THE RISK COMMUNICATOR

The Monthly Newsletter of the
Security Analysis and Risk Management Association

December 2010

In This Issue
Profile: Integration Innovation (i3)
Pohl, Link et al: A Close Look at RAMPART
Reports: FBI Information Sharing, US Marshals Critiqued, and More
Job Board: Centra Technology, SRA International, and Other Career Opportunities
Thanks to our Gold-Level Corporate Patron

Write for Us
Have you seen a story you would like to see included in The Risk Communicator? Do you have a research project you want to share with your colleagues? If so, please contact the newsletter staff at newsletter@sarma.org.
Legal Matters
Copyright 2010
SARMA
All Rights Reserved

The views expressed in The Risk Communicator reflect the views of their authors, and do not necessarily reflect the views of SARMA, the US Government or the employers or clients of the contributors.
President's Corner

Dear Fellow SARMA Members,

It seems hard to believe that another year has passed, but the calendar and cold weather say otherwise. Looking back, 2010 has certainly been a year filled with reminders of the myriad risks we face in today's world. The year opened on the heels of the attempted attack on a Northwest Airlines flight bound for Detroit, Michigan. We have since seen a massive earthquake devastate the island nation of Haiti, record floods inflict significant damage on the city of Nashville, and a failed attempt to bomb Times Square in New York City. Now, the year is ending much as it began, with bomb plots targeting U.S.-bound aircraft and a Christmas tree lighting ceremony in Portland, Oregon. 

There are important reminders in these events. The first is that the challenges we face are not one-dimensional. It is therefore critical that we continue to view security risk through an all-hazards prism. Likewise, since these risks can never be fully eliminated, addressing them in a manner that is both rational and affordable requires a sound risk management strategy that focuses on enhanced societal resilience as the outcome. Finally, achieving this in a meaningful way requires the alignment of key national policies and programs, as well as a convergence of public- and private-sector homeland security risk management interests. 

Throughout the year, SARMA has worked hard to keep the spotlight on these issues, as well as continue to grow and mature the organization and advance the discipline of security risk management. Some highlights from the past year include:
  • Conducting three highly successful events: 1) Relevance of Risk Management and Information Sharing to Homeland Security, March 10; 2) Achieving Enterprise Resilience, June 17; and 3) the 4th Annual Conference October 5-7;
  • Providing input to the Quadrennial Homeland Security Review and the Homeland Security National Risk Assessment process;
  • Implementation of revised Articles of Incorporation and Bylaws;
  • Expansion of the Board of Directors from nine to 11 Directors;
  • Establishment of a new, more robust committee structure;
  • Completion of SARMA's first Strategic Plan to guide the future of the Association;
  • Expansion of the SARMA LinkedIn page to over 400 active users; and
  • Establishment of a SARMA Facebook page.
In the coming weeks and months, I hope to hear your thoughts on ways that SARMA can expand on these efforts in 2011. Some areas where I believe we can start include:
  • Establishing the foundations of a professional risk training and certification program;
  • Expanding the scope of our current university partnerships;
  • Preparing for our fifth annual conference, and for additional events throughout 2011; and
  • Establishing a government advisory panel to support SARMA's growing efforts to meet federal executive and legislative branch requirements for unbiased advice and opinions on security risk management issues.
While these represent important steps toward achieving the goals and objectives identified in the Association's new Strategic Plan, they cannot be accomplished without the necessary funding and active involvement of our membership. As a largely volunteer organization, both are critical. Therefore, in the coming year, we will redouble our efforts to increase corporate sponsorships and seek other sources of funding to ensure the Association's financial stability. Likewise, we must fill key committee vacancies, including the chairmanships of our Conferences & Events Committee and Membership & Outreach Committee. As we enter 2011, I ask each of you to consider ways you can contribute.

Wishing you and your families a safe and enjoyable holiday season, and a prosperous new year!

Kerry

Kerry L. Thomas
President

Corporate Patron Profile
Integration Innovation, Inc. (i3)

Founded in 2007, i3 is a rapidly growing small business headquartered in Huntsville, Alabama. Located in five branch offices and 20 customer/project sites worldwide, the firm's 150+ dedicated and talented employees offer a diverse set of technical specialties and capabilities. Its technical services are organized into five business units:
  • Systems and Software Engineering Division is a recognized provider of analytical and engineering services for Government and Commercial clients, including systems architecture, software development and engineering, training systems development and support, business support services, L-V-C modeling and simulation, anti-terrorism and security training, systems integration, robotic systems development and UXO/range clearance operations.
  • IT and Commercial Services are provided through i3's commercial data center subsidiary Servercorps in partnership with the University of South Alabama. Servercorps services include the full range of IT managed hosting, co-location and IT services support. 
  • Operations and Training Group emphasizes warfighter support in functional mission areas such as fixed and rotary wing flight training, joint fires training, space operations, homeland defense and theater security cooperation.
  • Tactical C4 Services support all aspects of the Army's battle command modernization programs, including software, hardware, capability set, Future Combat System, and software blocking. These programs support the Army's C4ISR development and test and evaluation initiatives.
  • International Security Services, also known as Men of Valor (MOV), provide highly specialized security services and training to government, non-government, commercial, and private customers. The nucleus of MOV is made up of former American and Filipino special operations personnel with extensive weapons and explosives skills, accompanied by a full complement of professional, administrative, logistical, mechanical and construction capabilities to enable any security effort.
Risk management and security analysis efforts at i3 are centered in its Integrated Defense Technologies Office located in Panama City, FL. Drawing on their vast experience with military security (including Joint Staff, Air Force, and Navy anti-terrorism programs, security engineering, USAF Security Forces and ground combat training), these professionals have developed an innovative Integrated Defense Risk Management Process (IDRMP) methodology and supporting software tool called ForcePRO. Now implemented in Air Force Instruction 31-101, Integrated Defense, IDRMP and ForcePRO are being used by USAF security planners to identify risks and develop effective risk mitigation strategies.

Simple in concept, ForcePRO was field tested at over 50 Air Force installations in the U.S., Europe and Southwest Asia. The assessment meets Defense Department requirements for security risk assessments, is highly flexible and enables security analysts to combine volumes of information into actionable, understandable and defendable courses of action to reduce risks and measurably improve security. The success of IDRMP and ForcePRO has attracted the attention of the Navy, which plans to implement a similar program for U.S. Navy ashore installations. The Army hopes to also evaluate the tool at a demonstration project in the very near future.

For more information about i3, please visit the firm's website.
Insight

Protecting Federal Buildings: A Close Look at RAMPART
By Dr. Phillip Pohl, Madison Link, Robert Browitt, and Bobby Deitch

RAMPART (Risk Assessment Method - Property Analysis and Ranking Tool) is a software tool for performing a screening-level risk assessment on a federal building. It was developed beginning in 1998 in response to the 1995 bombing of the Alfred P. Murrah Building in Oklahoma City and the damage caused by Hurricane Andrew in 1992. RAMPART asks interview questions that most building managers could answer or obtain answers to. Built in are large databases on crime, natural hazards, and federal agencies, along with expert assessments of how various construction types respond to the hazards. After the interview is complete, RAMPART uses the databases and user responses to determine the building's relative level of risk of death, injury, mission loss, property loss, contents loss, use loss and first responder loss for each of the following hazards: inside crime, outside crime, earthquake, flood, fire, hurricane, infrastructure loss, terrorism, tornado and winter storm.

In 2009-2010, the DHS-led Interagency Security Committee (ISC) completed a set of standards for federal building security based on design basis threats (DBTs) for 29 specific hazards. Initially, federal buildings were divided into five Federal Security Levels (FSLs) to determine their protection requirements. The long term goal, however, is to perform a sufficient risk assessment on every federal building to determine threat levels for each of the 29 hazards. The Level of Protection (LOP) can then be adjusted in a building-specific manner to meet the threat. These security requirements are intended to make sure that each building has reasonable protection against the hazards it faces, while also ensuring that no building spends an excessive amount of resources.

RAMPART V. 5.0 automates the ISC's process for determining the FSL and required LOPs, in addition to performing the original risk assessment. For buildings that are not constructed or currently leased by the government, RAMPART 5.0 produces a list of ISC requirements that matches the level of hazard. In buildings that are constructed and inhabited, it compares the building's design and security to the ISC requirements. It highlights all cases in which the building is below the minimum requirement. If the building is above requirements and reducing the protective measures already in place could feasibly save money, it brings this to the user's attention.

FSL Determination

The "FSL Determination: Baseline" screen asks specific ISC questions about mission, symbolic value, population, size and potential threat to tenants. (See image below.) All questions must be answered before the software will allow the user to move to the next screen ("FSL Determination: Intangibles"). In accordance with the ISC's process, the user may raise or lower the FSL by one level or assign a Level 5 score. The user is required to document the intangible factors by typing into a text box, and the text becomes part of the report.

[Image: RAMPART "FSL Determination: Baseline" screen]

Identify and Assess Risks

The largest segment of the interview, with more than 160 questions for a typical existing building, is devoted to identifying and assessing risks. It may take four to six hours for a first-time user to answer the questions, which are divided among several tabs. These questions may be answered in any order; however, the software will not calculate scores or move to the "Risks = Baseline LOP?" screen until all questions on all of the "Identify and Assess Risks" tabs are answered, including:
  • Threat Indicators asks questions to determine some of the threats the building faces.
  • Tenants asks questions about the government departments and agencies occupying the building and about any non-federal uses of the building.
  • Occupancy Patterns asks questions about how many people use the building and how often and for how long they are there.
  • Contents asks questions about the contents of the building, exclusive of the real property.
  • Real Property asks questions about the value -- both monetary and intangible -- of the real property, exclusive of the contents.
  • Building Construction asks questions about the materials and design of the building's structure.
  • Building Security asks questions about the design of the building's security systems. This is by far the largest set of questions in the interview.
  • Disaster Resilience asks about backup systems the building has for vital support infrastructure.
Risk Calculations

The most important scores come in the "Risks = LOP?" step after the interview is complete. These include the hazard-specific threat levels and the assessed existing Level of Protection for each of the 29 ISC hazards. The hazard-specific threats are computed relative to the DBTs and normalized to the 1 to 5 values that are used in the ISC's approach.



Clicking on "Other Charts" from the "Risks = LOP?" step displays the building's risks of death, injury, mission loss, content loss, property loss, use loss and first responder loss for each of the following hazards: inside and outside crime, earthquake, flood, fire, hurricane, infrastructure loss, terrorism, tornado and winter storm.

Output

Several options are available for printing some or all of the RAMPART questions and results. The user can also click "Export Scores" to save the chart values as a .csv (comma-separated values) file, which can be imported and recognized by a wide range of software.

The report that is automatically generated is populated with the results of the FSL and risk calculations along with the mitigative steps necessary to protect the facility accordingly.

Status

The RAMPART software is based on the .NET framework and runs on all Windows operating systems. It is being tested by multiple government agencies and is being validated by DHS for compliant use in meeting the ISC standards. All indications are that it is working accurately and demonstrates the ease of use necessary for continued adoption in overall facility security.

Phil Pohl is a member of the technical staff at Sandia National Laboratories. Madison Link is vice president of Ducks in a Row, Inc. Robert Browitt is president of Architrave, Inc. Bobby Deitch is the Program Manager with the General Services Administration.

Key Reports

FBI: National Information Sharing Strategy

A new strategy document from the FBI "provides the foundation to shape and implement information sharing initiatives with the FBI's many mission partners, including federal agencies, state, local and tribal officials, foreign government counterparts, and private sector stakeholders."


DHS: Assessment of Federal Emergency Management Agency's Emergency Support Function Roles and Responsibilities

A new report from DHS's inspector general finds that FEMA "generally has fulfilled its Emergency Support Function roles and responsibilities" but notes that it should "improve its coordination with stakeholders and its operational readiness" and is not currently "conducting long-term recovery exercises."


DOJ: Audit of the United States Marshals Service's Oversight of its Judicial Facilities Security Program

An audit report by the Department of Justice's inspector general finds significant weaknesses in the US Marshals Service's ability to protect court facilities, including inability by multiple district offices to detect mock bombs and fraudulent contracting activities.

Jobs

ABS Consulting: Senior Cyber Security Consultant

ABS Consulting is seeking qualified individuals to provide chemical security analyses of vulnerability assessments and security plans for chemical facilities regulated by the Department of Homeland Security.


ABS Consulting: Senior Chemical Security Consultant

ABS Consulting is seeking qualified individuals to provide chemical security analyses of vulnerability assessments and security plans for chemical facilities regulated by the Department of Homeland Security.


ABS Consulting: Chemical Facility Security Consultant

ABS Consulting is seeking talented individuals to provide physical security, chemical security, and/or cyber security analyses of vulnerability assessments and security plans for chemical facilities regulated by the Department of Homeland Security.


ABS Consulting: Senior Physical Security Consultant

ABS Consulting is seeking qualified individuals to provide physical security analyses of vulnerability assessments and security plans for chemical facilities regulated by the Department of Homeland Security. 


NMR Consulting: Senior Risk Officer


NMR Consulting is seeking candidates for a position responsible for developing and managing a risk management program in support of a large government contract involving infrastructure upgrades and enhancements at Ft. Meade, Maryland.


NMR Consulting: Senior Risk Officer

NMR Consulting is seeking candidates for a position responsible for moving a project from Northern Virginia to the Ft. Meade, Maryland area. The successful applicant may also support efforts on other contracts.


SRA: Security Risk Analyst Position


SRA International Inc. is seeking candidates for a security risk analyst position. The successful candidate will use their experience to plan, organize and carry out analytical studies of complex security risk management problems, as well as plan and implement potential technical or programmatic solutions to those problems.



Corporate Security Analyst Position in Switzerland

SMR Group, an international executive search firm whose global practice is focused exclusively on professional- and executive-level corporate security positions, is seeking candidates for the position of Corporate Security Analyst, located in Switzerland. The Corporate Security Analyst will be responsible for protecting business operations and associates throughout the organization from external threats by the collection, analysis and dissemination of strategic and tactical threat assessments, and production of both analytical and intelligence products designed to support investigations and protective security operations.


Risk Analyst Position With Centra Technology

Arlington, VA-based CENTRA Technology, Inc. is seeking talented professionals to provide technical and national security analysis for the U.S. Government, especially in the area of homeland security risk analysis. Successful candidates will perform security risk analysis; threat, vulnerability, and consequence analysis supporting risk analysis; and security risk management. They also will develop, assess, document, institutionalize, and apply risk management processes and methodologies to inform policy and programmatic decisions.
