May 2009
Write for Us
Have you seen a story you would like to see included in The Risk Communicator? Do you have a research project you want to share with your colleagues? If so, please contact the newsletter staff at newsletter@sarma.org.
Legal Matters
Copyright 2009 SARMA All Rights Reserved
The views expressed in The Risk Communicator reflect the views of their authors, and do not necessarily reflect the views of SARMA, the US Government or the employers or clients of the contributors.
President's Corner
Dear Fellow SARMA Members,
As we enter the busy home stretch leading up to SARMA's 3rd Annual Conference on Security Analysis and Risk Management in mid-June, I'm delighted to be able to share a number of exciting developments.
First, I am pleased to announce that, in conjunction with this year's conference, SARMA will present its first-ever Excellence in Public Service Award to former Secretary of Homeland Security Michael Chertoff. This award recognizes individuals who have strongly and consistently promoted security risk management principles and practices in government. At DHS, Secretary Chertoff elevated risk management as a key element of the Department's management agenda. It follows, then, that he would be the logical choice as the inaugural recipient of this important award. A separate article in this issue of The Risk Communicator provides further details on the award and the special evening reception to be held in Secretary Chertoff's honor on Monday, 15 June. Whether or not you plan on attending the remainder of the conference, this event is a must for your calendar!
SARMA's recent conference-related activity hasn't been confined to the Association's own events, however. In mid-May, a number of SARMA's senior leaders attended the 20th Annual National OPSEC Conference in San Antonio, Texas. During the event, SARMA's Immediate Past President, Ed Jopeck, delivered a well-received presentation on the similarities between the OPSEC and security risk management professions. Board Chairman Phil Lacombe and other SARMA officials also jointly co-hosted a reception with the OPSEC Professionals Society (OPS) and the Operations Security Professional's Association (OSPA) at which all three organizations' leaders pledged to continue working together in multiple ways -- from sharing best practices on training and certification programs to more ambitious forms of collaboration and resource sharing.
Within SARMA, there have also been significant developments relative to the agenda I pledged to pursue shortly after taking office last summer. Importantly, the SARMA Board of Directors approved revised bylaws at its last meeting, and has also drafted updated articles of incorporation for approval by the SARMA membership at the annual meeting during the upcoming conference. These updated foundational documents will help to ensure SARMA remains a vibrant and forward-looking organization that is fully compliant with Federal and Virginia statutes. Another priority of this agenda was to find ways of alleviating the growing burden being placed on our volunteer leaders and members as we expanded and branched out into new areas. As part of the ongoing strategic dialogue led by Board Chair Lacombe and Executive Vice President John Paczkowski, we have concluded the time is right for SARMA to create the new position of Executive Director. The individual named to this position will have a broad range of responsibilities, from ensuring the steady growth of membership and outreach efforts and "deepening the bench" of people willing to devote their time and talents to SARMA, to supporting the association's leadership in its drive to ensure SARMA continues to influence public discourse over, and perceptions of, security risk management principles and practices. I will have more to announce in this regard at the annual meeting, including the identity of our first Executive Director. I am excited by these much-needed organizational changes, and also gratified to see the excellent program our hard-working Conferences and Events team has developed for our Third Annual Conference. I certainly hope to see you in Arlington, Virginia, next month, and to have the opportunity to share our thoughts with you and listen to your comments and suggestions.
Only through this kind of ongoing dialogue can we effectively combine our talents, expertise and energy, and work towards a more widely recognized and mature security analysis and risk management discipline.
Until then, please read on for much more news, analysis and insightful commentary...
Best regards,
Kerry
Kerry L. Thomas
President
Security Analysis and Risk Management Association
News
Michael Chertoff to Receive SARMA Award
SARMA's Board of Directors is pleased to announce that the Honorable Michael Chertoff, former Secretary of Homeland Security, will be the first recipient of the SARMA Excellence in Public Service Award.
The award will be presented to Secretary Chertoff at a reception in his honor on the evening of 15 June 2009, just prior to the opening of SARMA's 3rd Annual Conference on Security Analysis and Risk Management. This year's conference, entitled "New Perspectives on Security Risk Management," is scheduled to run from 16-18 June at George Mason University Law School in Arlington, VA.
The SARMA Excellence in Public Service Award was created to salute individuals who have been instrumental in raising the visibility of security risk management practices and principles, and in steadfastly affirming their critical role in providing the nation with the security it needs at a price it can afford.
As head of the Department of Homeland Security (DHS) from 2005 until earlier this year, Secretary Chertoff championed the use of security risk management principles in making critical homeland security resource-allocation decisions.
"Secretary Chertoff's efforts to make risk management a centerpiece of the management agenda at DHS set in motion both important changes in the way we allocate homeland security funding in this country, as well as ongoing efforts to mature the security risk management profession itself," said SARMA President Kerry Thomas.
A former federal prosecutor and appellate court judge who also oversaw the Criminal Division of the Justice Department, Secretary Chertoff has remained active in defense and homeland security issues since leaving government. In March of this year, he announced the formation of Chertoff Group, a risk management firm that advises corporate clients and governmental entities on a range of security matters. Among the firm's founding principals are Gen. Michael Hayden, former Director of the CIA and NSA, as well as several former high-ranking DHS officials.
In addition to the award ceremony for Secretary Chertoff, this year's conference will feature a keynote presentation by Peter Verga, Principal Deputy Under Secretary of Defense for Policy, as well as presentations by Tina Gabbrielli, Director of DHS's Office of Risk Management and Analysis, and Roger Cressey, President of Good Harbor Consulting Group and former Director for Transnational Threats on the National Security Council.
The Chertoff reception will be held in the main GMU Law School conference room from 5:00 pm to 7:00 pm on Monday 15 June. The cost is $40 for SARMA members and $50 for non-members, which includes two free drink coupons. To register for both the conference and the reception, please click here. To view the latest updates to the three-day conference agenda, click here.
Analysis
Protecting US Sports Facilities in the Post-9/11 Era: A Continuous Improvement Model for Sport Event Security Management
by Stacey A. Hall, Walter E. Cooper, Lou Marciani and James A. McGee
The Department of Homeland Security has identified major sporting events as high-value terrorist targets, due to their potential for mass casualties and catastrophic economic impact. Sport venues may also be utilized as multi-purpose facilities for music concerts, graduation ceremonies, disaster triage and evacuation shelters. The education and training of all key security personnel in such venues is therefore critical to ensure that effective security measures are implemented and that an all-hazards approach to emergency planning is employed.
Previous research has identified gaps in training and education of sport security management practices at the intercollegiate level. Specifically, there is a lack of: 1) effective incident command control; 2) emergency response preparedness; 3) evacuation capabilities; and 4) multi-agency collaboration and communication. According to one study, 62 percent of Division I athletic administrators reported having no formal training, education or certifications in event security management and requested assistance in conducting threat/risk assessments and training exercises.
The SESA System
Acknowledging the industry's need to educate and train sport security professionals and to provide consistency in security management practices, the National Center for Spectator Sports Safety and Security (NCS4) developed a continuous improvement process for the effective security management of sport venues -- the Sport Event Security Aware (SESA) system.
A panel of professional and academic sport security experts was tasked with identifying critical components of managing security at major sporting events. Panel members included retired FBI, CIA and Secret Service members with at least 20 years' experience, professional sport league security presidents and academic researchers with prior knowledge of sport security practices and DHS training.
The NCS4 panel of experts reached a consensus and presented the cyclical SESA continuous improvement system. The SESA system involves four key processes, including: 1) risk assessment; 2) training; 3) exercise; and 4) audit (see figure 1).
 Figure 1: Sport Event Security Aware (SESA) System
Sport facilities should conduct a risk assessment to include the following seven components: 1) identification of a sport event security action team; 2) characterization of assets; 3) threat assessment; 4) vulnerability assessment; 5) consequence evaluation; 6) risk assessment; and 7) consequence reduction proposals.
Effective personnel training is another key component in protecting critical infrastructure such as sports stadiums and arenas. The sport organization should provide adequate resources for the recruitment, training and evaluation of personnel responsible for venue security. The three organizational levels requiring training are multi-agency leadership, supervisory managers and security line staff.
Sport organizations should conduct exercises to test plans in place and enhance the staff's awareness of roles and responsibilities during an incident scenario.
An external audit team assesses the organization's sport event security aware system process, which includes a review and analysis of the following ratings: 1) threat assessment; 2) vulnerability analysis of critical assets; 3) consequence evaluation; and 4) risk assessment.
Pilot Project
From May 2007 to March 2008, NCS4 completed risk assessments of sport venues at seven public universities in the state of Mississippi. Common security shortfalls were identified in relation to emergency preparedness, perimeter control, physical protection systems, access control, credentialing, training and interoperable communications. The security gaps included:
- Lack of emergency response and evacuation plans specific to their sport venue.
- Inadequate searching of the venue prior to an event, inadequate lock-down procedures and inadequate searches of fans and their belongings.
- Concession areas not properly secured.
- Inadequate signage concerning searches and restricted items.
- Lack of CCTV coverage of the sport venue or surrounding areas.
- Storage of dangerous chemicals inside the sport venue.
- Lack of accountability for vendors and their vehicles, and no security notification system.
- Inadequate training for response to weapons of mass destruction attacks and insufficient communication capabilities between the university and local responders.
To address some of these gaps, consequence reduction proposals were provided to the pilot participants. They included:
- Identification of a Sport Event Security Assessment Team
A sports event security team must be identified to assess security operations and provide insight for future actions pertaining to the sport venue. This team should include local emergency responders and should practice and exercise emergency/evacuation plans in cooperation with multi-agency response services.
- Initiation of a responsible vendor program
Universities should consider initiating a responsible vendor program, setting the standards for vendor and contractor access to the campus and the venue. These groups would be required to meet minimum access standards relating to identification, insurance, background investigations and uniforms.
- University participation in an ISAC
Universities are encouraged to participate in a stadium security information sharing and analysis center (ISAC).
- Improving access control and physical security measures
Monthly safety/security meetings should be conducted to address past security shortfalls and prepare for upcoming events. Venue pass procedures need to be evaluated and attention paid to identification, accurate record-keeping, authorization areas, specific gate access, pass color coding/numbering, holographic images and sign-in procedures. Also, equipping the venue with an integrated security management system is critical.
- Development and exercising of emergency/evacuation plans
A business continuity plan needs to be developed so that athletic departments may continue operations in light of an incident. The university and the local county's emergency management agency team should develop an emergency response plan with associated annexes, such as evacuation plans, for the campus. These plans should specifically address conditions such as heavy traffic and large crowds on campus and in the community during a sporting event.
Stacey A. Hall, Walter E. Cooper, Lou Marciani and James A. McGee are Directors at the National Center for Spectator Sports Safety and Security.
Commentary
Breaking Through: Political Influences on Risk Management Strategies
by Jeffrey R. Sural
Having spent the last decade working on policy issues in the legislative and executive branches and the private sector, I've witnessed first-hand how politics and personal agendas detrimentally affect policymaking. But while few would disagree that rent-seeking and log-rolling can as a general rule prevent the government from achieving the best policy outcomes, the problem is often less apparent -- but just as severe -- in the world of risk management.
One reason may be the perception of risk assessment as a purely objective exercise. In many ways risk management strategy is a numbers game. Using risk assessment tools, computer models and the best intelligence, it is reasonable to expect that trained experts should be able to objectively prioritize risk. But this view leaves out other aspects of risk management, including risk communication, resource limitations and politics.
While I was at the Transportation Security Administration, Assistant Secretary Kip Hawley decided to change security procedures to allow scissors and small tools through airport security checkpoints. It was a risk-based decision balancing the likelihood of scissors being used to crash or commandeer a commercial aircraft against the security measures in place and whether resources could be better used focusing on other threats.
When Mr. Hawley began to explain this decision to Congress, one congressman proposed what he must have thought was a clever solution: increase TSA funding to allow it to continue to confiscate scissors at the checkpoint. Mr. Hawley responded that no matter how much money was available he wouldn't spend it on preventing scissors from boarding airplanes. In this situation one could argue that Mr. Hawley made an analytical decision. But he also made a decision about resources, which at its heart is political.
But at other times political decisions are opportunistic. In the immediate aftermath of September 11, for instance, most congressmen were so eager to show off their credentials as war hawks that they seldom questioned the expenditures requested by the various security agencies. In some cases, the same congressmen compounded the problem by demanding greater resources for their districts and cheerleading on behalf of local defense contractors and consulting companies.
As a result Congress passed laws like the Implementing Recommendations of the 9/11 Commission Act, guaranteeing every state in the union 0.365 percent of the amount appropriated for the State Homeland Security Grant Program & Urban Area Security Initiative. This amount -- equaling tens of millions of dollars per state -- does not take into account the probable risks to the state, its potential vulnerabilities and the consequences of an event. And it fails to consider the measured impact on previous spending, something both the Government Accountability Office and Congress have recognized.
Risk management professionals may look unfavorably at this kind of bottom-up planning. How can local efforts fit into a national risk framework if each individual community is setting its own priorities? And what about political decisions taking into account public perception and public acceptance? These influences may lead to the misdirection of resources to other community needs or to unreasonable mandates and outright prohibitions on certain activities in the name of security. Both represent extremes that are harmful to a robust risk management strategy.
The more pragmatic view is that we have no choice in the matter. Politics will influence almost any risk management program overseen by elected politicians and implemented by bureaucrats. Therefore, learning how to manage political motivation and needs is critical to effective risk management planning.
To achieve best risk management practices within the political environment, it's a good policy to use quantitative risk-assessment tools to the greatest extent possible. Justifying decisions with objective data will help ward off politically opportunistic decisions and provide well-meaning elected leaders with evidence to justify spending on proven security initiatives. If a politician can show constituents that he or she is keeping them safe while being fiscally responsible, that politician will be your strongest advocate and your biggest champion.
And, perhaps just as important, risk management professionals should allow for risk-informed decision making. Because political leaders must consider subjective factors when making decisions, including public perception of a particular risk, the risk assessment must be balanced with these factors. Risk management is part of the system; it should not expect to rise above it. As George Orwell said, "In our age there is no such thing as 'keeping out of politics.'"
Jeffrey R. Sural is an attorney with the Legislative & Public Policy Group at the law firm of Alston & Bird LLP. He is a former Deputy Assistant Secretary for Legislative Affairs at the Department of Homeland Security and Assistant Administrator at the Transportation Security Administration.
Key Reports
The Federal Bureau of Investigation's Terrorist Watchlist Nomination Practices
The Department of Justice's Office of the Inspector General issued an audit report in May which finds that the FBI "failed to nominate many subjects in the terrorism investigations that we sampled, did not nominate many others in a timely fashion, and did not update or remove watchlist records as required."
Review of Web Applications Security and Intrusion Detection in Air Traffic Control Systems
A May audit report from the Department of Transportation finds that "Web applications used in supporting ATC [air traffic control] systems operations are not properly secured to prevent attacks or unauthorized access. In addition, FAA has not established adequate intrusion-detection capability to monitor and detect potential cyber security incidents at ATC facilities."
DHS: Brief Documentary History of the Department of Homeland Security: 2001-2008
This organizational autobiography "tells the story of the creation and the organizational history of the first five years of the Department of Homeland Security through its founding documents. These documents include legislation, executive orders, commission reports and recommendations, reorganization plans, presidential directives, speeches, and organization charts."
Job Board
Risk Analyst: ABS Consulting
General Summary:
Perform research and analysis to solve problems in homeland security risk management in support of DHS clients. Tasks focus primarily on methodology development, metrics design, qualitative and quantitative analysis, modeling and simulation. Services client needs as necessary and coordinates the successful completion of tasks and projects to client specifications. Performs other internal assignments as necessary to meet business objectives and conform to ABS quality standards and procedures. Builds pragmatic and creative solutions to complex technical problems. Active security clearance required.
Principal Duties and Responsibilities:
- Handles client requests in a professional, timely, and accurate manner.
- Manages small projects in a manner consistent with ABS Group / Client standards and procedures.
- Performs specific technical tasks on specific projects as directed by applicable program managers.
- Develops creative, technically sound solutions to problems in homeland security risk management.
- Presents analysis and technical findings in clear, accessible, and concise prose.
- Produces high-quality, client ready deliverables for tasks and ad hoc requests with minimal oversight.
Minimum Knowledge, Skills, and Abilities Required
- Must hold a bachelor's degree in a homeland security-related field, or bring at least one year of practical experience in a homeland security-related field along with a Bachelor's degree in a related technical discipline. Master's degree in a homeland security-related field preferred.
- Must be technically competent in homeland security risk analysis, methods and research design.
- Must possess strong written and verbal communications skills.
Additional Knowledge, Skills, and Abilities
- Advanced mathematics and statistics.
- Program evaluation and metrics design.
For more information on applying for this position, please contact Micah McCutchan via email or at (703) 682-7373.