Event Security

 

 

https://adminsm.asisonline.org/Pages/Personnel Peril.aspxPersonnel PerilGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a43444652018-04-01T04:00:00Z<p>​When employees steal proprietary information, they don't just cause headaches for the organization—they erode confidence in the trustworthiness of screened employees and vetted business partners. Following the recent spate of high-profile incidents—including leaks by U.S. National Security Agency contractor Edward Snowden in 2013, violent attacks on Fort Hood by Major Nidal Hasan in 2009, and Washington Navy Yard shooter Aaron Alexis in 2013—the U.S. government determined that existing vetting processes and security standards for sensitive programs were inadequate. Key policy changes were implemented, including a new requirement for government organizations and certain government contractors to establish an insider threat program. The requirements changed the way government-affiliated organizations approached employee management and codified existing insider threat practices.</p><p>What does that mean for private sector organizations, even if they don't work with the government? Certain features of a U.S. Department of Defense (DoD)-style insider threat program may be relatively easy to implement and offer considerable security enhancements. Traditional administrative and physical security practices—locked doors, alarm systems, and inventory controls—are focused externally and are largely ineffective at preventing employees and other authorized persons from committing harmful acts.</p><p>Integrating an insider threat policy with employee and event best practices can create a well-rounded employee management program that benefits workers and the organization. Educating employees on how to recognize and report potential insider threat information can also have a positive effect on the organization's culture and emphasize everyone's role in keeping a safe, secure work environment.</p><p>Concurrent Technologies Corporation (CTC), an independent, nonprofit organization that conducts applied scientific research and development for government and industry, faced this exact challenge upon the creation of a nuclear research facility. </p><p>With industrial space and laboratories in five states, and more than 25 percent of employees telecommuting, CTC's potential insider threat profile is typical among many technology companies in the United States. Protection of sensitive government programs, client information, and intellectual property is paramount to success in a highly competitive environment.  </p><p>But the August 2017 establishment of CTC's Center for Advanced Nuclear Manufacturing (CANM) in Johnstown, Pennsylvania, created new insider threat challenges that CTC had to address. The CANM is designed to bring fabrication technology and materials expertise to the emerging next generation of commercial nuclear power plants and will conduct business only with private sector organizations that are working on small nuclear reactors. While CTC works with both industry and sensitive government programs—and must abide by federal insider threat policies—it wanted CANM to have a government-grade insider threat program that would defend against all kinds of manmade threats—from petty theft to intellectual property issues to event management.   </p><p>A planned ribbon cutting and open house event at the CANM would place about 75 visitors in close proximity to CTC's intellectual property and advanced technology—and would serve as the first real test of the organization's new insider threat policy. ​</p><h4>Tailoring a Solution</h4><p>The FBI, U.S. Department of Homeland Security (DHS), and U.S. Defense Security Service provide tools for industry organizations to develop insider threat programs, including online training courses and brochures available through public websites. The tools identify specific behaviors that may indicate the presence of an insider threat.  </p><p>Simply educating employees on what to watch for may improve the chances of averting a workplace incident. Other insider threat program features, such as information sharing and incident reporting, could also prove beneficial. Initiatives can be tailored to fit the organization, and security practitioners may find that their programs already include parts of the overall insider threat framework outlined in government directives.  </p><p>This was true for CTC as it began to build a more robust insider threat program. While the organization had taken an informal approach to communicating potential employee issues, it was nowhere near the formalized program needed. To make sure the program covered all threats, CTC created an insider threat working group.</p><p><strong>Comprehensive support. </strong>An insider threat program relies on buy-in throughout the organization. A single official with authority to develop policies and procedures should be appointed to manage the program. He or she should also be responsible for determining when to report substantive insider threat information to law enforcement and other entities outside the organization.</p><p>CTC appointed an insider threat program official and established a working group with membership based on relevant roles, including representatives from security, human resources, IT, executive management, and ethics and compliance. The working group conducted several program reviews and established the types of activities to watch out for or report. </p><p>The group also ensured that all employees completed awareness training in the time leading up to the CANM open house and helped foster a culture of communication so that employees would not hesitate to report concerns about visitors or fellow employees. Line employees are often the first to sense that something is off—if they notice changes in an employee's routine or behavior, they should know how to safely and effectively communicate the information to team leaders without fear of retribution. </p><p>Security staff and senior managers stood ready to work with department managers and labor representatives to reduce or eliminate social barriers to reporting. Reporting policy violations and unusual or suspicious behavior must not be viewed as tattling. Instead, it should be emphasized that timely reporting may save the company or business unit from significant financial loss, unfair competition, or even a tragic incident.</p><p><strong>Team approach. </strong>Effective information sharing and collaboration among security stakeholders in the organization are essential for a stalwart insider threat program. Functional leaders—like the ones in CTC's insider threat working group—typically monitor organizational performance in areas relevant to detecting a potential insider threat. For example, larger organizations usually rely on a CISO to detect violation or circumvention of policies regarding systems access, file transfers, software installation, and other network activities. Likewise, the human resources department should track, analyze, and share information on trends in employee misconduct, including harassment complaints and drug testing. In reviewing such information, the team must take care to protect employee privacy and focus only on security-relevant factors that might create concerns of an insider threat and identify needed adjustments in policies and training. </p><p>For special events and unusual situations, organizations should not shy away from reaching out for help. The CTC insider threat program's leader contacted the FBI private sector coordinator, Defense Security Service representatives, and local law enforcement officials several weeks before the open house to inform them about the event and to obtain updated threat information. The FBI coordinator participated in an event rehearsal and walkthrough, and provided a tailored counterintelligence briefing to CANM engineers, program managers, and support staff, offering specific recommendations to limit risk while accomplishing overall open house objectives.  </p><p><strong>Training. </strong>Employees should feel that they share a common security interest—success for themselves and for the entire organization requires their commitment to protecting intellectual property, proprietary information, and other valuable resources. Leaders must emphasize these points and encourage employees to actively support security programs and procedures. Employee commitment and loyalty to a common cause cannot be assumed, particularly in industries that experience high employee turnover. </p><p>Training employees to watch for specific activities and behaviors that may indicate an insider threat is the key to viable information reporting within the organization. Employees tend to recognize differences in a coworker's attitude, work ethic, or behavior well before an incident occurs, so they must know when and how to report concerns. Employees must also know how to recognize suspicious emails, scams, phishing attempts, and social engineering tricks to avoid becoming an unwitting insider or being coerced into providing information or other assistance. Training should also emphasize the importance of following basic rules aimed at mitigating risk, such as locking or switching off computer workstations when unattended.  </p><p>CANM employees were trained in traditional insider threat identification messages but were also given tips on identifying and reporting suspicious behavior at the open house event. </p><p>Because engineers, program managers, and event staff integrated security best practices into their job requirements, enhanced security was everywhere yet remained unseen at the event.</p><p><strong>Written plans. </strong>The insider threat working group at CTC identified all written guidance regarding employee behavior, from harassment policies and timekeeping systems to travel plans and procedures and integrated it into the plan. The insider threat program features a risk mitigation plan that identifies insider threat stakeholders, roles and responsibilities, resources, policies, and procedures. The team of stakeholders meet periodically to review the plan, share and assess potential insider threat information, and determine additional actions needed to protect people, operations, intellectual property, and other resources.</p><p>For example, at a stakeholder meeting, someone in charge of travel finances might point out that the rental car budget for the previous month was 20 percent larger than normal. Human resources personnel can revisit employee travel dates and potentially identify excessive use of rental vehicles for personal travel. The same insider threat reporting procedures should be followed to address the problem. ​</p><h4>Redefining Insider Threats</h4><p>CTC's reevaluation and preparation paid off—the open house event went smoothly for staff and visitors alike. </p><p>CTC security officials are also reaping longer-term benefits from the CANM experience. For example, the department is improving its approach to training by conducting lunchtime seminars and more personal interviews with employees to reinforce the significant role that each employee plays in countering insider threats, even if security is not their primary role.</p><p>In addition to the CANM program, other business changes prompted CTC to reassess potential threats and strengthen routine security procedures. New contracts with government clients outside the DoD brought new requirements and concerns for protecting sensitive information processed and stored on company networks. The company invested in new equipment, and other areas of business development brought increased interaction with international customers—along with added challenges for ensuring compliance with American export laws. </p><p>By thinking outside the box in regard to an insider threat, CDC was able to create a well-rounded employee management policy that is capable of addressing a variety of organizational concerns. Addressing a wide scope of potentially problematic employee-related activity—not just intellectual property or workplace violence concerns—through an insider threat lens strengthens the entire program and makes it more adaptable for addressing other business concerns.</p><p>As an example, security staff worked with shop floor staff and project managers to revise the facility's access control plan. Doors to certain industrial areas within the 250,000-square foot CANM were closed to employees who did not have a clear need for access. Facility access hours were restricted for many employees, and a proximity card in addition to a six-digit PIN is now required to use doors that are not routinely monitored. Process owners and senior managers fully grasped the need for such procedural changes and strongly supported the recommendations. </p><p>As international business contacts expanded, the security, contracts, and export compliance departments worked closely with program managers to ensure that export licenses encompass all international dealings involving protected technologies. The company's enterprise visitor system, internally developed in 2012 and upgraded in 2015, electronically routes international visit requests for coordination and approval. This ensures that the right managers and technicians are informed, projects are shrouded, or operations are suspended or rescheduled as needed.            </p><p>With such low- or no-cost security enhancements in place, establishing an insider threat program required only a modest effort to formalize plans and procedures, chartering a working group, and expanding existing training. Other corporations working exclusively or extensively with government contracts can engineer similar results.  </p><p>Increasing awareness of insider threats and encouraging employees to report suspicious behavior and policy violations has directly led to improved overall security. For example, information received in recent months from frontline employees has enabled managers to correct internal issues and mitigate vulnerabilities in how the company purchases, inventories, and accounts for low-cost supplies, equipment, and bench tools. Workers in the affected areas recognize how the changes reduce risk of pilferage and unauthorized use of company assets. Minimizing such losses helps the company control overhead costs, remain competitive, and protect jobs and salaries.     </p><p>If an organization is unaccustomed to a regimen of safety and security rules during daily business operations, it may take months to evolve a security culture where employees are likely to bring their concerns forward and key supervisors can evaluate information and respond effectively. The advantages of starting now almost certainly outweigh the risk of what could come later.  </p><h4>Sidebar: How Nuclear-Level Security Influenced Today’s Insider Threat Programs​<br></h4><p></p><p>Concerns about insider threats are not new. In the mid-1940s, during the highly secretive Manhattan Project—the United States' efforts to develop the world's first atomic weapons—leaders were most concerned that a trusted insider could be blackmailed or tempted to commit espionage for money. Losing atomic secrets to enemies could have drastic—and deadly—consequences. The art of protecting critical research, test activities, materiel and weapons production, and plans for use of nuclear weapons was woven into the Manhattan Project and remains a hallmark of security within U.S. Department of Defense (DoD) nuclear programs.</p><p>The personnel clearance process and the personnel reliability program (PRP) have been central in addressing insider threats to nuclear capabilities since the 1960s. Clearance processes are designed to screen people for trustworthiness and must be strictly followed prior to granting an individual access to classified nuclear design information, plans, capabilities, or operating procedures. A personnel clearance is based on favorable evaluation of factors such as the person's demonstrated financial responsibility, personal conduct, and allegiance to the United States. Cleared individuals are reinvestigated periodically to ensure continued access is appropriate. Those in unusually sensitive and critical positions may be subjected to polygraphs.   </p><p>The PRP is an added layer of administrative security comprising procedures, automated notifications, tiered supervision, and other checks designed to ensure workers are mentally and physically fit at the time they perform critical tasks, such as nuclear command and control, maintenance, or armed security. PRP requirements and standards are risk averse—the slightest concern may result in temporary suspension from normal duties until circumstances change or a problem is resolved. A common reason for temporary suspension from duties under the PRP is use of prescription medication, which may cause drowsiness. Minor disciplinary infractions may also result in PRP suspension, triggering security measures that block access to restricted facilities and information systems.</p><p>Together, clearance processes and the PRP foster a heightened safety and security environment where workers are dutybound to report relevant information about themselves and others to appropriate authorities. Such an environment is essential based on the destructive power and political significance of the nuclear arsenal. Senior government and military personnel hold leaders within the nuclear community accountable for evaluating conditions that may detract from anyone's assigned tasks under PRP. For example, removal of the responsible unit commander is often the outcome of failure to properly adhere to PRP guidelines.    </p><p>Historically, these stringent screening and reliability standards are seldom applied to government and contractor enterprises outside nuclear communities. Since 2013, however, government officials have increasingly acknowledged the threat of insiders. Personnel clearance processes are now bolstered with additional screening and random selection for background checks between the traditional timespans for periodic reinvestigation. Additionally, government clearance adjudicators may now review and consider social media information when determining overall eligibility for access to national security information.</p><p>A series of U.S. Department of Homeland Security and DoD documents and guidelines mandate insider threat programs for agencies and certain contractors but stop short of requiring self-reporting measures such as those associated with the DoD PRP due to cost, legal concerns, and other practical considerations. A PRP-like mindset, however, can be encouraged within any operation where inattention to detail, slowed reaction time, or lapse in judgment could result in injury, death, or unacceptable material or financial loss.​</p><p><br> </p><p><em>Ronald R. Newsom, CPP, is a retired U.S. Air Force officer now employed with Concurrent Technologies Corporation, a recipient of the DoD 2017 Colonel James S. Cogswell Award for sustained excellence in industrial security. Newsom is a member of ASIS International. He also serves as the Chair of the National Classification Management Society's Appalachian Chapter.    ​ ​</em></p>

Event Security

 

 

https://adminsm.asisonline.org/Pages/Personnel Peril.aspx2018-04-01T04:00:00ZPersonnel Peril
https://adminsm.asisonline.org/Pages/Securing-Special-Events.aspx2018-02-23T05:00:00ZSecuring Special Events
https://adminsm.asisonline.org/Pages/How-to-Learn-from-Las-Vegas.aspx2018-02-01T05:00:00ZHow to Learn from Las Vegas
https://adminsm.asisonline.org/Pages/Q-and-A-Event-Security.aspx2018-01-01T05:00:00ZQ&A: Event Security
https://adminsm.asisonline.org/Pages/Houston-Secures-the-World-Series.aspx2017-10-24T04:00:00ZHouston Takes Measures to Secure World Series
https://adminsm.asisonline.org/Pages/LIVE-UPDATES-LAS-VEGAS-SHOOTING.aspx2017-10-02T04:00:00ZLIVE UPDATES: Las Vegas Shooting
https://adminsm.asisonline.org/Pages/Houston’s-Game-Day-Solutions.aspx2017-07-01T04:00:00ZHouston’s Game Day Solutions
https://adminsm.asisonline.org/Pages/Security-101--What-to-Expect-at-the-U.S.-Presidential-Inauguration.aspx2017-01-18T05:00:00ZSecurity 101: What to Expect at the U.S. Presidential Inauguration
https://adminsm.asisonline.org/Pages/Truck-Drives-Into-Berlin-Christmas-Market-Killing-Nine.aspx2016-12-19T05:00:00ZBerlin Christmas Market Attacker Killed in Shootout
https://adminsm.asisonline.org/Pages/Rocking-in-Cleveland.aspx2016-11-01T04:00:00ZRocking in Cleveland
https://adminsm.asisonline.org/Pages/Open-Carry-Conundrum.aspx2016-11-01T04:00:00ZOpen Carry Conundrum
https://adminsm.asisonline.org/Pages/Olympic-Sized-Threats.aspx2016-08-01T04:00:00ZOlympic-Sized Threats
https://adminsm.asisonline.org/Pages/What-the-Pulse-Nightclub-Attack-Means-for-Soft-Target-Security.aspx2016-06-14T04:00:00ZWhat the Pulse Nightclub Attack Means for soft Target Security
https://adminsm.asisonline.org/Pages/Training-Device-Triggers-Evacuation-of-Manchester-United-Stadium.aspx2016-05-16T04:00:00ZTraining Device Triggers Evacuation of Manchester United Stadium
https://adminsm.asisonline.org/Pages/A-Vote-for-Biometrics.aspx2016-05-01T04:00:00ZA Vote for Biometrics
https://adminsm.asisonline.org/Pages/Feds-Take-on-Assault.aspx2016-05-01T04:00:00ZFeds Take on Assault
https://adminsm.asisonline.org/Pages/Secure-Activism-101.aspx2016-03-14T04:00:00ZSecure Activism 101: How To Survive a Demonstration
https://adminsm.asisonline.org/Pages/A-Defensive-Stance.aspx2016-03-01T05:00:00ZA Defensive Stance
https://adminsm.asisonline.org/Pages/Securing-the-Fan-Experience.aspx2015-02-09T05:00:00ZSecuring the Fan Experience
https://adminsm.asisonline.org/Pages/Here-Comes-the-Sun.aspx2015-01-01T05:00:00ZHere Comes the Sun

 You May Also Like...

 

 

https://adminsm.asisonline.org/Pages/Q-and-A-Event-Security.aspxQ&A: Event Security<p>​The ASIS 2017 Book of the Year is <em>Managing Critical Incidents and Large-Scale Event Security</em> by Eloy Nuñez and Ernest G. Vendrell. The authors spoke to <em>Security Management </em>about security trends and challenges in the event industry.</p><p><em><strong>Q. </strong>What are some of the biggest challenges facing the event security industry today?</em></p><p><strong>A. </strong>An overreliance on technology is a major challenge. We tend to think that a wall or a fence will keep the bad guys out, and it does help a lot, but in and of itself it's not going to solve our problems. We know that every fence and wall can be breached, and every technology that one can think of can be counteracted. It takes an active observation of the technology and how it's working. Another challenge is a sense of complacency–the idea that someone else is watching. That tends to make us less alert. Communication also becomes so important, especially when you're dealing with a variety of participants. It's essentially impossible to achieve requisite levels of coordination and collaboration without that effective communication.</p><p><em><strong>Q. </strong>How has the event security space evolved over the last few decades?</em> </p><p><strong>A. </strong>Three factors have made us more effective and efficient than in the past: computer processing speed, the miniaturization of technology, and the interconnectedness of people via devices. The improvements to technology have been outstanding. We're now able to process information more quickly. The interconnectedness allows us to communicate, collaborate, and crowdsource for information. There are so many different people from disparate backgrounds and agencies. We all get together and plan things out, and the byproduct is that we learn from each other.</p><p><em><strong>Q. </strong>Your book draws on lessons learned from past events. What are some of the overarching themes in those lessons?</em></p><p><strong>A.</strong> Given the complexities of critical incident management and large-scale event planning, we try to simplify things as best we can so that everyone is able to execute those plans. It takes a well-trained, diversified, and committed team that has clear goals and objectives. Have the team that you put in place practice as much as possible, and institute training that's relevant, realistic, and replicates the environment that you're working in. </p><p><em><strong>Q. </strong>Given the range of threats to the live event industry, how can security professionals share information to help mitigate those challenges?</em></p><p>A. Networking is so critical. One thing we wrote about was that, in the public safety arena, we were great at identifying lessons learned, but the problem was that we weren't applying those lessons. Conferences like the ASIS annual seminar and exhibits), where you have professionals sharing lessons learned and how they applied them, are so important in terms of professionalization and collectively doing a better job moving forward. Identifying contacts ahead of time and getting to know them before there's a problem is critical. That way when an unforeseen incident occurs, you have the right parties on speed-dial.</p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465
https://adminsm.asisonline.org/Pages/Securing-the-Fan-Experience.aspxSecuring the Fan Experience<p>​<span style="line-height:1.5em;">In October 2005, as the final seconds ticked off the clock and Oklahoma University (OU) sealed its 43 to 21 victory against Kansas State, an announcement washed over the 84,000 fans gathered in the football stadium: a bomb had gone off outside the stadium and attendees could not leave.</span></p><p> When fans finally exited the venue 30 minutes later, OU student Joel Henry Hinrichs III was dead, killed when an explosive device attached to his body detonated near Oklahoma Memorial Stadium. After an FBI investigation, authorities determined that Hinrichs had no intention of harming others and his death was ruled a suicide.</p><p> The incident at OU is just one in a long line of threats to sports venues across the United States and the world, stretching from the Munich Summer Olympics in 1972 to the Boston Marathon bombing in 2013. Now, any sporting event can be selected as a worthy target,and with more than 2,450 stadiums in the United States alone, there are many of these critical infrastructure targets to choose from.</p><p> Complacency in responding to emerging threats could result in lost assets, injuries, and deaths. The National Football League (NFL) addressed this concern with its clear bag policy for entry into any football game—a controversial and unpopular decision, especially for female fans. </p><p> The policy, adopted in May 2013, requires fans who carry in bags to use bags that are clear plastic, vinyl, or PVC that do not exceed 12” x 6” x 12.” The league also allows fans to bring in one-gallon, clear, plastic freezer bags, and small clutch bags that are approximately the size of a hand. These rules are similar to policies that were already in place at the University of Michigan, Penn State University, and others.</p><p> “Our fans deserve to be in a safe and secure environment,” said Jeffrey Miller, NFL vice president and chief security officer, in a press release on the policy. “Public safety is our top priority. This will make the job of checking items much more efficient and effective.”</p><p> Following the NFL’s actions, in January 2014, Major League Baseball (MLB) announced that metal detectors will be required by 2015 in all baseball stadiums. The policy was developed with the aid of the U.S. Department of Homeland Security (DHS) in an effort to “standardize security practices across the game,” said MLB spokesman Michael Teevan in a press release. All 30 teams will be required to implement security screening for fans, either with hand-held metal detection or walk-through magnetometers.</p><p> Although there are many obstacles to overcome, the ultimate goal is to provide a secure venue where sports fans are safe watching their team and the stakeholders are responsible in their efforts to provide a safe and secure environment. Two ways of doing this are by understanding the current liability landscape and through improvements in facility design.​</p><h4>Liability</h4><p>During the February 2014 Super Bowl, DHS provided support to the State of New Jersey and the NFL to help secure MetLife Stadium in East Rutherford and establish a perimeter around the facility. Efforts included teams to secure transit to and from the stadium, equipment scanning of cargo entering the stadium, air security enforcement, maritime and waterway security, and the addition of screeners and checkpoint lanes at Newark Liberty International Airport for the influx of fans arriving by air for the game.</p><p> This was part of the department’s efforts through the Support Anti-Terrorism by Fostering Effective Technologies (SAFETY) Act of 2002, which allows businesses to have a cap placed on liability due to terrorist acts where Qualified Anti-Terrorism Technologies (QATTs) have been deployed. Many venues in the sporting world have qualified for the act designation and are among the more than 685 applications that have been approved, according to DHS.</p><p> When venues achieve designation, they are encouraged to develop and deploy antiterrorism technology, and private corporations have seized on the opportunity to promote the financial incentive of enhancing technology and infrastructure to create a secure ring around venues. These methods include 24-hour awareness of the interior and exterior of the venue before, during, and after the event, such as the security operation surrounding the 2014 Super Bowl. </p><p> The SAFETY Act is just one part of the initiative to improve security at critical infrastructure in the United States, clarify liability, and ensure that insurance is available to cover terrorist attacks. This became a major concern for the private sector following the collapse of the Twin Towers, when the courts decided that the World Trade Center stakeholders should have known that the building complex was a potential target for terrorist attacks. Consequently, the stakeholders should have provided more mitigation to occupants in the buildings, the courts determined, resulting in $39.4 billion in losses from the towers’ collapse.</p><p> Following the incident, many insurance providers began to exclude terrorism coverage from their policies. This ultimately threatened the economy; commercial project leaders and many industry investors require terrorism protection to begin construction.</p><p> After the insurance companies’ move, the federal government decided to take action, and in 2002, Congress passed the Terrorism Risk Insurance Act (TRIA), which allows the federal government to assist with compensation in the event of losses from a terrorist attack. It was renewed by Congress in 2007 and is currently being debated for extension through December 2019; otherwise, it will expire at the end of this year.​</p><h4>Facility Design</h4><p>With the changing liability landscape, constructing new stadiums and retrofitting them to improve the fan experience and security is now a focus. Venue owners of the NFL, MLB, National Hockey League, and National Basketball Association are taking pride in developing new, elaborate facilities, and have recognized that stadium construction analysis and design can help them achieve their goal of protecting the up to 100,000 people who attend a game. </p><p> New stadiums can be engineered for increased safety. For example, to ensure maximum security new construction can avoid dangerous major industrial areas, highways, freight railways, and bodies of water. The structure should also be protected against earthquakes, lightning, and bombs.</p><p> Additionally, it should have all glassy, show areas away from where the fans stand. This means putting up a large expanse of glass near the entry could result in a shower of glass on fans if a sniper or bomb blast blows it out.</p><p> Venues should also be less porous. In particular, ballparks should not expose their outfields to adjacent neighborhood buildings where a sniper could lurk. There are now numerous companies that promote building protection, bollards, barriers, safety glass retrofit, hydraulic lift gate closure, hazardous materials detection technology, and other security services to protect the integrity of the building and the fans.</p><p> Along with improving the safety features of the materials in the facility itself, ingress and egress issues should also be of concern to venue owners: patrons have been crushed to death on several occasions. One of the worst incidents of fans being crushed at a soccer match was at a match at Hillsborough Stadium in Sheffield, England, in 1989 where 93 people were killed and 180 injured when fans surged forward in severely overcrowded stands, according to <em>The New York Times. </em></p><p> Egress should also be considered during an evacuation, given that victims can be trampled when panicking crowds behave erratically, such as during a fire. Venues can also be held liable for crowd crush incidents, so many are changing their venue construction and practices in response. For instance, festival seating or open admission is no longer a universal practice because crowds can get unruly and can threaten public safety, according to Steven Adelman of Adelman Law Group. Adelman doesn’t consider general seating, such as festival seating, to be a wise arrangement. Assigned seating, railings, sections, and corridors are valuable for crowd management and result in fewer crush situations.</p><p> Venues of various capacities in the United States will eventually be required to protect the public with a high standard of security, including MLB and NFL stadiums. The focus on entry security and control of access is only one of many enhancements seen in the last few years that are now necessary to prepare for a wide range of threats.</p><p> In the past, venue security was focused on weather related, earthquake related, or firearm related threats. The concerns of today include biological, chemical, radiological, and hidden explosive threats, and venues must take the proper precautions to ensure fans and athletes within their facilities are secure. </p><h4>Government Programs for Securing Sports Venues</h4><p><br>The federal government has designated sports venues as critical infrastructure and the Department of Homeland Security (DHS) is providing a variety of resources to the sector, taking the lead in sports venue security. One of its first projects was in May 2005 when the agency worked with the Mississippi Emergency Management Agency, providing funds to the University of Southern Mississippi to develop a model for sports venue security. </p><p> These vulnerability models were designed to address hazards and threats, and DHS has concentrated on providing resources for venue owners and managers. Following are a few such tools available to security professionals.</p><p> <strong>Risk assessment.</strong> DHS has created a Risk Self-Assessment Tool (RSAT), which provides an assessment of the venue and a benchmark report, comparing it to other similar venues. Results of the assessment are confidential and can address retrofitting of equipment and physical infrastructure, technology, staff training, maintenance, and creating a virtual ring of safety around a venue to increase security.</p><p> <strong>Reference materials. </strong>DHS also publishes an official Protective Measures Guide for U.S. Sports Leagues and a Protective Measures Guide for Outdoor Venues as a resource for sports venues. It also has created a suspicious activity video, Check It! A Training Guide: How to Check a Bag for Security Personnel, which includes guidelines on checking for false sides or bottoms, and checking for forbidden or hidden items. </p><p> DHS has also created another video in the Check It! line on protecting public spaces. This video explains how to recognize suspicious behavior.</p><p> Additionally, DHS will also provide site assistance visits for venue owners and law enforcement to receive input on their particular venue vulnerabilities. DHS can also provide evacuation planning for a stadium.</p><p> <strong>Cubed Program.</strong> DHS is also taking an active role in promoting the interconnectivity of cybersecurity and physical security. One recent initiative, the Cubed Program (C3), was announced in February 2014 and is just one of DHS’s recent efforts. The program provides assistance to owners and operators, voluntarily, to use DHS guidelines in managing their cybersecurity. The program provides cybersecurity resources and access to a cybersecurity advisor. </p><p> The federal government also provides incentives for participating, including liability protection, procurement advantages, and tax grants. </p><p> <strong>Reviews.</strong> If a sports venue is listed in the Commercial Facilities Sector of U.S. critical infrastructure, DHS will provide tools for a self-assessment Cyber Resilience Review. However, DHS also gives venues an option to allow a DHS representative to perform a security assessment. All findings are then presented in a confidential report.</p><p> <strong>Insider Threat.</strong> DHS’s Federal Emergency Management Agency (FEMA) also offers programs to assist with sports venue security. Its “IS-915: Protecting Critical Infrastructure Against Insider Threat” course provides guidance to critical infrastructure employees and service providers on how to identify and take action against insider threats. There are no prerequisites for the course, which is offered for free on FEMA’s website, but FEMA recommends that participants take “IS-906: Workplace Security Awareness” to provide a foundation for the course.</p><p> <strong>Surveillance.</strong> FEMA also offers another program, “IS-914: Surveillance Awareness: What You Can Do, A Guide to Identifying Suspicious Behavior.” The course is designed to make critical infrastructure employees and service providers aware of actions they can take to detect and report suspicious activities associated with adversarial surveillance—surveillance conducted to gather information about individuals, organizations, businesses, and infrastructure to commit an act of terrorism or another crime.</p><p> The course is also available on FEMA’s website for free and also provides additional course documents and training resources for students. </p><h4>Sports Venue Security Checklist</h4><ul><li><span style="line-height:1.5em;">Credential all employees and vendors with photo IDs.<br></span><br></li><li><span style="line-height:1.5em;">Conduct background checks on all staff working the event, including delivery staff and concessions suppliers.<br></span><br></li><li><span style="line-height:1.5em;">Conduct pre-event staff training on e</span><span style="line-height:1.5em;">mergency plans for evacuation, hazardous weather, terrorism, hostage events, bomb threats, releases of chemical agents, food borne illnesses, fire, structural collapse, and earthquakes.<br></span><br></li><li><span style="line-height:1.5em;">Prepare and update a protocol and script in video and audio of emergency instructions for every type of emergency.<br></span><br></li><li><span style="line-height:1.5em;">Address crowd management and fan demographics, accounting for the influence of alcohol and fan emotion. Ensure one crowd observer—live or via video surveillance—for every 250 visitors.<br></span><br></li><li><span style="line-height:1.5em;">Upgrade to advanced camera surveillance of interior, exterior, and perimeter of the venue for 24-7 coverage.<br></span><br></li><li><span style="line-height:1.5em;">Promote the use of the Department of Homeland Security initiative “If You See Something, Say Something” to empower fans and staff through signage and video.<br></span><br></li><li><span style="line-height:1.5em;">Assess barriers, fences, and surveillance of the perimeter and install perimeter barriers, bollards, or planters as needed.<br></span><br></li><li><span style="line-height:1.5em;">Secure all systems serving the venue, including air flow, utilities, and water.<br></span><br></li><li><span style="line-height:1.5em;">Make sure hazmat strips are in place to monitor air quality and detect foreign chemicals.<br></span><br></li><li><span style="line-height:1.5em;">Search and lock down the venue before the event; all individuals and vehicles should be searched on arrival.<br></span><br></li><li><span style="line-height:1.5em;">Ensure that all parking and entry staff are equipped with radios.<br></span><br></li><li><span style="line-height:1.5em;">Have highly visible uniformed security and law enforcement in place to act as a deterrent.<br></span><br></li><li><span style="line-height:1.5em;">Secure all concessions.<br></span><br></li><li><span style="line-height:1.5em;">Maintain open communication and cooperation with law enforcement.<br></span><br></li><li><span style="line-height:1.5em;">Consider using a social media technology for situational awareness to monitor the venue.</span><span style="line-height:1.5em;">​</span><br></li></ul><div><br> </div><div><em>Nancy Serot is a business development manager for Phoenix Risk Assessment and a member of ASIS International. Thomas K. Zink is a professor at the Saint Louis University Department of Environment and Occupational Health and founder of Project EQUIPP.</em><br></div>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465
https://adminsm.asisonline.org/Pages/Q-and-A---Soft-Targets.aspxQ&A: Soft Targets<p>​<span style="line-height:1.5em;">Jennifer Hesterman, Colonel, U.S. Air Force (Retired), discusses her book <em>Soft Target Hardening</em>, which was named the 2015 ASIS Security Book of the Year. Available from ASIS; asisonline.org; Item #2239; 322 pages; $69 (members); $76 (nonmembers).</span><span style="line-height:1.5em;">​</span></p><p><strong><em>Q.</em></strong><em> Why are soft targets increasingly attractive to terrorists?  </em></p><p><strong>A. </strong>Soft target, civilian-centric places that are not typically fortified—such as schools, churches, hospitals, malls, hotels, restaurants, and recreational venues—have little money to spend on security. Frequently, they must balance security, aesthetics, and a positive experience for customers.  </p><p>Terrorists select soft targets because there are many, possibly hundreds, of them in small towns and cities; they are vulnerable, so the odds of success are high and the terror effect is amplified among civilians. The story also stays in the news longer—the soft target attack in San Bernardino received far more coverage for almost twice the length of time compared to the Ft. Hood shooting. Military and government workers are generally seen as more legitimate targets than civilians, so soft targets provide more of the outrage, shock, and fear that terrorists crave.</p><p><em><strong>Q.</strong> What inspired you to write a book on hardening soft targets? </em></p><p><strong>A.</strong> I was living in the Middle East and close to several soft target attacks. I also realized that in the United States after 9-11, we further reinforced hard targets like government buildings and military installations, while soft targets are increasingly in the crosshairs but unprotected. I traveled all over the Middle East and Southwest Asia, and saw how soft targets are protected against attack. I wanted to apply some of these lessons to the civilian sector.  </p><p><em><strong>Q.</strong> Which soft targets are being hardened in the United States?</em></p><p><strong>A.</strong> Schools are further along the spectrum due to the rise of school shootings and stabbings. Mall security is much improved after the Westgate Mall attack in Nairobi, but shopping venues are still extremely vulnerable. Churches have a unique problem due to their open, inviting culture even after the Charleston shooting. Of course synagogues, mosques, and Sikh temples are moving towards a more hardened posture as the result of a rise in domestic terrorist activity. Hospitals usually don’t realize they are targets for terrorist attack or exploitation. Every type of soft target is different and requires tailored hardening tactics. </p><p><em><strong>Q. </strong>What trends should security professionals look out for?</em></p><p><strong>A. </strong>The insider threat is a growing concern. Insider attacks have the greatest possibility of success in terms of destruction of a target and mass casualties. The perpetrator can preposition items, understands the layout of the facility, has unfiltered access, and knows vulnerabilities to exploit. </p><p>We spend a great deal of time in vetting people during the hiring process, but new employees are basically left alone after the onboarding process. Venues like stadiums or concert halls may perform inadequate background checks on seasonal workers. The book discusses added layers of protection such as using behavioral detection techniques, a buddy system where a seasoned worker is paired with a new worker, and rules ensuring that no one is ever alone.</p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465