ASIS aug15_ASIS_RiskUK_may15 07/08/2015 11:21 Page 1
UNITED KINGDOM CHAPTER 208
ASIS NEWSLETTER OF THE YEAR – WINNER 2013, 2012, 2008 & 2003 – HONOURABLE MENTION 2011, 2006.
The New World of Converged Security — Dave Tyson CPP
Security risks and vulnerabilities have changed, and security departments develop new strategies and tactics.
Today, a criminal gang thousands of miles away from your company’s offices can travel over the Internet, break into your building, steal intellectual property, turn off your surveillance cameras and unlock a door protected by an access control system.
When you discover the plundered databases and the unlocked door, you might think the thief broke in by defeating your physical security systems and waste your time trying to strengthen those, when you should be strengthening your IT security systems. Of course, it works the other way, too. A thief can break into your building and IT department and carry off a couple of servers with the personal information of thousands of your customers. The point is, security threats and vulnerabilities have converged. Weaknesses in physical security technology put your IT data at risk just like weaknesses in IT security put your physical plant at risk. How has this happened? Advancing technology has improved cameras, access control systems, alarms and other physical security technology with many new features and capabilities, including IP features that enable you to plug these devices into an IP network — which is vulnerable to hackers.
What You Need From Equipment Vendors
A handful of physical security equipment vendors have focused on the problems created by this IP migration — but only a handful. Security directors can find those vendors by specifying that their products must be secured from an IT-side attack. Some vendors do provide inherently secure products or at least provide the software applications and hardware that you can use to secure the products yourself. You must also require vendors to provide a plan for configuring the security software and operating systems, server hardware and the protection systems for those tools. If the configuration is weak, hackers and criminals will find ways to get into the equipment. From there, they can break into your building and your firm’s IT system.
continued page 14
ASIS UK Police Liaison receives OBE
ASIS UK Police Liaison committee member Richard Stones CSyP has been awarded an OBE in the 2015 Birthday Honours for services to police and business. Richard was the first serving Police Officer worldwide to be awarded Chartered Security Professional status (CSyP) back in 2011 and is also a Fellow of the Security Institute and a Freeman of the Worshipful Company of Security Professionals.
On receiving the award Richard said, “It’s great to be recognised in this way. I was shocked when I received the letter and initially thought it was a wind-up. I hope it will help raise the profile of ASIS particularly in policing circles where a closer collaboration with business and industry standard would help us all.”
ASIS UK Chapter Chairman Andy Williams CPP said on hearing the news, “With the Police service in the UK being subject to further budget reductions, the pressure on non-front line departments to reduce expenditure whilst improving efficiency is huge. In that context, it is particularly gratifying to see work that Richard has undertaken being rewarded in this way. As a former Police Officer myself, I am especially proud to have Richard working as part of the ASIS UK team in his Police Liaison role.”
Richard, Staff Officer to the National Policing Lead for business crime reduction, holds an MSc in Security and Risk Management and is a Visiting Fellow at Derby University.
Chairman’s Notes
According to recent press reports, Jihadi John may now be surplus to the requirements of his ISIS leaders. He must be wondering whether it would be better for him to be captured by the allied Special Forces teams that are apparently searching for him, or to be dealt with by his leaders. Whilst, if these reports are to be believed, some may wish to celebrate his imminent fate, my hope is that the episode acts as a stark warning, to those individuals and groups planning on travelling to join the fight, that no matter how good their work, they have a shelf life and when the day comes, there will be no celebration or reward for their efforts.
Closer to home, it was excellent to read that seven men have been convicted of a number of smash and grab jewellery robberies in London dating back to 2007. The group who used motorcycles to make their escape were sentenced to 64 years between them. Two others, who were convicted of conspiracy to handle stolen property, will be sentenced at a later date.
As I’ve reported in previous newsletters, fellow members of the Chapter leadership and I, are continuing to reform the administration and the Chapter. You will have read about the huge financial turnaround that has been achieved in the past 18 months, thanks in no small part to the incredibly generous sponsorship and exhibitor fees that we receive, the decision at the AGM in December to vote for a change in the structure of the Chapter, from being an unincorporated body to being members of a Company limited by guarantee and the formation of a Chapter constitution. This is all taking time and a great deal of effort, not least from Chris Brogan, to whom I would like to pay particular tribute. As Chapter legal advisor, Treasurer and Company Secretary of the Limited by guarantee company, ASIS Chapter 208 Ltd, he has spent countless hours, leading us to a position where we are fully compliant with all legal requirements, laws and best practices. As with every member of the leadership team, he has done all of this work voluntarily and in doing so, has saved us many thousands of pounds.
Last but not least, I would like to remind you that London has been chosen as the host for the 2016 European Conference. This is a second opportunity in just 4 years to show off all that is best about UK Security and the men and women, up and down the country, who make us the world leaders. www.asisonline.org/London for more information about exhibiting or attending.
Enjoy your summer.
Best wishes,
Andy
Andy Williams CPP
Calendar Events Sep 15 7th 22nd 28th - 31st
ASIS UK Autumn Seminar, SOAS, London Security Institute Annual Conference 61st Annual Seminar and Exhibits, Anaheim, California Retail Crime & Loss Prevention Conference, London, 2015 JSAFE—Charity Dinner - Bookings Open
Oct 15 15th 15th 19th - 20th 28th
Consec Global Resilience Summit, London Total Security Summit, Northamptonshire Security Twenty 15, Heathrow
Nov 15 TBC 12th 12th 17th - 19th 25th Dec 15 2nd - 3rd 3rd - 4th 10th
ASIS 60th Birthday Party, London National Association of Healthcare Security Conference, London Security Institute Remembrance Event IIPSEC, Birmingham Security and Fire Excellence Awards Transport Security Expo ASIS China Conference ASIS UK Winter Seminar & AGM, State Street Bank, London
2016 Feb 16 21st - 23rd
7th ASIS Middle East Conference, Dubai
Mar 16 9th
ASIS UK Spring Seminar, PwC, London
April 16 6th- 8th 6th 7th 8th 19th - 20th 27th - 28th Jun 16 21st - 23rd
15th ASIS European Conference and Exhibition, London Behind the scenes tours followed by Welcome Party Conference followed by President’s Reception Conference followed by Chapter Reception at the House of Lords Security and Counter Terror Expo, London 26th ASIS New York City Security Conference & Expo IFSEC
Your CV remains a critical document in your job search
James Butler
(James Butler is Managing Director, EMEA/APAC of security recruitment firm SMR Group)
Your CV is a marketing document. Too much information presented as a career biography may not achieve the results you are hoping for. A recruiter or hiring manager, who has never met you, will judge you by its content and appearance alone, whether you deserve further consideration for the role in which you have expressed interest. A brief, clear, attractive CV will recommend you more highly to a recruiter than will a long-winded, poorly designed one — even if the content is the same. Here are a few tips for creating an enticing CV.
Be brief
People who come from security, law enforcement and intelligence backgrounds may tend to include wordy explanations of their positions and duties in an effort to be truthful and precise. These are good qualities in a professional, but a CV must make an impact on its reader in 20 seconds or less, so in this case, brevity is key. If you have led a certain type of program, simply state that and move on; unless the program is so unusual that the reader may not understand its significance, there is no need to explain it further. However, if you accomplished something extraordinary in that program — if you were a loss prevention manager and implemented a program that dropped your shrinkage from 20 percent to nothing, for instance — you should consider including a bullet point that states the results you achieved.
Tailor to the position
Context is King. You may have a 10-page list of positions and work experience that are relevant to a security career in general, but a recruiter or hiring manager does not need or want every little bit of that information. You should focus on the areas highlighted in the job description. Make a list of the key things you have accomplished in the course of your career and then pick out the items that are relevant to the position for which you are applying.
Pay attention to the design
Try to develop a CV that is visually pleasing, easy to read, and that can impact or interest someone within 20 seconds. A page so dense with words that it looks like an essay will likely receive little attention, because the people sorting through the stack of CVs will consciously or unconsciously tend to gravitate towards those that look clean and organised. A neat CV also conveys that you have good communication and presentation skills because you can synthesize a lot of information into a small form and make it visually and verbally appealing to the reader. Choose a layout that you like and that is reflective of you as a person.
Watch your wording
Use power verbs to start sentences. Don’t use “I” or “responsible for” — this phrase will make your CV sound like a position description. Do not take your old company or organisation job description and convert it to a CV.
Include as much contact info as you can
Address, name, (work, home and cell phones, clearly marked as such) and email(s) that you may be contacted on.
Include dates with every position listed
You can list month and year or even just year — but do not make the recruiter chase dates for you.
Outside impressions of content
Last, hand someone your CV and ask them to read it, then take it back from them after 20 seconds and ask them what it says and what their impression is. This will give you a good idea of what that all-important recruiter may think.
SECURE ACCESS. NO CARD REQUIRED. Secure mobile access solutions by HID represent a revolutionary breakthrough in next gen technology by combining convenience, flexibility and the power of Seos. With a simple tap or use of our patented “Twist and Go” gesture technology, you’ll experience the most innovative way to make an entrance—no card required. And because it’s all powered by Seos, issuing, managing and revoking access couldn’t be easier—or more secure. You’ll call it the most advanced way to use your mobile device. We call it, “your security connected.” YOUR SECURITY. MOBILE
Visit us at hidglobal.com/WP-MobileAccess_Request.html
SUPER SAVER WEEK
There’s still time to submit abstracts for the European Conference (www.asisonline.org/london) and we do want a good crop of speakers from the UK. We are expecting in excess of 600 delegates at the Conference and ideally looking to top the 700 who attended The Hague in 2014. If you’ve never attended an ASIS European Conference before, I encourage you to make time and allocate some budget to attend. In addition to the c.40 speakers, plenary sessions and receptions, there are numerous networking opportunities where you will be mixing with delegates from 40 or 50 countries in an incredibly positive atmosphere. We are trying to make the event as affordable as possible for members, especially those who are self-funding and we are working with the ASIS Brussels Bureau on a number of options. One date for your diary is for Super Saver Week which will run between 19 - 26 October when there will be a chance to book at the best possible rate.
Following on from this the Early Booking Rate will run from 27 Oct 2015 - 3 March 2016. There will also be the opportunity to pay in two instalments.
Lenel® Introduces ‘Lite’ Version of OnGuard® WATCH to Visualize Critical Security Data
Lenel Systems International, Inc. today announced the launch of OnGuard WATCH lite 1.0 across Europe, Middle East and Africa. WATCH lite is a free version of the comprehensive, Web-based dashboard tool for OnGuard system users. The dashboard discovers and presents security data to security & IT professionals in a whole new way — enabling them to visualize the information at once to allow for quicker decisions, rather than scanning multiple reports. Lenel products are offered through UTC Fire & Security UK, which is part of UTC Building & Industrial Systems, a unit of United Technologies Corp. (NYSE:UTX).
OnGuard WATCH lite places actionable information at the fingertips of key personnel. Users can monitor OnGuard system information through one graphical and intuitive interface to more efficiently manage the OnGuard system.
“OnGuard WATCH lite is a great way for existing users to get a flavor of the benefits of this new dashboard,” said James Wheeler, regional sales director, Lenel UK. “It helps them visualize important security data to get an overall snap-shot of OnGuard system performance — taking just seconds to understand system health. Additionally, it gives the user a sneak-peek into the new look and feel of the next generation of OnGuard systems, as well as underlying technologies such as the new Lenel Services Platform and evergreen browser support.”
With OnGuard WATCH lite, users can quickly view:
• Total counts of access panels, readers, inputs, outputs, cardholders, active badges, visitors and visits
• Basic system information about OnGuard and Windows operating system, SQL server versions and service packs
• Database backup details
• New badges created per day
• Alarms generated per day
• System performance such as CPU, memory usage, hard drive, peak usage
• Error logs
For additional ease of use, the date range can display a few days, months or years of captured data and deeper analysis can be conducted into hours and minutes.
OnGuard WATCH lite is free for customers with a valid software upgrade and support plan and is also available as a free 90 day trial for customers without a support plan. The full version of OnGuard WATCH will be available later this year through Lenel value-added resellers. For more information, visit www.lenel.com or follow @LenelSystems on Twitter.
MANAGING COMPLIANCE AROUND PHYSICAL ACCESS MANAGEMENT FOR CONTRACTORS
Dr Vibhor Gupta
In today’s competitive and risk-prone business environment, security practitioners need to understand whether their current physical security and access management systems are capable enough to minimise or completely eliminate the risks caused by contractors. In spite of organisations hiring thousands of contractors to carry out different kinds of work, this is one area that is overlooked when it comes to identifying risk and minimising loss. Contractors add great efficiency to the business as they bring specialised expertise to the job, but these contractors and third party vendors are not included in the same category as that of employees and hence are not subjected to the same set of policies as that of employees. Since they are an external entity, mostly they cannot be trusted at the same level as that of regular employees. They always pose a serious security threat to the organisation and hence need to be vetted properly using rigid policies. Imagine how dangerous a hostile contractor could be for an organisation if they continue to have access to an area after being terminated.
In this paper we discuss the value of a solution which helps organisations in managing the entire lifecycle of a contractor by automating processes around contractor requisition and approval, access and change management, badging, terminations, renewals and reactivations.
In an organisation that needs to hire and manage contractor identities and provide them with a badge and/or physical access, the following aspects are looked at (or should be) as part of the administrative process:
• Are access entitlements of contractors correct and as per company policy?
• Like employees, have contractors been properly vetted and trained before grant of access?
ASIS International - UK Chapter Autumn Seminar - September 7th Hosted by SOAS, University of London Thornhaugh Street, Russell Square, London WC1H 0XG
14:00 Registration, Coffee, Networking
14:30 Chapter Business
SPEAKERS INCLUDE:
Corin Dennison CPP, Adidas
“Corporate Security – the balance between security and brand”
Frank Armstrong QPM – Former Assistant Commissioner CoLP
Dr Vibhor Gupta, Chapter Technology Lead
Emerging Trends in Security Technology – What’s Next?
Dave Clark CPP PSP, Francis Crick Institute
The Security Commonwealth - our turn. The Security Commonwealth, what this means to ASIS.
18:00 Drinks, canapés and networking in the heart of Bloomsbury – our host has also arranged exclusive access to their Japanese inspired roof garden, created in 2001 and dedicated to Forgiveness – also nearby is the Tavistock Square 7/7 Memorial on the railings outside the BMA. Members and guests will also have access to the Brunei Gallery Exhibition at SOAS.
• Are contractors enrolled and terminated from security systems immediately upon contract expiration or their termination from contractor’s employer?
• Is there a detailed audit trail available around access/badge requisition and approval process?
Existing Challenges around Contractor Access Management
“In our organisation, every department has its own database and process of hiring contractors with no audit trail into why someone got access to a restricted area.” – Director, Physical Security of leading global electronics manufacturer
Present mechanism of managing contractors involves several manual, redundant and paper/email based steps around on-boarding, background verification, training checks, role-based access determination and approval. These processes are executed in a disjointed sequence. The access related information is maintained in a paper/spreadsheet format and manual updates are made whenever changes are required. There is usually no proper way to make sure that the security policies are implemented properly as they are enforced manually in so many instances.
Current methods usually fail to capture and manage details of various transactions pertaining to contractors such as who requested for the contractor, what was the request justification, who approved/denied the request and the reason for the decision. Maintaining details of this complete audit trail is a manual process and involves a lot of cost and time effort which still may not be accurate.
Additionally, security practitioners have a regular need to associate physical assets — metal keys, tokens, mobile phones, PCs, carts and more — with the contractors they are provisioning these to. Present methods of issuing and tracking of physical assets are manual, leading to lost/stolen/missing assets.
Organisations are required to follow the same set of external regulations or internal standards for managing contractors like they have to for managing their own employees. However, the challenges in recording, monitoring and reporting specific details involve a significant level of effort, which are often manual in nature and error prone thereby exposing the organisation to a significant level of risk.
These problems are further compounded in larger organisations spread across multiple locations since each location has its own policy of hiring contractors, which seldom results in a multitude of databases. Due to the existence of such silos and the lack of a central database, security teams lack visibility and ability to take decisions around authentication, authorisation and physical access entitlements.
In order to assure compliance against external regulations and internal audit requirements while complying with cost pressures, there is a growing need in enterprises to optimize their access management processes and administrative tasks around contractors.
How to resolve these challenges around physical access management for Contractors?
The need of the hour is to have a policy-driven solution, which can automate all current manual processes for provisioning and deprovisioning of contractors and vendors, ensuring that accurate verification related to contractors is captured and stored within the system. A Physical Identity and Access Management (PIAM) solution follows this idea at its core. The basic capabilities of a PIAM solution in this regard are:
• Centrally manage contractor data and make site-specific data available locally
• Automate contractor management processes and provide a single web interface to allow sponsors to make requests for on-boarding and off-boarding of contractors and subsequently automate the approval workflow
• Automate security policies governing contractor management and associated compliance.
• Provide audit ready reports and the ability to put internal controls into business processes to bring accountability and visibility in the security operation.
With a solid approach to PIAM, physical security practitioners can closely connect their physical and logical security infrastructures, quickly lowering operational costs, improving their compliance standing and lowering their overall level of risk.
Examples (case studies) and Conclusion
• A global technology company gained better control by consolidating multiple contractor databases into a PIAM solution
• A large utility company in North America defined and enforced one set of policies for on-/off-boarding of contractors through a PIAM solution
Managing the lifecycle of contractors is complex but strategically important to achieve cost savings and ensure a more secure and risk-free workplace. Ensuring that contractors are managed confidently in a fair and consistent manner is important for the enterprises trying to increase performance and reduce costs. A PIAM solution offers a holistic approach to identity and access management by integrating logical security with physical security to secure the critical operating assets of an organisation.
Dr Vibhor Gupta, PhD
Technology Lead
ASIS UK Committee
firstname.lastname@example.org
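The four administrative checks the article lists (entitlements backed by an approval, vetting and training before access is granted, removal on expiry or termination, and a complete audit trail), shown as an added example that is not part of the original article or of any PIAM product. The record layouts, field names and sample data are constructed assumptions.

```python
from datetime import date

# Constructed sample data; identifiers and field names are hypothetical.
CONTRACTORS = {
    "C-1001": {"contract_end": date(2015, 12, 31), "terminated_on": None,
               "vetted": True, "trained": True},
    "C-1002": {"contract_end": date(2015, 6, 30), "terminated_on": None,
               "vetted": True, "trained": True},
    "C-1003": {"contract_end": date(2016, 3, 31), "terminated_on": date(2015, 7, 15),
               "vetted": True, "trained": True},
    "C-1004": {"contract_end": date(2016, 1, 31), "terminated_on": None,
               "vetted": False, "trained": True},
}

BADGES = [  # as exported from the access control system
    {"badge": "B-01", "contractor": "C-1001", "active": True, "areas": ["lobby", "lab"]},
    {"badge": "B-02", "contractor": "C-1002", "active": True, "areas": ["lobby"]},
    {"badge": "B-03", "contractor": "C-1003", "active": True, "areas": ["server-room"]},
    {"badge": "B-04", "contractor": "C-1004", "active": True, "areas": ["lobby"]},
    {"badge": "B-05", "contractor": "C-9999", "active": True, "areas": ["lobby"]},
]

def _req(contractor, area, justification, decision, reason="role requires access"):
    """Build one requisition/approval record (oldest first in REQUESTS)."""
    return {"contractor": contractor, "area": area, "requested_by": "sponsor1",
            "justification": justification, "decided_by": "secmgr",
            "decision": decision, "reason": reason}

REQUESTS = [
    _req("C-1001", "lobby", "site maintenance", "approved"),
    _req("C-1001", "lab", "", "approved"),                      # justification missing
    _req("C-1002", "lobby", "cleaning contract", "approved"),
    _req("C-1003", "server-room", "cabling", "denied", "not needed for role"),
    _req("C-1004", "lobby", "catering", "approved"),
]

AUDIT_FIELDS = ("requested_by", "justification", "decided_by", "decision", "reason")
SAMPLE_TODAY = date(2015, 8, 7)

def audit_contractor_access(contractors, badges, requests, today):
    """Return sorted (badge, finding, detail) tuples for every active badge."""
    # Latest record per (contractor, area) wins; the list is assumed chronological.
    latest = {(r["contractor"], r["area"]): r for r in requests}
    findings = []
    for b in badges:
        if not b["active"]:
            continue
        person = contractors.get(b["contractor"])
        if person is None:  # badge with no identity in the central contractor data
            findings.append((b["badge"], "UNKNOWN_IDENTITY", b["contractor"]))
            continue
        # Last valid day: the earlier of contract end and termination (assumption).
        last_day = min(d for d in (person["contract_end"], person["terminated_on"]) if d)
        if last_day < today:
            findings.append((b["badge"], "ACCESS_AFTER_END", last_day.isoformat()))
        if not (person["vetted"] and person["trained"]):
            findings.append((b["badge"], "NOT_VETTED_OR_TRAINED", b["contractor"]))
        for area in b["areas"]:
            req = latest.get((b["contractor"], area))
            if req is None or req["decision"] != "approved":
                findings.append((b["badge"], "NO_APPROVAL", area))
            elif any(not req.get(f) for f in AUDIT_FIELDS):
                findings.append((b["badge"], "INCOMPLETE_AUDIT_TRAIL", area))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_contractor_access(CONTRACTORS, BADGES, REQUESTS, SAMPLE_TODAY):
        print(*finding, sep="\t")
```

Run against real exports, each finding maps to one of the article's questions, and an empty result is the state a policy-driven process is meant to maintain.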
Best Practices for Integrating Mobile into the Access Control Architecture
by Jaroslav Barton (Segment Director Physical Access Control EMEA at HID Global)
Merging Security and Convenience with Mobile Access
As companies merge security and convenience at the door by transforming smartphones and other mobile devices into trusted, easy-to-use digital credentials that can replace keys and smart cards, there are certain things to consider when choosing a mobile access solution.
To be certain the solution works with the latest smartphone technologies and is able to evolve with the mobile industry, it should be rooted in a standards-based card technology that can be emulated on a large number of mobile phones, tablets and wearables.
To gain acceptance among employees and students, the user experience must be equal to that of physical cards. First impressions last, and the solution may be easily dismissed if it does not meet expectations. The experience of opening doors with mobile devices must be streamlined, intuitive and convenient; the user should not be required to perform too many steps.
An interesting value proposition of mobile access is the possibility of sending and revoking mobile identities in almost real time, and for maximum benefit, the mobile identity platform must be designed for administrator convenience and efficiency.
Mobile access presents the opportunity to dramatically alter how we open doors and interact with our environment, and when implemented correctly, the future of access control will come knocking. Using a mobile device to gain access to different buildings is not only about solving a particular problem. It is also about doing things better, by embracing technological advances and delivering a concept that will change how we interact with readers and locks and open doors using our mobile devices.
In the era of mobility and cloud computing, enterprises and individuals are increasingly concerned about the security and protection of their physical environment. Correctly implemented, mobile access has the potential to change how we open doors as it’s the first time in history we have a solution which can increase both security and convenience.
Technologies that support mobile access today
Confidence and education in the use of contactless applications and technologies such as NFC, Bluetooth, mobile wallets, iBeam™ and iBeacon™ are continuously growing and so is the understanding of what technologies are best suited for mobile access control. No matter what the technology, mobile devices offer an unparalleled way to change the way we open doors. However, security administrators and IT directors will need to review which mobile-related technologies will allow them to best engage with their employees to create the optimal access experience on their premises.
Near Field Communication (NFC)
NFC was developed to address the dilemma of multiple contactless standards but its introduction into mobile devices has been less than smooth. Emulating a contactless card on a mobile device was until very recently only possible via a Secure Element (SE), such as a SIM card. An ecosystem in the form of Trusted Service Managers (TSM) had to be set up to support the SE-centric model, which resulted in complex technical integrations and business models which made it difficult to launch contactless applications based on NFC.
In 2013 Google® introduced a new NFC feature in Android™ 4.4 called Host-based Card Emulation (HCE). HCE allows a contactless card to be emulated in an App without dependencies on a SE. With HCE it is possible to launch NFC services in a scalable and cost-effective way as long as a standards-based card technology is used. Visa® and MasterCard® have released specifications on how to do Visa payWave® and MasterCard PayPass™ transactions using HCE, and HID Global® has launched a mobile access control solution with HCE based on Seos.
HCE will make NFC more accessible and versatile, so that developers will then expedite services to market which, in turn, will stimulate consumer familiarity and encourage adoption. At the same time, however, the iPhone is a very popular device in the enterprise segment and many are used in organisations around the world today without NFC support.
The number of installed Android 4.4 devices is growing fast, but with the lack of NFC in the iPhone 4 and iPhone 5, coupled with the fact that NFC support in the iPhone 6 is currently only available for ApplePay™, there is still questionable market penetration for HCE-based solutions.
Bluetooth Smart
Bluetooth Smart was introduced into the Bluetooth Standard in 2010 and, having gained a lot of traction in markets such as healthcare and fitness, is now finding its way into the payment and coupon redemption industry. One of the success drivers for Bluetooth Smart is the support the technology has received from Apple, who has supported Bluetooth Smart since the iPhone 4S. Google added Bluetooth Smart to Android 4.3 and as of October 31, 2013, Bluetooth Smart is the only contactless technology capable of supporting a service on the two major mobile operating systems, Android and iOS. Its low power consumption, lack of a pairing requirement and long reading distance make Bluetooth Smart an interesting option for mobile access control.
Bluetooth Smart
• No requirement for pairing and low power consumption make Bluetooth Smart, combined with a standards-based contactless card technology, a good technology for enabling mobile access
• Readers may be placed on the safe side of the door or hidden
• Open doors from a distance as you park your car, or if you want to open the door for someone ringing the door bell
• Configure readers including firmware with a Bluetooth Smart-enabled device (such as a phone or tablet)
Mobile operating systems with support for Bluetooth Smart
THOUGHTS FROM THE EDITOR
As I sit here with a large skinny latte (with vanilla syrup and a couple of biscotti) reflecting on the role of ASIS International and the UK Chapter in particular, I do take some pride in what we are all about, what we have achieved and are achieving. Despite wicked rumours to the contrary I was not one of the original members when the organisation started sixty years ago (I cannot comment on my co-vice chairman Graham Bassett however), neither was I a member of the original European Chapter (44) nor a founder of what is now Chapter 208. In that sense I and the rest of the Chapter leadership are, as Sir Isaac Newton wrote, “standing on the shoulders of giants”. However in the last few years we have built on the work of our predecessors both in the quality of the offerings to members (seminars, newsletter, certifications etc.) and also our standing within the profession and our relationships with other organisations.
Looking through the newsletter many of these relationships are obvious but, not being one to miss an opportunity, I wanted to take this moment to remind you of our reach.
The partnerships we have established with training providers offer members proved routes to achieve the ASIS Board Certified Qualifications: CPP, PCI and PSP. Other educational offerings will follow.
We have a presence at many leading security events
• IFSEC
• Counter Terror Expo (now Security and Counter Terror Expo)
• Security TWENTY 15 (x4)
• Total Security Summit (x2)
• IIPSEC
• Transport Security Expo
• Global Resilience Summit
• National Association of Healthcare Security Conference
• Retail Crime Conference
We have regular editorial features in many of the top security publications
• Professional Security Magazine
• Risk UK
• City Security Magazine
• Security News Desk
Working with others we established the Joint Security Associations Fundraising Event (JSAFE) to raise much-needed money for relevant and worthwhile charities. This Year the event is on 30th September.
The ASIS UK Chapter will be chairing the newly established Security Commonwealth for the next 6 months, working collegiately with other bodies.
As supporters of the Industry and Parliament Trust, members are able to attend events and discuss aspects that affect them with MPs, Peers, Civil Servants and other industry representatives.
We are also part of an international community of 38,000 security professionals and this network can prove invaluable to many. With Conferences in the US, China and Middle East we have global coverage and that's without mentioning the European Conference which we have managed to attract back to the UK. This will be a tremendous event and we hope to see a huge number of UK members there. The event will culminate in a reception at the House of Lords on 8th April 2016. There are also webinars and other study programmes. Members can contribute to over 30 Councils covering numerous verticals and sectors, work on standards and guidelines (all of which are available free of charge to members) or support the work of the ASIS Foundation. Anyway, that’s enough from me and anyway my coffee is now at a drinkable temperature. See you soon. Mike Hurst
AUGUST 1914: ENGLAND IN PEACE AND WAR
Mark Rowe
Mark Rowe, perhaps better known to the security community as the editor of Professional Security Magazine, writes about his book, August 1914: England in Peace and War.
The title explains itself, I hope. I wanted to understand what life was like in that watershed month, that started as another summer month and ended with England up to its neck in a war in France it had never prepared for (does that sound familiar?). Were people then like us, or different? In some ways a century ago feels so very far in the past. Of all things, mobile phones feel as if they have made a difference. In some ways, 100 years is not at all distant; all my grandparents were alive then, for instance. While my book tells everyday stories from diaries, letters and newspapers, some of it relates to security management and I will keep to that here. I was struck by how rough and dangerous life was. Children fell into canals; heavy and hot things in factories scalded and
crushed workers; carts and trains ran you over; people at home tripped on steep stairs, even. Men seemed readier to start an argument and to settle it with their fists. Was there more crime? Hard to say – for a start, I reckon then and now much crime went unreported. Certainly England wasn’t the happy and united place some would like to believe – then or now. When the outbreak of war threw the economy out of joint and threw many out of work, the authorities feared the jobless might take to the countryside and cause trouble, and appointed special constables in a hurry. England did have trouble-makers, who largely settled their differences in the larger crisis of August 1914: trade unionists, Irish republicans, and women campaigning for the vote. Suffragettes we are meant to look up to, as brave and on the right side of history. Reading newspapers of the time, I was struck by how discredited and disliked the suffragettes were. The very fact that they had turned to violence (hitting politicians with umbrellas, disrupting church services, breaking windows and
throwing eggs) and, if anything, were becoming ever more extreme (building bombs, spoiling letters in postboxes, doing arson) was a sign that they had lost the argument and were turning into Britain’s first terrorists. I well remember reading at Lincoln county archives a booklet from the Met Police, a photo-parade of arrested women. The document writer had apologised because one of the women had only posed for a photo while sticking her tongue out. That said it all for me – these women were not only nasty and anti-social, but childish with it.
The Beverley war memorial with the name of Arthur Ross, one of 400 men from the East Riding county town who died in the 1914-18 war
The country was a kaleidoscope of all sorts, much as I imagine it had been in 1814, was in 2014, and will be in 2114. I pulled together not only the well-off and famous such as Winston Churchill (then widely hated or distrusted) and his frankly silly and needy sister-in-law Goonie, and the then unknown Alan Brooke, an Army officer who rose to become field-marshal in the next war, but diarists - a retired Gloucestershire teacher William Swift; a Northampton Methodist preacher, William Pickbourne; Arthur Ross, a member of the Church Lads Brigade in Beverley in East Yorkshire, keen to join the Army; besides the Staffordshire aristocrat’s son Gerald Legge. Ross was killed in France in 1918, Legge killed at Gallipoli in 1915. Life could never be the same after August 1914. As the son of a Staffordshire railwayman, I never expected an earl’s son to be the hero in a book of mine, but what I wanted hardly came into it; I could only do what the evidence in front of me told me to do. August 1914: England in Peace and War is published by Chaplin Books, price £11.99. Visit www.chaplinbooks.co.uk
Retail Crime & Loss Prevention 2015
Wednesday 30 September
Etc Venues, Dexter House, Tower Hill, London
Operational and Practical Solutions to Retail Crime
This year's BRC Retail Crime Survey has revealed that UK retailers are fighting a rising tide of organised theft in store. Combined with the dramatic increase in fraud and e-crime and the commonly perceived threat to businesses posed by cyber-attacks, this means that retailers are facing an increasingly sophisticated criminal. The BRC Crime and Loss Prevention conference brings together retail security bosses, senior police representatives and business groups, providing an ideal forum for debating the major issues currently concerning all parties.
12th November 2015
Chelsea Football Club, Stamford Bridge, Fulham Road, London SW6 1HS
Featuring speakers with both a clinical and non-clinical background, the conference will enable delegates to network with colleagues from across the country. The conference will be of particular interest to Healthcare Security Managers, Mental Health and Dementia Leads and those interested in methods that deal with challenging behaviour.
ASIS WOMEN IN SECURITY
an ASIS Women in Security Event. Chapter WiS Lead, Dawn Holmes CPP was joined by Rowena Fell CPP and ASIS International main board director Godfried Hendricks CPP. The event attracted women from a range of backgrounds, some well established in their careers with some others new to the sector. This year, for the first time, the Chapter held two events at IFSEC, one focussing on the ASIS Board Level Certifications and Chartered Security Professional and the other
Overall the event was a success and we hope to repeat it next year at IFSEC. Other WiS events are being planned.
Neil Wainman CPP, again manning the stand at Security TWENTY 15, this time in Newcastle. The next event is on 28 October 2015 at Heathrow.
TOTAL SECURITY SUMMIT
Former UK Chapter Convergence Lead and current Vice Chairman ASIS European Convergence/ESRM James Willison, has been appointed as Advisor on Convergence to the Mitie TSM Board.
Total Security Summit is on 19th and 20th October 2015 at the Whittlebury Hall Hotel & Spa, Northants. It is an event for senior level security professionals to meet leading service providers face-to-face to discuss forthcoming projects in 2016/17. Meet with specifically chosen suppliers who offer a range of products and services from CCTV to access control, from risk management to fire solutions and everything in between. The two-day programme is packed with inspiring and thought-provoking seminars as well as unrivalled networking opportunities.
James comments, “I am delighted to be working with Mitie and it is truly remarkable that they are developing ‘converged’ cyber physical strategies, partnerships and SMART technologies which demonstrate real leadership and capability in these areas.”
Join suppliers already confirmed, which include Tyco, Axis, Atec, Gallagher, Traka and Cordant Security. Attendance includes a VIP gala dinner, evening entertainment and overnight accommodation at the Whittlebury Hall Hotel. To view the full seminar line up please click here. To confirm your place please book online. For more information or to secure your place at the Summit, please contact Alex King on 01992 374086 or email email@example.com
FOR SUPPLIERS...
The Total Security Summit has a proven track record in delivering you quality buyers within the security industry. Through a day-and-a-half of personally selected, tailor-made meetings, network with key decision-makers from companies ranging from Apple to Amazon, Morgan Stanley to Mulberry - all seeking suppliers for projects in 2016/17. Packages include stands, electrics, Wi-Fi access, refreshments, meals and accommodation. For the full buyer list, further information, costs and availability, please contact Nick Stannard on 01992 374092 or email firstname.lastname@example.org
THE NEW WORLD OF CONVERGED SECURITY
continued from page 1
Take the time to set and maintain robust user IDs and passwords in your video cameras. Equally important, don’t forget to delete the default user IDs and passwords set in the factory. There are only a handful of factory settings, and attackers know them all. If you don’t delete the default data, an attacker will be able to break into the cameras.

In addition, physical security devices contain programmed sets of rules that direct the operation of the device. For example, when an employee presents an access control card to a reader, the system is programmed to search the reader or the user database for the employee’s name and door permissions. If the employee’s name is in the database along with permission to access this door, the system will unlock it. No permission, no entry.

You have to protect the rules programmed into your devices by encrypting them. Attackers can access and re-write un-secured rules. There are several types of encryption used to protect rules. Whatever type you use, you must then secure the encryption itself against tampering.

The IT department’s security people can help to protect the logical components of physical security technology. They will want to help — they will have an abiding interest in protecting physical security pathways onto the company network.

After installing and configuring physical security software, it is a good idea to have a qualified technician test the strength of the lock by trying to break in. If the tech can break in, so can a hacker. Start over. Physical and IT security consultants can help with this task as well.

Helping To Defend IT

Just as the IT security people will help secure physical security devices to protect their network and data from attackers, the physical security people will help protect the IT system from becoming a path to physical security systems and devices.

One way physical security can help directly is to monitor for rogue hotspots while on patrol. Can security officers do that? Yes. With some training from IT, officers can carry inexpensive sensors that will sniff out hotspots passed during rounds. The IT security staff will know which locations are legitimate and which are not.

In the IT department itself, new and better tools can detect and mitigate attacks on the network. Some attacks may even be stopped before serious damage occurs. A physical fence protects the perimeter of a company’s plant, while firewall technology protects the perimeter of the IT network. In fact, multiple layers of firewalls protect departments. Today’s advanced firewalls and other security tools also enable administrators to watch network traffic and spot threats as they arise, whether by a hacker or unwitting user being compromised.

As a further precaution, purchasing managers should focus on vendors that provide security for the devices they sell — computers, servers and monitors — any device that connects to the network. As noted earlier, physical security devices must have inherent security as well.

For large networks at risk from debilitating denial of service attacks, current defensive software applications can spot intrusions almost as they occur and talk to filtering applications located at ISP sites. The filters can block the bad data and pass the good data through, thereby maintaining the normal flow of business.

Needed: More Security

In today’s era of convergence, the security profile of a facility is dramatically different. Physical and logical security professionals have always tried to provide the least amount of security necessary. After all, too much security slows down the pace of business coming through the doors and travelling across the network. While minimum security remains the goal, convergence has created a host of new opportunities for internal and external hackers and criminals to find and take advantage of vulnerabilities. Plugging these new holes takes more security efforts.

How much more security does this require? Security professionals are looking for that point, but it is difficult to find today, at the beginning of this new era.

Not long ago, for instance, a system operator in a large multinational company came up with an astoundingly anti-secure idea. He outsourced his job to an individual working in another country known for providing outsourcing services. The sysop surfed to a website offering outsourcing services and hired someone to do his work for a small percentage of his salary. He provided this individual with his user name and password — a major security breach — and trained him to do his job. Next, the employee installed a webcam and created a virtual private network. He secured the VPN with a VPN token and started a pornography business. He collected pornography from online sites and sold it to customers that he rounded up.

This has happened a number of times in recent years. Some have started pornography businesses. Others have come up with more tame business ideas. Whatever the business, employees that outsource their jobs not only commit fraud against their employers, but they also create major security breaches that can cost their employers a bundle.

Convergence has made a whole new set of security problems possible, making more and more security necessary. How much security is necessary in the era of convergence? Wherever the line gets drawn, it will be at a level higher than it has ever been before.
Dave N. Tyson, CPP CISSP is President of ASIS International and Senior Director, Global Information Security for SC Johnson & Son, Inc.
DUTY OF CARE
TheSMA’s New Flexible ASIS CPP Preparation Programme is Proving a Success
Since TheSMA launched their new ASIS Studyflex programmes this Spring, security managers have been taking advantage of the flexible approach to studying for the CPP exam. Achieving this high level certification is a big undertaking and many find that following a formal distance learning and classroom review programme seems to offer the best route to success. However, finding the time to complete the required number of hours study can prove difficult, and at times impossible, when assignment submissions and classroom dates are fixed. By enrolling on the TheSMA Studyflex programme, however, students have a full twelve months to complete their studies at their own pace.
The Joint Security Annual Fundraising Event will be held on 30th September 2015 at the Grange City Hotel, a spectacular five star venue. The Hotel is one of the best in the city with the Roman Wall running through the bar terrace and views overlooking the Tower of London and Tower Bridge. This will be a prestigious black tie event, and will provide those attending the perfect opportunity to network with colleagues, entertain guests or simply enjoy a relaxed atmosphere, whilst at the same time helping to support two outstandingly worthwhile charities.
Currently enrolled on the 2015 programme are security professionals from well-known public and private sector organisations, including some based in high-risk countries such as Afghanistan and Iraq. Several of these professionals have found that extremely challenging roles and changing company priorities have meant that they have had neither the opportunity to complete the required assignments on time, nor to attend the scheduled classroom reviews. The option to postpone the submission of assignments or reschedule classroom reviews has therefore proved invaluable, allowing students to combine effectively their studies with their day job.
With full support from our training team, headed up by CPP mentor, Barry Vincent, MA, MSc, CPP, PCI, FSyI, students on the Studyflex programme are able to work to a timetable that best suits them. Whether putting the course on hold for a while; taking extra time to submit an assignment, or having a choice of classroom review dates, this flexible approach is designed to offer maximum support for ultimate success in the exam. Recognising that not everyone has the same learning styles, TheSMA continues to offer our two week intensive exam preparation programme, catering for those who prefer a fast track to sitting the exam. For further details on any of our ASIS Exam Preparation Programmes, please contact Caroline Bashford, Director of Training at TheSMA at email@example.com or on +44 1491 699685.
We will hope to raise money to split equally between the two children based charities. These two worthy charities are: The City of London Police Charity for Children and Embrace Child Victims of Crime
The ticket price of £85 includes pre dinner welcome champagne, 4 course dinner (including a cheese platter) and bottles of wine on the table.