THE RISK COMMUNICATOR

The Monthly Newsletter of the
Security Analysis and Risk Management Association

July 2009

In This Issue
Progress on Common Lexicon
Moore: Risk Management in the Chemical Sector
Key Reports: Designing Safe Embassies, Presidential Succession, and More
Job Board: ABS Seeks Risk Analyst
Write for Us
Have you seen a story you would like to see included in The Risk Communicator? Do you have a research project you want to share with your colleagues? If so, please contact the newsletter staff at newsletter@sarma.org.
Legal Matters

Copyright 2009 SARMA. All Rights Reserved.

The views expressed in The Risk Communicator reflect the views of their authors, and do not necessarily reflect the views of SARMA, the US Government or the employers or clients of the contributors.
President's Corner

Dear Fellow SARMA Members,

I hope each of you is enjoying your summer and the many pleasant pastimes it has to offer! Personally, I was fortunate enough to spend Independence Day in Boston, where I had the opportunity to visit the U.S.S. Constitution, the world's oldest commissioned warship. As I stood on the decks of this historic ship, I found myself thinking that here was perhaps one of the earliest examples of a public policy decision in America aimed at mitigating the risk of terrorism.
 
Built in 1797, the Constitution represented a key part of America's efforts to counter the risk to U.S.-flagged merchant shipping and the national economy posed by the Barbary pirates. While it is no small irony that the U.S. Navy and the navies of many other nations are currently engaged in addressing similar problems off the Horn of Africa more than 200 years later, it is also worth noting that there was no measured way for these early decision-makers to consider the costs and benefits of undertaking the costly warship construction program that produced the Constitution. While their decision ultimately proved to be the right one, similar challenges persist for policy-makers to this day.

In this regard, SARMA fulfills a unique and important role. As the only association dedicated to the profession of security risk management, SARMA provides a source of unbiased information for our nation's leaders who, especially in these challenging economic times, are charged with making tough choices about where and how to invest in homeland security. In addition, the association serves as a vehicle for the professional development of those who contribute to this process.  

In its first years, SARMA has already had an impact in both of these areas.  Some of the key accomplishments of the past year include:
  • Supporting the development of a draft homeland security presidential directive on risk management;
  • Providing a position paper to the Obama transition team on ways to enhance federal security risk management efforts;
  • Providing the necessary resources to expand the common knowledge base project;
  • Updating the association's bylaws and articles of incorporation;
  • Implementing a robust new committee structure to broaden the base of participation in SARMA's operations and recruiting respected members of the profession to serve in key roles;
  • Hiring the association's first executive director and its first newsletter editor;
  • Enhancing connectivity with SARMA's members by increasing the frequency of the association's newsletter to a monthly publication and recruiting a permanent administrator for the SARMA LinkedIn site;
  • Developing close ties with other like-minded professional associations, such as ASIS International, the OPSEC Professionals Society (OPS) and the Operations Security Professional's Association (OSPA);
  • Continuing to support university programs, such as Penn State University's Security and Risk Analysis Club;
  • Continuing to engage with other conferences to broaden SARMA's exposure; and
  • Developing new relationships with key elements of the Department of Homeland Security.
In the coming weeks and months, I hope to hear from you about your thoughts on ways SARMA can expand on these gains. Some initial ideas include:
  • Finalizing the SARMA strategic plan;
  • Increasing our fundraising efforts;
  • Reviewing SARMA's IT infrastructure and revising as necessary to more effectively support SARMA's mission and operational needs;
  • Updating and revamping the current web site, along with hiring a web developer to support these activities;
  • Completing formal affiliations with OPS and OSPA and further developing our relationship with ASIS;
  • Establishing a professional certification program;
  • Developing additional university partnerships;
  • Implementing an ongoing calendar of events; and
  • Establishing a government advisory panel to support our efforts to provide DHS and other federal agencies with unbiased advice and opinions.
As you enjoy this issue of The Risk Communicator, please also take a moment to consider ways in which you can contribute -- both to the future of SARMA as well as to the profession and the policy decisions it helps support. In this regard, one thing is certain: managing security risks effectively and affordably has only become more relevant since that day in 1797 when the U.S.S. Constitution slid down the ways to begin her long life of service.

Warm regards,
Kerry
 
Kerry L. Thomas
President
Security Analysis and Risk Management Association
News

Conference Report: Focus Groups Push Common Lexicon Forward
by Andrew Harter

Threat and vulnerability remain complicated issues, but thanks to the hard work and insight of its members at the third annual conference, SARMA's common lexicon project has made great progress on creating consensus on their exact meanings.

The SARMA common lexicon project works to find common meaning among state, federal, military, homeland security and academic practitioners of security risk management. The goal is to develop voluntary consensus standards over time that meet all the reputability guidelines that such standards require, creating a baseline that can be referenced by practitioners across the field.

The focus for this year's conference effort was on using concept mapping methodology to decompose definitions from across the community -- from DOD joint publications to the DHS Risk Lexicon -- into common concepts and elements. This allowed the focus groups to discuss the terms at a foundational level, identify their core concepts and highlight the changing nature of terminology over time, including the problems faced by the community in adapting older adversarial-based terms and usage to an all-hazards construct.

Brian Moon, a professional concept mapping consultant, facilitated the process, while the focus groups consisted of professionals with backgrounds in the Defense Intelligence Agency, Air Force, Federal Bureau of Investigation, and Department of Homeland Security.

Full concept maps are available in the common lexicon pages of SARMApedia, along with verbiage for additional subsidiary concepts currently being drafted as a result of the sessions. 

After lengthy and spirited but collegial discussion, the conference groups agreed on the following definitions:
  • Threat is the potential to cause harm or loss to an asset.  Potential is measured in terms of capability and intent.
  • Vulnerability is a characteristic of an asset that renders it susceptible to harm or loss.
Several next steps lie ahead for SARMA's common lexicon project. First, SARMA continues to support lexicon development efforts within academia and federal agencies. Second, SARMA continues to gather and map more definitions and terms and hopes to convene additional focus groups in the next year to flesh them out.

Third, SARMA will continue to document and publish the results of focus groups both on SARMApedia and in additional sources to make them publicly available to risk practitioners. Finally, as the association grows in size, SARMA will present the definitions resulting from the focus group efforts to the membership for a voluntary consensus standard effort that will help certify the utility of the arrived-at definitions to the community.  

SARMA calls on all of its members to take an active part in this process. Add definitions from your own sources and usage to ensure that they are included in the concept mapping process and encyclopedic reference material. Add your thoughts to the discussion pages for each term and engage in debate with others in the community. Sign up for the project committee and help guide and develop this initiative into its future and final stages. And if you have any questions, please do not hesitate to contact me.

Andrew Harter is the chairman of SARMA's Common Knowledge Base Committee and currently works for the Department of Defense. He can be reached at andrew.harter@sarma.org.
Is Your Organization Prepared for the Unexpected?

Make your organization and supply chain more resilient by learning how to implement and conduct internal audits according to the ASIS Organizational Resilience American National Standard: Security, Preparedness and Continuity Management Systems (ASIS SPC.1-2009).

This intensive, three-day course is designed for any organization that needs to establish, implement, maintain and improve an organizational resilience management system. Two dates are available: 15-17 July 2009 in Alexandria, VA; and 29-31 July 2009 in San Francisco, CA.

The ASIS SPC.1-2009 standard is currently under consideration for inclusion in the Department of Homeland Security's PS-Prep, and upon successful completion of the course you will receive an ASIS certificate acknowledging your ability to implement and internally audit against this standard.

More information on the Alexandria course is available here. Details about the San Francisco event can be found here.
Local Governments Back Off Emergency Alert Systems

An increasing number of cities are changing their minds about alert systems that notify residents by phone and email about pending and ongoing emergencies, USA Today reported.

Such systems -- which became extremely popular after the terrorist attacks of 2001 and again after the disastrous evacuation of New Orleans following Hurricane Katrina -- have since come under criticism for their expense and unreliability. In one case from last month in Colorado, for instance, 100,000 Fort Collins residents who should have been warned of an incoming tornado never got the message.

"Of course there's going to be hiccups along the way," a city official told the paper, noting that the tornado never did materialize and that a joint effort is underway by police authorities and the software company that installed the system to understand and fix what went wrong.

While not expensive by the standards of the broader homeland security industry, alert systems like the one in Fort Collins cost $95,000 a year to operate -- no small sum when the system fails at the moment it is most needed. Municipalities say they want cell phone companies to pick up the tab as part of their duty to provide emergency communications, but most have been resistant, wanting to avoid both the cost and the potential liability if the system fails.

Both the Federal Emergency Management Agency and the Federal Communications Commission are currently studying the matter, USA Today reports, and many states and municipalities are now holding off on signing new alert system contracts until federal regulators have weighed in. In the meantime, they are relying on more old-fashioned techniques. "We can't use technology as an excuse to forget the basics: knocking on people's doors, sending police cars down the road with a loudspeaker," said Kelly Huston, assistant secretary of the California Emergency Management Agency.
Analysis
Making Risk Decisions in the Chemical Sector
by David A. Moore

Prior to September 11th, 2001, owners of critical infrastructure in the chemical sector focused almost exclusively on preventing accidents. The common perception was that terrorism risks were managed adequately by law enforcement authorities and that the threat of a terrorist attack, particularly on American chemical facilities, was remote.

New federal regulations focused on the chemical industry have since forced it to take a serious look at terrorism as a major threat. In 2006, the Department of Homeland Security determined that "high risk chemical sites" needed to be regulated to ensure the risks were properly addressed by the entire sector, and in 2007 the Chemical Facility Anti-Terrorism Standards (CFATS) regulation came into law.

Together, these two legal regimes created a need for professionals able to measure and manage risk in a highly specialized environment. Experts at DHS must determine how to judge the acceptability of security plans submitted by industry for review, and those working for industry must determine how best to meet those expectations and manage any other critical risks.
 
CFATS Background

DHS defined a linear process for screening facilities to determine the need to participate in CFATS, define their security risk, and then approve their site security plans. 

The CFATS regulation requires sites which possess listed chemicals of interest (COIs) at or above a specific threshold quantity to complete a screening exercise (the Chemical Security Assessment Tool [CSAT] Top-Screen). The information collected through the top-screen allows DHS to issue a preliminary determination of risk. Facilities identified as "high risk" through the top-screen process are then required to prepare and submit a security vulnerability assessment (SVA), which identifies specific assets of concern to DHS and analyzes security vulnerabilities. It also provides information to DHS to develop a consequence estimate. This data is analyzed by DHS and a resulting tier determination made based on their analysis of the degree of risk of the facility with regard only to the COIs and assets in question.

The benefit of this approach is that sites are filtered on a risk basis using a rational process, so only the most significant national risks are considered. The disadvantage is that this process takes considerable time to implement, and the nature of the process is that the asset owner gets limited feedback in return. The actual basis of the tier ranking, including the specific consequences assumed, is not shared with the facility owner. This is contrary to typical security vulnerability assessment practice where such information is used to inform the asset owner and allow for risk decision-making to determine the best risk management approach. In fact, under the CFATS process the asset owner is unaware of:
  • How DHS is analyzing the information provided by facilities;
  • How tiering decisions are being made; and
  • How the information submitted to DHS relates to actual security posture or potential gaps in security at the facility level.
Much of this is done to protect national security interests. The CSAT SVA, unlike many industry SVA methods, is mostly a data collection step for DHS and does not provide complete feedback on vulnerabilities and consequences. Nor does it assist in the identification of additional security needs or provide the asset owner with information for planning and executing an overall site security plan with a coherent resource estimate.
(Figure 1: The CFATS SVA and SSP approach vs. a Comprehensive Security Assessment)

Since many facilities will require security upgrades to meet DHS-mandated risk-based performance standards (RBPS), it is crucial that the investment in security systems, equipment and layers of protection meet the needs of DHS as well as the full range of critical assets, threats and vulnerabilities that a security manager needs to understand and address. For CFATS compliance and general chemical facility security, a detailed review of critical assets, vulnerabilities and existing security countermeasures (which will also be needed for comparison to the RBPS) is needed. A thorough gap analysis should identify:
  • Differences in CFATS critical assets as compared to all processes and chemical storage areas or shipping areas that may be critical due to safety, replacement cost or business impact;
  • Specific vulnerabilities as compared to the RBPS;
  • Categories of security upgrades that will be required for CFATS compliance (i.e., restrict area perimeter, secure site assets, etc.);
  • CFATS security upgrades that address the full range of critical assets, threats and vulnerabilities not explicitly considered under CFATS;
  • Additional security investments required to meet the desired overall security posture of the facility;
  • Optimization of the suite of security upgrades to meet both DHS and facility security goals.
Three features of the RBPS regime shape this analysis:
  • The level of performance necessary to satisfy each RBPS increases with the facility's tier (Tier 1 is the highest, Tier 4 is the lowest);
  • Each facility must meet each RBPS applicable to the COI and security issues at the facility; and
  • Facilities may implement layered security measures that in combination appropriately address the vulnerabilities and RBPS.
Lessons Learned

Given the limitations of DHS's CFATS approach, facilities must define their own risk approach while considering their minimum requirements. It is prudent to consider additional security issues so that the total security solution is not limited to anti-terrorism issues. The linear design of the CSAT tools used for CFATS compliance, along with the confidential nature of the DHS assessment of risk, may constrain the asset owner. Standard industry methodologies for conducting security vulnerability analyses may help produce a more informed basis for risk decisions and for justifying compliance with the CFATS requirements.

David A. Moore is president and CEO of the AcuTech Consulting Group.
Key Reports
AIA: Design For Diplomacy

This new report from the American Institute of Architects argues that "integrating security and design excellence is an achievable goal" for American embassies overseas, and lays out the conditions for "a new generation of secure, high performance embassies and diplomatic facilities that support the conduct of American diplomacy."


Rockefeller Institute: The Role of the Federal Government in Megadisasters

In this June report from the Rockefeller Institute of Government, researchers Richard P. Nathan and Marc Landy consider legislation "authorizing the appointment by the president of an officer-in-charge with preauthorized discretionary funding [and] empowered to assemble and deploy experts, including experts seconded from federal agencies ... when megadisasters like [Hurricane Katrina] occur."


Continuity of Government Commission: Presidential Succession

The second report from the Continuity of Government Commission "illustrates the weaknesses in the existing system of presidential succession, ... goes on to explain the constitutional and legislative basis for succession to the presidency, and provides seven specific recommendations for how the flaws in the current succession process may be fixed."

Job Board
Risk Analyst: ABS Consulting

General Summary:

Perform research and analysis to solve problems in homeland security risk management in support of DHS clients. Tasks focus primarily on methodology development, metrics design, qualitative and quantitative analysis, modeling and simulation. Serves client needs as necessary and coordinates the successful completion of tasks and projects to client specifications. Performs other internal assignments as necessary to meet business objectives and conform to ABS quality standards and procedures. Builds pragmatic and creative solutions to complex technical problems. Active security clearance required.

Principal Duties and Responsibilities:
  • Handles client requests in a professional, timely, and accurate manner.
  • Manages small projects in a manner consistent with ABS Group / Client standards and procedures.
  • Performs specific technical tasks on specific projects as directed by applicable program managers.
  • Develops creative, technically sound solutions to problems in homeland security risk management.
  • Presents analysis and technical findings in clear, accessible, and concise prose.
  • Produces high-quality, client-ready deliverables for tasks and ad hoc requests with minimal oversight.
Minimum Knowledge, Skills, and Abilities Required
  • Must hold a bachelor's degree in a homeland security-related field, or bring at least one year of practical experience in a homeland security-related field along with a Bachelor's degree in a related technical discipline. Master's degree in a homeland security-related field preferred.
  • Must be technically competent in homeland security risk analysis, methods and research design.
  • Must possess strong written and verbal communications skills.
Additional Knowledge, Skills, and Abilities
  • Modeling and simulation.
  • Advanced mathematics and statistics.
  • Program evaluation and metrics design.
  • Knowledge of terrorism.
For more information on applying for this position, please contact Micah McCutchan via email or at (703) 682-7373.