Beyond Print
December 2004

Port security.

A report says that the port of New York and New Jersey is "still very vulnerable."

Passenger screening.

The ACLU says that the TSA's new passenger-screening program for flyers is CAPPS II redux.

Identity theft.

FTC addresses the appropriate proof of identity needed by consumers to block identity theft.

      Intelligence

      Nuclear security

      While the Nuclear Regulatory Commission (NRC) has bolstered security at nuclear plants since 9-11, the GAO cannot yet say whether each plant "has taken reasonable and appropriate steps to address the new design-basis threat," which establishes the maximum terrorist threat that a facility must defend against. Security plans reviewed by GAO lacked "important site-specific information," including where responding guards were to be stationed. Moreover, the GAO noted that the NRC isn't sharing with plants lessons learned from inspections at those plants.

      Intelligence reform

      Because significant changes in large organizations can take at least five to seven years, Congress might want to address the transformation of the intelligence community by lengthening the terms of directors, testified the GAO's J. Christopher Mihm before the Subcommittee on Oversight of Government Management, the Federal Workforce, and the District of Columbia, of the Committee on Governmental Affairs. He also spoke about how the FBI has been matching special agents and analysts with critical skills to address its top priorities, a model that the intelligence community might want to follow.

      Diploma mills

      Yes, there really is a company operating on the Internet as Degrees-R-Us, and GAO auditors purchased bogus degrees from a fictitious university from the company, according to Robert J. Cramer, who testified before the House Subcommittee on 21st Century Competitiveness, Committee on Education and the Workforce. The GAO also set up its own diploma mill and was able to obtain certification from the Department of Education to enroll in the Federal Family Education Loan Program. Finally, GAO auditors determined that some senior-level federal employees have obtained degrees from diploma mills, though specific numbers couldn't be determined.

      Did You Know That?

If you're the victim of a biological attack, should you quarantine yourself at home or go to a hospital? If you're in a high-rise during a nuclear attack, where should you go? A reference card by the RAND Corporation answers these questions, explaining how individuals should prepare for and respond to nuclear, biological, chemical, and radiological attacks. Get the card via SM Online.

        Did You Know That?

A survey of mid-size to large companies that are members of the American Management Association shows that fewer have emergency action plans in 2004, 61 percent, than had them in 2003, 64 percent. The number of groups that had a crisis management team also slipped in that same period, from 52 percent to 44 percent. Though part of the difference may be due to the margin of error, it suggests at the very least that the numbers are flat. Link via SM Online to a survey summary.

          Crime against tourists

          Police in New Orleans and Orlando have created special units dedicated to protecting tourists. Officers are trained to be sociable with tourists, and the units are allied with tourism associations and organizations, according to a new problem-oriented-policing guide on tourist crime developed by the U.S. Department of Justice. Hotels and other sectors of the tourism industry in those cities are strongly encouraged to perform background checks on employees, and police urge that these staff members be heavily punished if found guilty of crime against tourists. Other jurisdictions make it easier for victimized tourists to testify against criminals; Hawaii, for example, has enacted a statute allowing victims to testify from their homes via teleconferencing. Various other measures are in use around the United States, such as creating business-improvement districts in downtown areas, and encouraging hotels to adopt practices to reduce guest victimization, including requiring guests to show identification before entering the building. Disney World uses crime prevention through environmental design techniques to protect visitors. "Virtually every pool, fountain, and flower garden serves both as a visual attraction and a means to direct visitors away from, or toward, particular locations," the guide says. The document is on SM Online.

          Money laundering

A global anti-money-laundering survey conducted by KPMG suggests that money laundering has captured bank executives' attention because of its potential impact on profits. Anti-money-laundering (AML) "has become a key issue for senior management because the possibility of an AML-related failure now poses significant potential reputational risk, both domestically and for banks' international operations," says the report. Attention to AML measures has increased even as the cost of complying with money-laundering regulations has jumped by 61 percent over the past three years, according to the survey, with most of this increase devoted to transaction monitoring and staff training. Two-thirds of the 209 responding banks, representing 41 countries, indicated that they have generated more suspicious activity reports over the last three years. "This can be attributed in part to increased use of electronic monitoring systems," say the report's authors, "suggesting that the marked investment in these tools has proved beneficial; it also confirms the benefits accruing from the increased investment in training confirmed by the survey." Find the 51-page report on SM Online.

          Duress systems

          In the oft-spoofed television ad for a personal alarm, an elderly woman cries "I've fallen and I can't get up." As security professionals are well aware, it's not just the elderly and infirm who benefit from duress systems. Correctional officers, who are constantly at risk of being attacked, also need a quick way to call for assistance. The National Institute of Justice and the Department of Defense have pulled together information on commercial systems and prepared a selection guide for correctional officers. Correctional Officer Duress Systems: Selection Guide provides detailed information on nine commercially available systems and vendor contact information. The guide divides duress alarms into three types. First are panic-button alarms, which are often found in banks. Second are identification alarms, which officers carry; they work by broadcasting a wireless signal to a nearby sensor, which forwards the alarm to a central console. Third are identification/location alarms, which are similar to ID alarms but can also track corrections staff and pinpoint alarm locations. The guide describes the benefits and drawbacks of each type of alarm. For example, while identification/location alarms provide the most information, they are also most costly and difficult to install. Links to both the report and a summary of it can be found on SM Online.

          Legal Report

          Bioterrorism.

          The government's Project Bioshield, which requires that the government and private industry produce and stockpile vaccines to protect Americans in the event of a terror attack, became P.L. 108-276. The law has three parts. The first directs the Public Health Service to conduct research and development on biomedical countermeasures through the Director of the National Institutes of Health and the Director of the National Institute of Allergy and Infectious Diseases. The second provides these agencies with contracting authority to procure effective countermeasures such as vaccines and serums against chemical, biological, radiological, and nuclear agents. The third allows the Secretary of Health and Human Services to approve promising new drugs and devices on an emergency basis. 

          Cargo security

          Cargo security has been considered in many forms during the 108th Congress. Two measures became law, but numerous others failed to receive congressional approval. A cargo security amendment added to the 2004 Department of Homeland Security appropriations bill became P.L. 108-90. 

          Computer security

          A bill designed to enhance computer security at government facilities became P.L. 108-281. The law authorizes the Judicial Conference of the United States to enact rules to protect the privacy and security of documents that are filed electronically with the government. The rules must consider the best practices currently in use in federal and state courts to protect information security. The final rule, according to the new law, should be uniformly applied across the judicial system.

          Concealed weapons

A law (P.L. 108-277) exempts off-duty and retired law enforcement personnel from compliance with concealed weapons laws except in certain circumstances. The law does not supersede state laws that allow private property owners to ban firearms on their property. Similarly, the law does not apply to state or local government buildings where firearms are prohibited.

          E-mail

          A bill designed to limit the amount of unsolicited e-mail sent via the Internet became P.L. 108-187. The act defines unsolicited e-mail as any message with the primary purpose of commercial advertisement or promotion of a commercial product or service. Such messages must include a notice that they are an advertisement or solicitation and must provide a valid return e-mail address to allow recipients to opt out of future messages. The sender has 10 days to stop sending messages after the opt-out request has been received. 

          Fraud

          A bill that would make it illegal to tamper with document-authentication features in an effort to commit fraud was included in P.L. 108-21, the Prosecutorial Remedies and Other Tools to End the Exploitation of Children Today (PROTECT) Act of 2003. Under the new law, it is illegal to tamper with authentication features such as holograms, watermarks, or any other item designed to prove a document is valid and unaltered. The law also makes it illegal to use a false authentication feature--a feature that is genuine in origin but is used without authorization, or a feature that has been altered.

          Identity theft

          A bill (H.R. 1731) designed to increase criminal penalties for identity theft was signed into law (P.L. 108-275) by the President. The law creates the crime of aggravated identity theft for crimes that involve felonies, such as bank or mail fraud. This crime carries a sentence of two additional years in prison added to the felony conviction. Those who commit identity theft while also perpetrating a criminal act will be given an additional five years in prison.

          Investigations

          A law (P.L. 108-159) renewing the expiring provisions of the Fair Credit Reporting Act includes a provision stating that information about certain internal investigations need not be communicated to the target of the investigation until the inquiry is completed.

          Aviation security

          Two bills (S. 957 and H.R. 1889), introduced by Sen. Barbara Boxer (D-CA) and Rep. Nita Lowey (D-NY) respectively, would have required that aircraft cabin-crew members be certified and trained on security and safety procedures. Despite bipartisan support, neither bill garnered committee approval.

          Bus security

          A measure designed specifically to address security aboard commercial buses (S. 929) was approved by the Senate and referred to the House, but the House never acted on it.

          Chemical plant security

          A bill (S. 994) that would have required operators of certain chemical storage facilities to develop security plans was approved by the Senate Committee on Environment and Public Works but was not considered by the full Senate.

          Discrimination

          A bill (S. 1053) making it illegal to discriminate against someone on the basis of genetic information was approved by the Senate but was not taken up by the House of Representatives. The bill would have prohibited discriminatory acts by health insurance companies and employers.

          First responders

          Two bills (S. 930 and H.R. 3266) designed to provide funds and training to first responders failed to go further than being considered in committee.

          Nuclear plant security

Two bills that would have required enhanced security at nuclear power plants were introduced in the 108th Congress, but neither was approved. S. 1043 would have required that the government classify threats against power plants; coordinate federal, state, and local security efforts; review the adequacy of existing security plans; and revise hiring and training standards for private security officers serving at nuclear power plants. H.R. 2951 would have prohibited the operation of any nuclear power plant unless it had a government-certified radiological emergency response plan. Such plans would have been required to provide reasonable assurance that public health and safety were not endangered by the operation of the facility.

          Port security

          Two bills were introduced to address port security issues. The first bill (S. 1400) was approved by the Senate but was not considered in the House. The bill would have established an integrated coastal-observation system with several goals, including fighting terrorism and monitoring storm activity. The system would also have collected data on the marine environment and ocean life. Another Senate bill (S. 193), which would have required that the Department of Energy evaluate radiation detection systems for use at U.S. seaports, failed to win approval in its Senate committee. The system would have been used to detect the presence of a dirty bomb being smuggled into the U.S. aboard a cargo vessel.

          Privacy

          One bill (S. 1350) considered by lawmakers would have required that companies victimized by an electronic security breach notify customers that their information may have been compromised. The bill, which was similar to one that took effect in California this year, was considered in committee, where hearings were held, but was not brought to a vote.

          Security equipment

          Several bills introduced in the 108th Congress would have given companies tax breaks or incentives to purchase security equipment. Such equipment included physical security devices and fire-safety technology. 

          Security officers

          A carefully watched bill (S. 1743) that would have allowed employers to search the FBI database when doing background checks on security officer applicants was approved by the Senate and was subject to hearings in the House Education and Workforce Committee's Subcommittee on Employer-Employee Relations. However, the bill did not garner the subcommittee's approval.

          Security standards

          A bill (S. 216) that would have established a Private Security Industry Task Force within the Department of Homeland Security was introduced but was not actively considered by lawmakers in this congressional session.

          School security

          A bill (S. 620) that would have provided federal grants to install sprinklers or other fire suppression or prevention technologies in college and university dorms died in committee. The funds could have been used by public and private institutions to provide fire-safety equipment in all campus housing including sorority and fraternity houses. 

          Terrorism

          Several new bills introduced by lawmakers focused on helping states respond to acts of terrorism. The bills would have established grant programs to help fund states' first responder activities; the bills also would have established grants for terrorism-related training and technical assistance for state officials. 

          Managing

          Leading Edge

          To prove security's worth, managers must communicate security's value to every facet of the organization.

          Technofile

          FTC Fights Spam With Carrot and Stick

The Federal Trade Commission (FTC) has been at the forefront of efforts to contain the onslaught of spam that still plagues e-mail in-boxes across the world. Most of its efforts have relied on using legal action as a stick. Now it's trying the carrot as well, in a report to Congress on a proposed informant reward system under the CAN-SPAM Act. The report first notes that it is still too early to assess the effectiveness of the law, which has been in effect for slightly less than a year. There are some "significant hurdles" facing the FTC in these cases, according to the report: identifying the source of spam, developing enough evidence to hold a person liable for spam, and obtaining monetary rewards (the theoretical maximum civil penalties are typically mitigated by factors such as the defendant's ability to pay, for example). Read the report, A CAN-SPAM Informant Reward System: A Report to Congress.

          A Shocking State of IT Security

Throwing money at information security has never been a particularly effective way of preventing or solving IT problems. Indeed, the Department of Energy (DOE) is finding that throwing $2.7 billion (the amount estimated for fiscal year 2004) at its computer security issues may not do the job. The agency's inspector general, Gregory H. Friedman, noted in a recent evaluation of systems that while DOE "continues to improve its unclassified cyber security program," there are still many problems that "could expose critical systems to compromise." Read the inspector general's full report.

          Hacking for Bobby Fischer

The world of online chess, which offers big rewards to contest winners, presents a potentially lucrative target for unscrupulous players with hacking skills and some knowledge of cryptanalysis. And it may not be hard to checkmate these insecure sites, according to the findings of security researchers from the University of Colorado at Boulder.

          Dynamiting Phishers

          A financial services research organization has launched a new initiative to address the phishing problems that have been plaguing the sector. The three-phase project, to be conducted with the collaboration of other industry groups, will first look at technical requirements for counterphishing solutions and consider and test plans. The second phase will be used to implement pilots, assess results, and provide recommendations for the most promising solutions. The third and final phase will be dedicated to implementing these recommendations. 

          A Site to See

Anyone with $699 to spare can buy a magnetic stripe code reader/writer that can, according to a sales pitch, "change any information you'd like including balance and credit information" after a single swipe of the card. Seventy bucks at the same site will buy you a keystroke logger with an 8,000-stroke memory, while for a mere $25 you can get a product that claims to be able to make it "impossible for a video or still camera to take a legible photograph of your license plate number." Think you know your enemy? You'd better check out the hacker technology Web page that is this month's Site to See to find out whether you really do, and whether you know what kind of technology he or she has access to.

            A Web of Intelligence Networks

            Getting government agencies to share security information means first identifying the networks involved. A congressional briefing by the Government Accountability Office identified nine agencies and 34 networks that support homeland security functions (two of these networks are still under development). The briefing outlines each network and gives examples of how they might work together for counterterrorism efforts. Information Technology: Major Federal Networks That Support Homeland Security Functions is available via SM Online.

            Security awareness lacking

What is the top obstacle to effective information security? According to the results of a recent Ernst & Young infosec survey, it's the lack of security awareness by users. Yet only 28 percent of the respondents indicated that their organizations made employee awareness training on IT security issues a top priority, and less than half provided employees with ongoing training in security. The survey's respondents included CIOs, CSOs, CISOs, and other top executives from more than 1,200 organizations. Link to the Ernst & Young Global Information Security Survey 2004 through SM Online.

              IT important, problematic

More than half of the organizations polled by the IT Governance Institute revealed that they regularly include IT subjects on their boards' agenda. That may indicate IT's increasing profile, but it also may reflect the fact that all but 7 percent of respondents said that they had experienced IT problems in the last year. The IT Governance Global Status Report is available for $100.

              How much protection is needed

A mom-and-pop company with a dozen employees and an organizational behemoth like the Department of Defense both need to secure their computer networks. But not all networks need the same level of protection. A new draft publication of the National Institute of Standards and Technology (NIST) provides recommended sets of security controls for low-, moderate-, and high-impact computer networks. The final version of NIST Special Publication 800-53 will be published next month. Link to it via SM Online.