Beyond Print
June 2005

Eyes on the road

Truckers receive training to spot signs of terrorists.

    The Key to Winning Contracts

    Links to contract information

      There's No Free Lunch

      Contract requirements.

        The Key to Winning Contracts

        NAICS and FSC codes

          Intelligence

          Breath of Fresh Air for Building Security

          Protecting the HVAC system from biological, chemical, and radiological weapons can be difficult. A paper by Michael MacDonald of Oak Ridge National Laboratory offers some guidance. The document helps security managers understand the various threats, pointing them to online sources for more detailed information. Also provided is an outline for performing vulnerability and threat assessments. In addition, the author explains how to reduce exposure to harmful agents and introduces readers to mitigation technologies and actions. The paper notes that no real-time biological sensor currently exists. Limited-efficacy chemical detectors and radiological sensors are available, but they are high in price. Also included is a fictitious case study that walks building managers through the process of securing a building’s HVAC system. Although targeted to managers in federal facilities, the guide is equally applicable to the private sector. Find the document online.

          Secure Flight in Holding Pattern

          A government report, as well as its competing interpretations, has raised questions about when the latest passenger prescreening system for commercial flights will take wing. Secure Flight, the latest iteration of the scuttled Computer-Assisted Passenger Prescreening System II (CAPPS II), must overcome several serious challenges, according to a report by the Government Accountability Office (GAO). @ Link to the GAO report, the ACLU press release, the Leahy statement, and the Schneier blog via SM Online.

          Aviation security

          Five Fs, 4 Ds, 3 Cs, and 2 Bs. If you brought home a report card like this when you were a kid, you’d be grounded. The U.S. aviation security industry just brought home those grades, but don’t expect planes to be grounded any time soon. The “teacher” handing out these dismal marks is the Coalition of Airline Pilots Associations (CAPA), which brings together the 22,000-pilot-strong union membership of five airlines. The worst grades went to screening cargo, credentialing, crew training in self-defense, missile defense, and employee screening. In comments accompanying the report card, CAPA notes that “near total reliance” on the Known Shippers program for cargo screening is a “serious flaw.” Comments under credentialing note that the Transportation Security Administration has yet to deploy available biometric technology.
          Here’s the breakdown of grades: Barely receiving a passing grade of D were perimeter security, threat intelligence, federal flight-deck officers on passenger planes, and federal flight-deck officers on cargo planes. Grades of C went to passenger screening, federal air marshals, and classroom training for crew. Faring best, with grades of B, were bag screening and passenger flight-deck doors. “The reinforced doors are installed and appear to be working well,” say the comments accompanying the report card. @ The comments and the report card can be accessed via SM Online.

          Bomb threats in school

          If a student says to a gym teacher, “All jocks should be blown up,” should it be taken as a threat? Probably not if the student was laughing or obviously joking, but if the student has a history of making such pronouncements, the school might want to treat it as a legitimate threat. In general, the more specific the threat, the more seriously it should be taken, according to one of the latest entries into the Department of Justice’s Problem-Oriented Guides for Police, called “Bomb Threats in Schools.” The guide discusses the problem of bomb threats in schools, factors contributing to such threats, the right questions for administrators to ask themselves about the problem, and possible initiatives to prevent or respond to threats. Sixteen viable initiatives are presented, 9 involving prevention, 7 involving immediate response. For example, schools can develop a bomb-threat response plan. The guide points to an online tool developed by the Department of Homeland Security in conjunction with the New Mexico Institute of Mining and Technology for training and refresher courses on response planning. Immediate responses to a bomb threat may include recording the threat, analyzing it, evacuating the school, searching for a bomb, talking to the media, following up after the incident, and placing police officers in schools. The guide is on SM Online.

          Agroterrorism

          As in many sectors of the U.S. critical infrastructure, agriculture has made great strides in security since 9-11. A report by the Government Accountability Office (GAO) documents some of these achievements, such as ongoing vulnerability analyses conducted by the U.S. Department of Agriculture (USDA) and the Food and Drug Administration to determine which agriculture products are most vulnerable to terrorist attacks. But efforts elsewhere are lagging. For instance, many U.S. veterinarians lack training to identify signs of foreign animal diseases, and the USDA does not use “rapid diagnostic tools” to test animals at the site of a disease outbreak. Also, while imports have increased, agricultural inspections at ports of entry have decreased over the last two years. In addition, states aren’t receiving enough technical federal assistance in developing emergency plans to prepare them to deal with terrorism, the GAO auditors write. The auditors recommend 11 courses of action to improve the U.S. preparedness for agroterrorism. For instance, they call for expediting a USDA draft rule that would require veterinarians to be trained to recognize foreign animal diseases. SM Online has the full report.

          Stun guns

          Nonlethal weapons have been under the microscope since a woman was shot in the eye and killed by a pepper-spray-filled ball after the Boston Red Sox clinched the American League pennant last year. And the once-high-flying stock of Taser International plummeted back to earth at the beginning of this year when it announced that it had received an informal inquiry from the Securities and Exchange Commission about the safety of its products, which helped trigger a spate of lawsuits. The Potomac Institute for Policy Studies, an independent research body, has now released a paper concluding that “when stun technology is appropriately applied, it is relatively safe and clearly effective.” Examining the 72 cases identified by Amnesty International in which stun weapons have been associated with deaths, the authors found that “the probability of death after stun device administration to the body is from one in a thousand to one in one hundred thousand.” The report also notes that there is no federal regulatory oversight of nonlethal stun weapons, with the result that there are no widely accepted engineering standards for these weapons. The Potomac Institute, whose paper can be found via SM Online, calls for “industry-driven, government-endorsed standards.”

          Legal Report

          Identity theft

          A Michigan appeals court has ruled that a union had a special duty to protect the personal information of a member. In the case, a third party committed identity theft against union members after stealing union rolls. (Audrey Bell et al v. Michigan Council 25 of the American Federation of State, County, and Municipal Employees, Michigan Court of Appeals, No. 246684, 2005)

          Medical testing

          A federal appeals court has ruled that an employer violated the Americans with Disabilities Act (ADA) by basing a hiring decision on a medical test before the applicants had completed the rest of the hiring process. The court also allowed the applicants’ invasion of privacy claim to proceed to trial because the employer could not prove that its extensive blood testing procedure was standard in the industry. (Leonel v. American Airlines, Inc., U.S. Court of Appeals for the Ninth Circuit, No. 03-15890, 2005).

          Hazardous materials

          The Transportation Security Administration (TSA) has announced that it will begin the final phase of its Hazmat Threat Assessment Program. Commercial truck drivers applying for a license to carry hazardous materials will be fingerprinted and will have to pass a criminal records check and an immigration status check before they are issued a license. (The drivers were already subjected to a background check to determine any terrorist affiliation during phase one of the program.) Those disqualified under the program can appeal the decision. Drivers who give up their current hazardous-materials license will not be required to undergo the final phase of the program. Drivers who pass the screening are required to be recertified at least every five years. @ The TSA’s announcement and details of the program are available at SM Online.

          Port security

          The 2006 U.S. Government budget (H. Con. Res. 95) proposed by the Bush administration does not include funding for the port security grant program. The program, which has distributed $565 million since its inception in 2002, would be replaced by the Targeted Infrastructure Protection program. The new program would offer a total of $600 million in grants. Under the Targeted Infrastructure Protection program, ports would compete with other transit systems, railroads, and buses for funding. The Coast Guard, along with container security initiatives and trade partnership programs, would, however, see an increase in funding from 2005. @ Details of the budget, which had passed both houses at press time and awaited the President’s signature, are available at SM Online.

          Privacy

          Two bills (H.R. 1069 and H.R. 1263), introduced by Rep. Melissa Bean (D-IL) and Rep. Cliff Stearns (R-FL) respectively, would require that data collection organizations notify consumers when their personal information has been compromised.

          Cargo security

          A bill (S. 376) introduced by Sen. Kay Bailey Hutchison (R-TX) would require that the government develop a system to increase the number of shipping containers physically inspected, monitored, and tracked within the United States. The bill would require that at least 50 percent of all ocean-borne shipping containers be inspected by 2007.

          Insurance

          A bill (S. 467) introduced by Sen. Christopher Dodd (D-CT) would extend the Terrorism Risk Insurance Act of 2002 (TRIA) for three more years. The extension would keep the program, which expires at the end of this year, in place while a commission develops a transitional system to take its place. Proponents of the bill argue that without the TRIA, a government program that keeps insurance for terrorist attacks affordable, terrorism insurance would become unaffordable for most businesses.

          Firearms

          A bill (H.B. 896) currently under consideration in the Texas Legislature would make it illegal for employers to ban firearms from their parking areas. Employers could not establish, maintain, or enforce any policy or rule that constitutes such a ban. The provision would allow employees who have a concealed-weapons permit to bring the guns to the workplace so long as they are kept in a locked vehicle. ASIS International has announced its opposition to such legislation, noting that employers have an obligation to provide a safe workplace and that bills such as H.B. 896 make accomplishing this impossible.

          Fingerprinting

          A bill (S.B. 5157) that would allow state agencies to purchase different fingerprinting systems has been approved by the Washington Senate and is now pending in the House Criminal Justice and Corrections Committee. The bill would allow state agencies, including various law enforcement groups, to purchase any brand of fingerprinting system so long as the systems are interoperable. The bill would overturn a 1996 law that required all state agencies to purchase the same system.
          Another bill (S.B. 5553), which would require fingerprint background checks for purposes not related to criminal activity to be submitted electronically, has been approved by the Senate Health, Services, and Corrections Committee. The proposed legislation is currently awaiting action in the Washington State House Ways and Means Committee.
          The bill, which would have a significant effect on fingerprint background checks conducted during the hiring process, would provide $270,000 to help upgrade the current system. The proposed legislation also requires that the electronic fingerprints, such as those obtained by employers, be destroyed after the background check is complete.

          Background screening

          Gene Moran was hired as a paralegal in a law firm. However, in conducting a background check after he began work, the company learned that Moran had several felony convictions. The company requested Moran's resignation. Moran asked for the records the company used to make its decision, citing the California Investigative Consumer Reporting Agencies Act (ICRA). The company mailed the information a day after receiving the request. Moran filed a lawsuit claiming that the firm violated the ICRA by not providing him with the information before it made its decision. A state appeals court found in favor of the firm, ruling that it had acted in good faith and had provided the information to Moran in a reasonable amount of time. (Moran v. Murtaugh, Miller, Meyer & Nelson, California Court of Appeal, No. G033706, 2005).

          Vicarious liability

          An Iowa appellate court has ruled that Harriet Remington, the owner of a horse ranch, is not liable for the death of Lori Darling, a visitor. In the case, Darling died after being thrown from one of the ranch's horses. Darling's estate claimed that a ranch employee who allowed her to ride the horse was the cause of Darling's death. Through the legal theory of vicarious liability, the estate claimed that Remington should be held liable for Darling's death. The court ruled that the fatal ride was in no way connected to the ranch or its operation. The fact that it occurred on the farm did not make it business-related. (Darling v. Remington, Iowa Court of Appeals, No. 5-103, 2005).

          Technofile

          Making a Federal Case of IT Security

          The federal government needs to play a greater role in protecting the IT infrastructure of the United States, according to two recent reports. The first report, from the President’s Information Technology Advisory Committee (PITAC), a group of independent experts appointed by the president to provide advice on IT issues, warns that the nation’s IT infrastructure “is highly vulnerable to attack.” Read the PITAC report, Cyber Security: A Crisis of Prioritization, and the CRS report, Creating a National Framework for Cybersecurity.

          Impeccable Credentials

          One card that works across the government as an ID and for access is a step closer to reality. In accordance with Homeland Security Presidential Directive (HSPD) 12, the National Institute of Standards and Technology (NIST) has released a standard specifying the architecture and technical requirements for a common identification standard for federal employees and contractors, such as a smart card with embedded biometric data. The first part of the standard gives minimum requirements for a personal identity verification (PIV) system that meets the control and security objectives of HSPD 12, while the second part provides the technical requirements, such as card elements and system interfaces, to support the control and security objectives as well as to maintain interoperability. PIV-I mandates, for example, that a detailed background investigation be completed before ID credentials are issued. It also requires that the applicant appear in person at least once during the process and that he or she present two forms of identification in original form. The Federal Information Processing Standard 201, Personal Identity Verification of Federal Employees and Contractors, is available at SM Online.

          A Site to See

          If you’ve got all day to prowl around a single site devoted to IT security, let it be Infosyssec, a portal to everything you ever wanted to know—and lots that you never knew that you needed to know—about cybersecurity. Everything from breaking computer-security news stories to dozens of news groups and mail lists to scores of niche search engines to the latest antivirus alerts. The wealth of resources that can be found in this one venue makes Infosyssec well worth the visit. @ Find the site on SM Online.

            The Cost of Complying with Sarbanes-Oxley

            Sarbanes-Oxley may help the public reclaim its confidence in Corporate America, but it’s costing corporations plenty, according to a survey of chief financial officers (CFOs) by Financial Executives International (FEI), a professional organization of CFOs and other senior financial executives. Costs for complying were estimated at $4.36 million, 39 percent more than the $3.14 million they expected to pay (based on a July 2004 estimate from a previous FEI survey).
            The 217 public companies surveyed estimated internal costs of $1.34 million, $1.72 million for external costs and $1.34 million for auditor fees. The majority of respondents felt that giving investors more confidence in a company’s financial reports was a benefit of Sarbanes-Oxley, but 94 percent thought the costs of compliance would exceed the benefits, a position echoed in a survey conducted by Broadgate Consultants in which 83 percent of the 105 institutional analysts and portfolio managers surveyed felt that Sarbanes-Oxley should be modified to make compliance more cost effective. Similar concerns were voiced at a recent roundtable before the SEC. @ SM Online has highlights from FEI’s Sarbanes-Oxley Section 404 Implementation Survey as well as testimony from the SEC roundtab

            The ROI of smart cards.

            One possible step on the road to converging the physical and IT security functions within an organization is investing in smart cards to secure physical access to a facility as well as logical access to critical systems. But is there a good return on investment (ROI) to do so? There is, according to The ROI Case for Secure Access, which reports the findings of a 53-company survey from IT research firm Datamonitor. The report estimates an annual savings of close to $2.5 million for an enterprise with 2,000 employees (of course that’s not including the cost to deploy smart cards in the first place). Savings are realized by, for example, managing PKI certificates through the cards, cutting the number of password-related IT queries, and saving time via faster access to facilities. @ The full Datamonitor report is accessible at no charge through www.securitymanagement.com