open Security Exchange, has sponsored dozens of student members over the years so they could benefit from the education and networking that ASIS provides.</p>
<p>"I've long believed that it's the responsibility of veteran security professionals to take the next generation under their wings," Martin says. "An ASIS membership offers these students career-long connections to the lifeblood of the security profession. Mentors and experts in the field are always within reach and able to provide advice at every stage of their careers."</p>
<p>ASIS has also started developing a new early careerist certification, envisioned to be the first rung on a security management professional's career ladder.</p>
<p>The ASIS Young Professionals Council is hard at work to ensure that these next-generation leaders make the most of their involvement with the Society. Each ASIS chapter is encouraged to designate a Young Professionals liaison, who organizes events and advocates for young professionals and the issues that matter to them most.</p>
<p>Members are encouraged to reach out to their local chapter and identify students who can benefit from membership. For help getting started, contact the Academic and Training Programs Council via <a href="mailto:ASIS.ATPCouncil@gmail.com">ASIS.ATPCouncil@gmail.com</a>.</p>
<h4>Council Corner: Academic and Training Programs Council</h4>
<p>Nearly two dozen professors, adjunct faculty, and security professionals with expertise in training development and delivery make up the Academic and Training Programs Council. These leaders promote and assist in the development of security academic education and professional training programs at academic institutions, professional associations, private organizations, and government entities.</p>
<p>The council's work includes collaborating with universities that offer accredited academic programs in security management, national security, and cybersecurity to share security-related trends and studies. The council also works with ASIS stakeholders to connect with undergraduate and graduate students in support of their development to become the next generation of leaders within the security profession.</p>
<p>In the coming months, the council will focus on updating the ASIS listing of institutions offering security academic programs, surveying universities and student members, improving curriculum development by promoting better understanding of broader skill sets required of security executives, and promoting increased understanding of enterprise security risk management (ESRM) and its linkage to business success.</p>
<h4>Chapter Events in India</h4>
<p>Over a single weekend in May, the ASIS New Delhi and Mumbai chapters drew hundreds of attendees to chapter events to spotlight and celebrate security excellence.</p>
<p>On May 25, the New Delhi Chapter's Women in Security event featured topics like "Breaking Barriers," "Diversity and Inclusion," and more, delivered by women security professionals from Boeing, Shell, and IBM, among others. Almost 100 professionals attended the event at the Bank of America's Gurugram office.</p>
<p>"This meeting provided an excellent platform to showcase women security professionals at various levels," says Manish Datta, chapter chair, ASIS New Delhi. "These women act as a guiding light for others to follow their passion and make this industry their professional choice."</p>
<p>The Mumbai Chapter highlighted security excellence on May 26 via its CPP Review Session and Mentorship Program presentation. Nearly 150 professionals attended the virtual conference to learn about the chapter's new CPP preparation program.</p>
<p>Through the program, CPP aspirants will be paired with a mentor. The mentor will conduct monthly discussions, and aspirants will participate in quarterly review sessions. After a year's time, the program's participants should have attained the requisite knowledge to attain the CPP certification.</p>
<p>"The overwhelming attendance for this program is a clear reflection of the growing potential of the security industry in India," says Sanjeev Mishra, CPP, chapter chair, ASIS Mumbai. "This initiative will go a long way in both spreading awareness about ASIS and the CPP certification and sharing valuable knowledge needed for security professionals to thrive."</p>
<p>Datta presented closing thoughts at the Mumbai event, demonstrating the collaborative spirit these chapters share in their efforts to advance the profession.</p>
<p>To stay up to date on the work ASIS chapters do all year long, read monthly regional Dynamics member newsletters at asisonline.org/Dynamics.</p>
<h4>ASIS LIFE MEMBER</h4>
<p>ASIS congratulates Frank W. Robinson, CPP, on becoming a Life Member. Robinson has been a member of ASIS for 36 years and has held the CPP certification since 1983. He served on the Commercial Real Estate Council.</p>
<h4>MEMBER BOOK REVIEW</h4>
<p><em>The Manager's Guide to Simple, Strategic, Service-Oriented Business Continuity.</em> By Rachelle Loyear. Rothstein Publishing; Rothstein.com; ebook; $14.74. Reviewed by Rachid Kerkab (see the Book Review: Business Continuity entry above).</p>

UPCOMING EVENTS AND EDUCATION

22 August 2018
Protecting Soft Targets from Active Shooters (Webinar)

11 September 2018
Campus Security and Real-Time Information (Webinar)

18 September 2018
Migrate, Mitigate, Manage (Webinar)

19 September 2018
CSO as Steward of Corporate Security (Webinar)

23–27 September 2018
GSX (Las Vegas)

21–26 October 2018
Wharton/ASIS Program for Security Executives (Philadelphia, Pennsylvania)