"We deliver for you," the U.S. Postal Service likes to say in its ads. Delivery of physical security for its facilities hasn't been as regular, however. GAO site visits to 13 "core facilities revealed a number of security problems," including unaccounted-for keys, deactivated alarms, unlocked gates, unsecured stamps, and employees without ID badges. On the positive side, the USPS has specified security requirements for core facilities and has made gains in carrying these out. SM Online has the GAO report on the audit.
Ancient civilizations, such as the Chaldeans, tried to predict the future by studying the movement of the planets and stars. Today's intelligence analysts face a similarly daunting task as they try to predict future terrorist movements by sifting through thousands of reports, data bits, tips, records, and electronic transmissions. Creating a methodology for detecting constellations of evidence is a top priority for the intelligence community. The RAND Corporation may have found a way to do just that. A monograph by RAND explains the approach in detail: Out of the Ordinary: Finding Hidden Threats by Analyzing Unusual Behavior.
Property owners and security professionals should look at risk assessment in a holistic context, according to a new report prepared at the University of Pennsylvania's Wharton School on behalf of the Building and Fire Research Laboratory at the National Institute of Standards and Technology (NIST). Read the NIST report, Risk Analysis for Extreme Events: Economic Incentives for Reducing Future Losses.
Only about 17 percent of police chiefs believe that terrorism or violent crime is an "extremely serious" or "quite serious" problem in their communities. By contrast, 63 percent believe that drug abuse reaches that level of gravity. The figures come from a survey commissioned by the Police Foundation and Drug Strategies. Survey results are on SM Online.
A national response plan that establishes a comprehensive all-hazards approach to domestic incidents has been issued by the Department of Homeland Security. The plan was developed with private industry help and incorporates best practices and procedures from incident management disciplines. Get it via SM Online.
Saudi Arabia holds one-quarter of the world's proven oil reserves, making security of its oil infrastructure essential to the global economy. A report by the Center for Strategic and International Studies cites the kingdom's "weakest link" as its 10,700 miles of pipeline. Still, security is taken so seriously there that "most foreseeable assaults are likely to be quickly confined and any resulting damage is likely to be repaired relatively quickly," says the report. Read it at SM Online.
When Tommy Thompson resigned as secretary of the Department of Health and Human Services, his parting words included a stark warning that the nation's food supply was an inviting and vulnerable terrorist target. Recognizing the need to beef up food-chain security, the United States Department of Agriculture, in partnership with the Agricultural and Food Transporters Conference and the Conference of the American Trucking Associations, has developed a guide for secure transport of food. Secure practices are provided for drivers and for commercial agricultural and food transporters. The latter, for example, are urged to protect their water supply system, such as by locking wellheads, pump houses, and water storage tanks. They should also assess their facilities for potential sabotage of bulk ingredients, such as by ensuring that access to corn syrup, flour, and other foodstuffs is controlled. The jointly developed food safety guidelines were fashioned as a result of a survey of 24,000 commercial agricultural and food transporters to identify vulnerabilities in food transportation. The sponsoring organizations hope the guidelines help industry. Get them via SM Online.
Some mathematicians believe that virtually everything can be boiled down to numbers and equations. True or not, researchers are currently drawing on statistics and formulas to better identify the causes of terrorism. The paper is linked at SM Online.
Malaysia and Japan use video surveillance to oversee public places. Italy uses the technology to monitor transportation. And Germany uses it to collect tolls. That's just a small sample of countries adopting public-area surveillance, notes an annual report by watchdog group Privacy International. SM Online takes you to the report.
The Office of the Comptroller of the Currency (OCC) has issued guidance to financial institutions about when OCC will cite banks for violations or take other enforcement actions against them to prevent money laundering. The guidance is available through SM Online.
A new Maryland law (formerly H.B. 666) will require the state to issue regulations governing the release of the location and specified nature of biological agents. This information will be made available to specific law enforcement jurisdictions that are located near the agents. However, such information will be kept confidential from the general public and unauthorized persons.
After reviewing comments made to its interim rule, the Transportation Security Administration (TSA) has issued an interim final rule regarding security threat assessments of commercial truck drivers who transport hazardous material. The rule will take effect May 31, 2005. To read the entire interim final rule, visit SM Online.
In a recent report, the Government Accountability Office (GAO) reviewed the Coast Guard's progress in conducting threat assessments on the nation's most valuable ports. The full report is available at SM Online.
A new rule proposed by the Transportation Security Administration (TSA) would impose additional requirements on companies that ship cargo via aircraft. The rule would require that companies conduct background checks on workers who handle air cargo but do not operate within a secure area. Currently, only those employees in secure areas of operation are screened. Checks will also be required for all people traveling on an all-cargo aircraft regardless of their job. The rule can be found at Security Management Online.
A new Maryland law (formerly S.B. 377) will prohibit the release of public records that identify or contain information about individuals or companies that maintain alarms or security systems. In an emergency situation, the records could be released to authorized personnel.
Under a new law (formerly S.B. 550), companies that provide nursing services must meet certain state requirements. Before a nursing-referral agency can obtain a license in the state, its owners must undergo a background check from the Maryland Department of Health and Mental Hygiene. It must also submit proof that it has a viable complaint-investigation process.
A new Florida law (formerly S.B. 124) requires that the state's chief of domestic security initiatives work with state agencies, universities, and community colleges to conduct security assessments for all of the buildings, facilities, and structures operated by these groups. With the assistance of employees within these groups, the chief will compile the assessments and present them to the governor and to lawmakers. The governor and lawmakers must also be informed if any state agency, university, or community college fails to cooperate with the assessment process. The law allows the chief to conduct follow-up assessments to ensure that the security assessments remain current. Under the law, the chief is also mandated to work with local governments and private industry to develop security assessments. The assessments are mandatory for state-funded agencies and organizations; however, private industry and local municipalities have the option of conducting assessments with the chief's help. The costs must be borne by the local government or the private company involved.
A federal appeals court has ruled that a government drug-testing policy did not impinge on the constitutional rights of an employee. In the case, Robert Relford was arrested for drug possession. He attempted to hide the fact from his supervisor at the Lexington-Fayette Urban County Government. However, the supervisor learned of the arrest and told Relford to submit to drug counseling. During the counseling, Relford was chosen for a random drug test. He failed the test and was terminated. The court ruled that testing employees who are participating in a rehabilitation program is constitutional. (Relford v. Lexington-Fayette Urban County Government, U.S. Court of Appeals for the Sixth Circuit, No. 03-5600, 2004)
The Department of Homeland Security (DHS) has made many improvements in its information security program, according to the agency's Inspector General (IG). However, he notes in a new report that the agency still lacks "an accurate and complete system inventory." An effort is being made to create such an inventory with assistance from an outside contractor, but without an inventory in place, the IG was unable to determine whether systems have been properly certified and accredited. Read the report.
The number of information security professionals will nearly double, rising to 2.1 million by 2008, predicts the International Information Systems Security Certification Consortium, or (ISC)². The rate of growth will vary by region, however, according to the group's Global Information Security Workforce Study. For example, growth of about 12 percent annually is anticipated in the Americas, while growth of about 18.3 percent is expected in the Asia/Pacific region. The study, conducted by market intelligence firm IDC, was based on a questionnaire filled out by 5,371 respondents from more than 80 countries.
Stories about IT security pass from fact to hyperbole all too quickly when vendors or government officials focus on the dramatic rather than the factual elements of an anecdote. How to separate the truthful from the fanciful? Noted IT security guru Mich Kabay, associate professor of information assurance at Norwich University, has created a database of more than 5,000 "interesting or significant events" related to IT security going back to 1995. The events, cataloged both in PDF format and MS Access, are classified using a taxonomy of hundreds of keywords on topics ranging from identity theft to virus hoaxes. You'll probably find the perfect IT story to illustrate your next presentation. Just point your browser to www.securitymanagement.com to link to the database, this month's A Site to See.
A British financial services firm discovered that a fake Web site bearing its name had been set up, presumably to "phish" for customer passwords and account information. Unfortunately, it took ten days before the firm found a way to have the site taken down. (It ultimately went to the U.S. Secret Service for help in getting the American Internet service provider to take down the site.) Countering Financial Crime Risks in Information Security: Financial Crime Sector Report is available through www.securitymanagement.com.
What are the benefits of using free and open-source software (FOSS) rather than a proprietary software product? And what are the risks? These questions are examined by the Federal Deposit Insurance Corporation (FDIC) in a guidance letter to financial institutions.
Rep. Mary Bono (R-CA) has reintroduced a bill that would require that consumers receive "a clear and conspicuous notice" prior to software being loaded onto their computers. H.R. 29, titled the Securely Protect Yourself Against Cyber Trespass Act (SPY Act), is cosponsored by lawmakers from both sides of the aisle. It was first introduced in 2004 and passed the House in October. However, the bill was not passed by the Senate before the end of the 108th Congress. The SPY Act is meant to protect consumers from spyware, programs that are surreptitiously loaded onto a computer that are able to track and gather the consumer's data, including which sites were visited or even sensitive information such as credit card numbers. The Federal Trade Commission would be responsible for enforcing the SPY Act and would be authorized to fine offenders as much as $3 million per violation.
Government IT managers spend three hours each day completing information security compliance reports, according to research from Intelligent Decisions, a systems integrator that interviewed more than two dozen government security professionals. But patch management tops their list of concerns. More from Federal Information Security Officer Survey Results is at SM Online.
According to statistics released by MessageLabs, a managed e-mail security services provider that scans e-mail for its clients, 73.2 percent of the messages it scanned in 2004 were spam. Of the 147 billion e-mails it scanned, it found that 1 in 16 contained a virus (MyDoom ranked first). And more than 18 million phishing e-mails were intercepted, from a low of 337,050 in January to 4,522,495 in November, jumping nearly tenfold between June and July. MessageLabs Intelligence Annual E-mail Security Report 2004 is available through SM Online.
The Department of Homeland Security has awarded $9 million in grants to 12 information technology projects under the Information Technology and Evaluation Program (ITEP), which aims to improve information-sharing capabilities. The projects, selected from 113 proposals, include an Arizona program to enhance wireless security for first responders, a port security communications network in Rhode Island, and an XML-based facial imaging system for use by law enforcement and other first responders in North Carolina. Learn more about ITEP by visiting SM Online. Link to the project and a research paper from NIST via SM Online.