ASIS International 208 NewsMike Hurst – Joint Editor Mike entered the security industry in 1998...

INSIDE THIS ISSUE:

Top security threats 1Committee Members 2Diary 3Community Support 4Summer Seminar 5Hotles in Russia 6Terrorism 8UK Intelligence 11BSI Information 12ASIS Standards 13Convergence 13Europe 14oops! 15

www.asis.org.uk

ASIS International

SUMMER 2010208 News

What are the top security threatsfacing the research sector?

ASIS Newsletter of the Year – Winner 2008, Honourable Mention 2006, Winner 2003

Because we all view securitydifferently and face differentthreats it is important for

organisations to carry some formalrisk assessment to identify the keyissues and gaps in the overall securityplan. Typically we see that there is alack of security awareness and wherepolicies are in place the staff areeither unaware of them or have notbeen trained in their effective use.Following a thorough review it isessential that key policies are put inplace and enforced, staff policies,network security and access to dataand facilities are some exampleswhich need to run alongside anappropriate communication andtraining process. But, where do youstart?

Agenda decided to carry out anumber of research security surveysto assess how different groups withinthe research sector viewed security.The survey was developed after areview to establish the top ten threatsfor the survey using information fromthe Centre for the Protection ofNational Infrastructure, MI5guidelines, Special Branch Police, theISO27001 Information ManagementSecurity System and the Secured byDesign Police accreditation. From thereview a list of ten security concernswas developed and a surveygenerated. In no order of priority theten primary potential threats wereidentified as:

Top Ten Security Threats • Own Staff/Agencies. Who has

access to our facilities? Are ourstaff and contractors staffedscreened?

• Data/Information Loss. Are weconfident that our data and ourdata held by third parties aresecure?

• Extremism/Terrorism. Howconcerned are we by the terrorist orextremist threats?

• Contingency/Business ContinuityPlanning. Have we got in placetested and updated contingencyplans?

• Physical Security/Access. Howconfident are we that our accesscontrols and physical securitymeasures are robust?

• Theft/Fraud. How concerned are weabout theft and fraud issues?

• Lack of Security Awareness. Areemployees security aware or ourweakest security link?

• Data/Information Storage andDisposal. Are we confident thataccess to sensitive data iscontrolled?

• Lack of Training/Competency. Arewe sure that our staff know what todo?

• Regulatory Compliance. Breaches ofthe Data Protection Act areincreasing, but what aboutemploying illegal workers or theinvestigation following an infiltrationor allegations?

The delegates at six researchconferences during 2008 and 2009were asked to rank the ten threatsindicated by giving a score of 10 tothe highest threat, 9 for the next andso one until finally giving 1 for theleast concerning threat.

In each case the survey exercisewas conducted as a part of a

Continued on page 4 . . .

ESSENTIALINFORMATIONJOINT EDITOR – Helene Carlsson (07802 864485)[email protected]

JOINT EDITOR – Mike Hurst(0845 644 6893)[email protected]

ADVERTISING – Graham Bassett (07961 123763);[email protected]

ADMIN. MANAGER – Jude Awdry,ASIS UK Chapter 208, PO Box 208,Princes Risborough, HP27 0YR.Tel: 01494 488599; Fax: 01494 488590;[email protected].

MEMBERSHIP ENQUIRIES – Nigel Flower, CPP (01276 684709 - [email protected])

PUBLISHERS – The 208 Newsletter ispublished by Chapter 208 of ASISInternational.

FREQUENCY – The 208 Newsletter ispublished four times per year, Spring,Summer, Autumn & Winter – pleasecontact the editorial team for deadlines.

IN GENERAL – The 208 Newsletterwelcomes articles & photographs, butwhile every care is taken, cannot be heldresponsible for any loss or damageincurred while in transit or in ourpossession. Please send all material tothe editors. The Newsletter may publisharticles in which the views expressed bythe author(s) are not necessarily those ofASIS.

ISSN N0 – 1350-4045

www.asis.org.ukSUMMER 20102

CHAIRMAN’S NOTES | EDITORIAL TEAM

The new look and energised committee, yourcommittee, have been in place less than nine monthsand have already achieved changes in the way weoperate and function as a Chapter. These changeshave not gone unnoticed by ASIS leadership in Europeand the US.

The Strategic committee working under the directionof Mike Hurst and the Operational committee lead byGraham Bassett are all working on multifarious projectsbut they all have one major focus and that is to raise theprofile of the UK Chapter, attracting new members whilstproviding a first class service and maintaining existingmembership.

As a committee we are able to plan formal andinformal events, obtain first classspeakers, excitingvenues, but all this hard work needs your support asmembers. We realise many of you may live and workoutside London and with diminishing budgets hitting noncore activities, it is not easy to commit yourselves to

attend one of the 4 annual formal ASIS UK Chaptermeetings. If all members attended just one meeting ayear we would see over 150+ members at each meeting.

We can assure you every effort is being made toensure we do not clash with other organisations’functions, bring down the cost of attending events andmaking them more user friendly in terms of timings andcontent structure. We welcome any suggestions you asmembers may have to assist us in developing a forwardthinking strategy that is perceived as being good for thefuture of the UK Chapter and its membership.

Thank you for your support and enjoy what is hopefullythe start of our summer.

Helene Carlsson – Joint EditorHelene has been working in thesecurity industry over 25 years, bothas a corporate security manager andas a consultant.She has worked with many differentclients specialising in non-IT security,Business Continuity and CrisisManagement.Helene has been a member of ASISsince 1989 and on the ASIS 208committee for over 15 years. She hasbeen actively involved on the Mediasub-committee for the same amountof time and is a strong supporter ofthe chapter and the international edgethe ASIS membership provides.Helene is working on the group writingthe standard for Asset Protection byPhysical Security Measures

Mike Hurst – Joint EditorMike entered the security industry in1998 and initially worked in Sales andGeneral Management roles.In 1992 he joined HJA Fire andSecurity, Recruitment Consultantswhere he is a Director. He recruits atall levels across a range of securitydisciplines.He is a Fellow of the Institute ofRecruitment Professionals (FRIP) andsits on the Validation Board of TheSecurity Institute (MSyl) and hascontributed numerous articles tosecurity publications. Mike is JointEditor of the Newsletter, Webmasterand set up and administers the ASIS208 Blog.Mike is Chapter 208 Vice Chairman -Strategy.

Helene

[email protected] [email protected] [email protected]

Mike

Graham

Graham Bassett – Advertising andSeminar ExhibitorsGraham has worked in the securityrecruitment profession for 20 yearsand is the founding director of GBRUKa London based recruitment firm.He was the founder Chairman of theBSIA Code of Ethics and was also onthe Executive Committee for the RECAssociation of Executive Recruiters,responsible for standards, member‘sbenefits and marketing.Like Mike he is a Fellow of theInstitute of Recruitment Professionals(FRIP) and a Member of the SecurityInstitute (MSyI).Graham is an avid supporter of takingASIS forward within the securityprofession and welcomes yourcommercial support of the Chapter.Graham is Chapter 208 Vice Chairman– Operations, responsible forSeminars, Advertising, Exhibitors andSponsorship.

Editorial Team

Chairman’s notes

Mike Alexander

www.asis.org.uk SUMMER 2010 3

DIARY

WILLIAMSMANAGEMENTCOMMUNICATION

Burnhill Business Centre 50 Burnhill Road, BeckenhamKent BR3 3LA

Telephone: +44 (0) 020 8 249 6088email: [email protected]

www.williamscommunication.co.uk

S P E C I A L I S T V I D E O P R O D U C T I O N

Williams Management Communication specialise in producing training films for major publiccompanies, central and local government, NGOs andleading professional bodies.

Our programmes focus on managing risk, security,H&S, BCP and partnershipissues. We have extensiveexpertise in video productionand practical experience of the issues organisations face.Programmes are viewed via clients’ corporate intranetand on dvd.

ASIS DIARYJULY6th - Exclusive Analysis breakfast briefing15th - ASC Business Club22nd – CoLCPA Meeting28th – SyI Members Evening, London

AUGUST12th—ASIS Breakfast Briefing, Manchester19th – Pegasus Lunch

SEPTEMBER14th – CoLCPA meeting14th - UK visit from ASIS Int. President15th – ASIS Members’ Meeting, London 16th – Pegasus Lunch22nd ASIS Breakfast Briefing, Bristol22nd – SyI Members Evening, LondonWCoSP Commissioners Dinner

OCTOBER7th – CVOC Dinner12th – 15th 56th Annual Seminar &Exhibition, Dallas, Texas21st CoLCPA meeting30th – SyI Annual Ball

NOVEMBER11th – Remembrance Lecture, London17th & 18th – EasyFairs Security23rd – CoLCPA Meeting

DECEMBER2nd – SyI Christmas Curry Night, London9th – ASIS Members’ Meeting, London16th CoLCPA Christmas Drinks

2011

February20th—22nd ASIS Middle East Conference,Bahrain

April03rd – 06th ASIS European Conference,Vienna

We are hoping to arrange some moreBreakfast Briefings and regional meetingsover the next few months.


COMMUNITY SUPPORT

presentation entitled “DelayeringResearch Facility Security”. Theresults are shown in Graph 1:

Association of UniversityChief Security OfficersResultsThe chief security officers wereprimarily concerned withdata/information loss followed byphysical security/access and lack ofsecurity awareness.Contingency/business continuityplanning also scored highly alongwith data/information storage anddisposal and theft/fraud. Lowestscoring were regulatory compliance,extremism/terrorism and lack oftraining/competency.

Research Facility Personnel Results Data and information loss wasalso the main concern for thefacility managers although theydid not score it as highly as thearchivists. Physical security/accessand lack of security awarenesswere ranked the next two highestfor this group overall with the nextfour highest concerns being ownstaff/agencies,extremism/terrorism, contingencyplanning/business continuityplanning and data/informationstorage and disposal. The lowestscoring threat was regulatorycompliance.

UK Science ParkAssociation Results There were two main for thescience parks with physicalsecurity/access and theft/fraud jointhighest with lack of securityawareness also scoring highly. Thenext two highest concerns were thelack of security awareness anddata/information loss. The next fourhighest were contingency/businesscontinuity planning, data/informationstorage and disposal,extremism/terrorism and ownstaff/agencies. The lowest concernwas regulatory compliance.

Scientific Archivist Group ResultsThe primary concern for thearchivists was data and informationloss which scored very highly. Thearchivists’ next concerns revolvedaround four key issues; the first wasphysical security/access, the secondwas concerns over their ownstaff/agencies, the third was lack ofsecurity training/competency andthe fourth was lack of securityawareness. All other scores wererelatively low withextremism/terrorism being scored asthe lowest concern.

The results indicate that some ofthe primary concerns are similaracross all four groups and Graph 2shows the mean results.

USEFUL RESOURCES:www.securedbydesign.comwww.mi5.gov.ukwww.cpni.gov.ukwww.bis.gov.ukwww.ico.gov.uk/www.bsi-uk.com/InformationSecuritywww.nationalarchives.gov.ukwww.londonprepared.gov.uk/businesscontinuity/assessingyourrisk/

Graph 1: Top Ten Security Threats Results

Graph 2: Top Ten Security Threats Means

If you would like any moreinformation about this articleplease do not hesitate to contactthe author, Norman Mortell BA(Hons), Director of Operations,Agenda Security Services,[email protected]


SUMMER SEMINAR

This was the first time that we have had an afternoonseminar and judging by the attendance and thefeedback, we have received, it was a big success. So

much so that we have decided to have the 15th Septemberand 9th December meetings in the afternoon as well.

We have not abandoned the morning format but we wantto give this new structure a fair run and will review in theNew Year.

Thanks go to our hosts Nomura International, the event

sponsor, Wilson James and exhibitors • Arc Training International,• Citicus Ltd,• Esoteric Ltd,• i-comply and • Lynx Security

We must also thank our speakers for giving us their timeand expertise. (Simon Oxley, Steve Kemsley, Kevan McCroneand David Anley)

Summer SeminarMike Hurst, Vice Chairman, Strategy


RUSSIAN SECURITY

General Overview and StatisticsDue to economy recession, thenumber of foreign visitors whocame to Russia in 2009 hassignificantly decreased. Thus, forexample, according to official data,during 9 months of 2009,2,600,000 foreigners visitedMoscow, which is 15% less thanfor the same period of 2008.

In its turn, this could not leavethe hotel business in the countryunaffected. Thus, the level of hoteloccupation in Moscow and SaintPetersburg depending on hotellevel on the average was reducedby 8 to 30% with the 3-star hotelsand below taking the biggestdamage.

Such situation made manyhotels reduce prices, in somecases average room rate (ARR)was reduced by 40%. In that case,statistics shows that 4-star hotelssuffered most from price reductionin both ruble and dollar equivalent.To compare, this figure dropped by50% in Amsterdam, by 20% inPrague, by 13% in Paris.

However, according to forecastsof the Government of Moscow, in2010, the inflow of foreign touriststo Moscow is expected to rise tothe level of 2008 at least – i.e.more than 4 million people.

Thus, for the period of 2009, 9new hotels of different segmentswere opened in Moscow. In 2010,there are plans to open 11 morehotels. Moreover, currently, thereare 129 hotel projects of differentstar category for 11,800 roomswith different completion status,including 78 projects at the designand construction stage and 51projects at the stage of surveywork. In total, according to theofficial city development plan, in2010-2011, Moscow should have556 hotels of different segments.In Moscow, there is a network ofsmall (private) hotels, which isquite small for such city, togetherwith two dozens of Soviet-style

hotels of different segments(Pekin, Izmailovo, Kosmos, Zarya,Vostok, etc.); however, the hotelclimate in Moscow is defined bylarge international chains, such asMarriott, Hyatt, Radisson,Kempinski, Novotel, Holiday Inn,Hilton, Crowne Plaza, Park Inn,IBIS, Ritz Carlton, Savoy, etc.

Saint Petersburg has a similarsituation – in 2009, 9 hotels wereput into operation and another 8new hotels are scheduled for2010. According to Investmentand Strategic Project Committee,there are 561 hotels (25,800rooms) in Saint Petersburg. Thisincludes 185 small (private) hotelshaving about 6,000 rooms. As arule, such hotels are located in thevery center of Saint Petersburg,near major attractions. Suchinternational upscale segmentchains as Grand Hotel, Astoria,Kempinski, Sokos, Corinthia,Taleon Imperial Hotel, FourSeasons, Radisson, Novotel,Renaissance, Angleterre andMarriott operate in the city.Midscale segment is representedby Oktyabrskaya, Moscow, Azimut,Rossiya, Nevsky Grand, etc.

According to different data,there are totally 4,500-5,000hotels in Russia. Based on thestatistics above, Moscow andSaint Petersburg account for morethan 20-25% for the whole hotelpool of the country; therefore,these two cities basically definethe key trends and the specifics ofhotel business development inRussia. Thus, as a rule, the so-called million-plus cities (citieswith the population of more than1,000,000 people) have from oneto five dozen hotels in private andmidscale segment. The latestmodern trends are the increasingnumber of hotels in upscalesegment in such cities asYekaterinburg (Hyatt), Kazan, Perm(Hilton), Sochi (Radisson),Vladivostok, Kaliningrad,

Novosibirsk, Krasnodar, Rostov-on-Don, Volgograd, etc.

Basically, hotel business inRussia ‘let in’ large internationalplayers relatively recently (no morethan 15-20 years ago), therefore,the market is considered to beyoung in these terms. Moreover,the state often owns a controllingblock of shares in hotelcompanies, which are mostlyfranchises of large internationalbrands and are managed by localhoteliers.

Key Security Trends & AspectsIt is no secret that the criminalsituation in Russia in general isevidently improving over the lastseveral years. This definitelychanged the hotel business of thecountry.

Below, the modern securityaspects are reviewed usingexamples of upscale and a largepart of midscale hotels:

Nearly all hotels of Russiatraditionally have a securitymanager and their internal securityservice. Most often, a guardservice company and/or anextradepartmental guarddepartment of the Ministry ofInternal Affairs perform thefunctions of internal securityservice.

Standards and securityassurance goals in hotelspertaining to large internationalchains and in local hotels arequite similar in theory, but cansubstantially differ in practice. It isfirst of all determined by the levelof skilled security servicepersonnel, their professionaltraining and the level of theirmotivation.

As per the Russian legislation,when arriving at a hotel, all guests(even the ones with Russiancitizenship, outside of the city oftheir registration) are to betemporarily registered. It isrecommended to have such

HOTELS IN RUSSIA – KEY SECURITY ASPECTSBy Dmitry Budanov Chairman ASIS Russian Chapter in co-authorship with SPHERE members


RUSSIAN SECURITY

registration as well as the addressand the telephone of a hotel athand outside the hotel at all timesin order not to have any problemswith law enforcement authorities,which can demand to see yourdocuments.

Nearly all upscale segmenthotels and most lower-segmenthotels have either their own taxiservice or an agreement with anexternal taxi company. Therefore,when booking a hotel, one canalso demand an airport pick-upservice, as well as use this serviceduring the whole period of stayingat the hotel. As a rule, the numberof cars is limited, therefore youshould book in advance; the costof such service may be higher thanin a regular taxi or a so-calledgypsy taxi.

The majority of hotels do nothave any technical inspectionmeans at the hotel entrance. As arule, the entrance is free foreveryone; however, there is facecontrol of a different degree ofstrictness. In provincial cities, youmay be stopped at the entrance

and asked where you are going. In hotels having good

restaurants, bars, business centersand wellness clubs, the access isfully open for those externalvisitors who use these facilities.

The cases of theft in upscalesegment hotels are quite rareregardless of the city. Hotelspertaining to large internationalchains are equipped with modernCCTV and access control devices.At some hotels, electronic locks athotel room doors are equippedwith a memory chip allowing tostore all operations for each lock.In any case, the rooms in mosthotels of all segments have safes(paid or free); in case there are nosafes, the valuables anddocuments can always be storedat the reception.

The problem for most hotels arepickpockets. You would neverdistinguish them from otherpeople. They ‘work’ in hotel halls,where it can be especiallycrowded, and in restaurants/bars.Never leave your valuables,wallets, documents or money in

pockets of your jackets or outergarments when you take them offand put them on the commoncoat rack or chair back. Alwayskeep bags with your belongings orlaptops visible. Drunk people arean especially easy target forpickpockets.

Russia in general and nearly anylarge city in the country are well-known for their nightlife. Inconnection with that fact, there isone serious problem – prostitution.In Soviet times, the situation wassometimes absurd – in somehotels, especially the ones forforeign tourists, prostitutes werede facto a part of ‘the list ofadditional services’ provided totravelers! The logic was simple: onthe one hand, it allowed hotelmanagers ‘monitor’ the situation,since all such hotels had a ‘staff’of prostitutes, which changedinsignificantly over time.Prostitutes valued their positionand did not steal from clients. Themanagement and security serviceemployees also earned theirinterest. Everyone was happy. On


RUSSIAN SECURITY

Terrorism in Greece: the reason why it is still “alive”!

the other hand, it is well-knownthat the prostitution has alwaysbeen and is controlled byorganized crime groups, whichimposed their game rules on hotelmanagement and severelypunished in case the latter refusedto cooperate.

Currently, the situation withprostitution has slightly changed,but it has not completelydisappeared, especially inprovincial towns and in somemiddle and lower segment hotels,where this ‘service’ can still beoffered on the phone or knockingat the door of your room. In thiscase, do not try to argue and/orcomplain to an administrator andsecurity (as a rule, they are a partof the game), but refuse calmlyand confidently. In large chainhotels in Moscow and SaintPetersburg you may still seeexpensive prostitutes late at nightin local bars.

Moscow, Saint Petersburg andmany large cities of the countryare notoriously well-known for a

large number of incidents whenforeign guests and other visitorsbecome victims of casualacquaintances from night clubsand bars, which use special drugsand/or the situation to rob their‘clients’ in their hotel rooms. Thereis an evident reason why suchincidents are, as a rule, non-reportable. Security service andadministration will most certainlyrefuse to help you.

Every Russian hotel has a so-called safety passport approved atthe level of a local city hall. Thisdocument is issued by respectivemonitoring agencies and describesin detail all safety measuresobligatory and provided for in everyhotel. Most hotels regularly holdtheoretical and practical coursestraining how to react in case of anemergency. A part of courses areheld with the participation ofRussian Federation Ministry ofEmergencies, Ministry of InternalAffairs, Civil Defense, etc.

Most hotels of largeinternational chains are managed

by foreign nationals, who shouldassure continuity of internationalstandards and control the requiredlevel of services.

Finally, the summary of basicsecurity guidelines (from theRussia Travel Risk Guide): whenchecking in, request that your visaand migration card be registeredand returned to you ASAP so thatyou have it when you go outside.Store valuables in a safe. Usediscretion in giving out personaland business information tostrangers. Politely hang up if youreceive a harassing phone call andreport it to the manager. Refrainfrom inviting strangers to yourroom. Always inquire beforeopening your door. Beware ofvulnerability of information whenusing business centers and WiFinetworks – industrial espionage,hacking, etc. is common.

Note: This article uses some researchand statistical materials of KnightFrank and North West Consulting.

May the 5th 2010: three bankemployees, all of themaround 30 years old, lost

their life after a firebomb attackagainst a bank’s branch, downtownAthens during a big protest againstthe austere measures the Greekgovernment had to enforce in orderto be granted loans from itsEuropean Union partners and theInternational Monetary Fund. Whatdifferentiated the three victims of thelatest terroristic attack in the Greekcapital was that for the first time thefirebomb didn’t belong to the handsof members of a terroristic group butto unidentified yet “representatives”of an anarchist movement, which isbased in an Athens’ area, calledExarcheia. This “movement” is basedon old members of captured terroristgroups and young “rebels”, most of

them children of rich parents.Ironically, it was only a few weeks

before the lethal bank attack, whenthe Greek police have announced, inlate April, the arrest of six leadingmembers of “Revolutionary Struggle”(“Epanastatikos Agonas”), the mostviolent terrorist group attempting inGreece since the capture of the“November 17th” death squad. Forthose who aren’t familiar with itshistory, “Revolutionary Struggle”prompted (amongst other attacksagainst even cabinet members) themissile (light anti- armour rocket)attack against the United Statesembassy in Athens, in January 2007.

Ruthless…Greek media, political analysts, evenpoliticians fear that Greek economiccrisis will lead to an almost certain

surge, not only of commoncriminality figures, but also to therise of a new generation of terroristicgroups. Moreover, they are afraidthat these new groups will be evenmore ruthless, compared to thoseactivated in the past.

On that point, we should takecarefully into consideration the workdone by the Minister for theProtection of the Citizen, Mr. MichalisChrissochoidis. His politicalopponents, but also his partycolleagues who are not pleased withhis success, characterize him inpublic as lucky. The truth, though, isthat he is systematic and well-timed!Please notice that he was alsoMinister (of Public Security at thetime) when “November 17th” wascaptured in 2001. At that time, hewas also been given a prize from the


TERRORISM

F.B.I. Their main argument is thatboth “November 17th” and“Revolutionary Struggle” were brokendown after two incidental events: abomb which exploded in the handsof one of “November 17th” members(Savvas Xiros) nine years ago andafter a bizarre shooting incident inMarch this year and the subsequentdeath of a robber (Labros Foundas),who is considered to be member ofthe “Revolutionary Struggle”.

Looking deeply“It was a black day for democracy.Forces which are used to blindviolence, with openly antidemocraticand antisocial goals and behavior,took advantage of the peacefulprotest of the workers, causing thedeath of three citizens andjeopardizing the lives of many more.They also tried to invade theParliament. I want to reassure thefamilies of the citizens gone that theassassins will be captured. I alsowant to mention the only way tomarginalize the forces of blindviolence, which ostensibly plead onthe economic crisis in order tospread disaster and pain, is theresponsible stance of each one ofus”. These were the words used byMr. Chrissochoidis to mark not onlyhis frustration for the death of threecivilians, but also to focus on what isa common knowledge in Greece.

What’s that? Terrorism is stillactive in Greece not only becausethe police doesn’t seem to be ableto follow its successes with newones. Those who know how politicsis run in this beautiful and historiccountry in the eastern Mediterraneansea point out one crucial factor,using a simple example: it wasDecember 2008 when Greece turned“upside down” after the publicuprising which followed the killing ofa 15 year old student (Alexandros

Grigoropoulos) by a policeman inExarcheia. Only a year and a halflater the killings of the three bankemployees were, surely, a shock forthe Greek society but they didn’thave the impact of Grigoropoulosdeath: some dozen flowers and twoor three silent protests with candleswere the only events that remindedGreeks of what the consequences ofterrorism can be. It’s indicatory thata week after the assassination of thethree bank employees a bombexploded close to the Korydallospenitentiary, where the“Revolutionary Struggle” membersare held. It was a sympathy actionfor the detainees!

Furthermore, a careful observer ofGreek politics has to examine thecontroversial political past of thiscountry. It was only 36 years agowhen democracy was restituted inGreece after the military dictatorship,which lasted for seven black years.Greek people have never stopped toaccuse the U.S. as the headmasterof the junta. It was on that anti-American feeling terrorist groupsformed up their execution machines.Especially “November 17th” recruitedmembers from the leftist part of theGreek community which was broughtup with the feeling that for all thedisasters of the Greek nation therewas only one to blame: the Americangovernment, no matter who was inthe White House in different periodsof time. On the other hand, theterrorists could have neveraccomplished their goals if theydidn’t achieve to take a considerableportion of Greek society on theirside. The previous point gives us alsothe answer in the question why Italyor Germany, to mention twoEuropean countries, which facedterrorists aggression in the past,managed to eradicate the problemand Greece not only hasn’t yet

accomplished it, but terroristicarguments are embodied in thepublic rhetorics of left wingparliamentary parties. Even thoughthey denounce violence, theyconstantly declare their confirmedaversion for the currentConstitution…

Unprognosed consequencesToday, the Greek political system isfacing probably its most crucialchallenge since the fall of thedictatorship in 1974: it will eitherchange for the benefit of the peopleor it will collapse, giving place tochaos to erupt with unprognosedconsequences. During the May’sprotest, when the three bankemployees were killed, a lot ofpeople yelled: “burn, burn thebrothel parliament”! A few years agothis slogan would have represented aminority amongst Greeks. But notnow. It’s almost 20 years since theday the British professor PaulWilkinson was quoted saying:“Fighting terrorism is like being agoalkeeper. You can make a hundredbrilliant saves, but the only shotpeople remember is the one thatgets past you”. That’s a quote theGreek government should learn howto address…

Angelos AgrafiotisChairperson of ASIS International

Aegean Chapter

Background Checks that Work for You!

We take nothing at face value, if somebody tries to join your organisation and has lied, mislead you or used fake, false or stolen documents then we will find them!Let Agenda take out the guess work and provides you with a robust, fast and cost effective screening process for your job candidates and contract personnel.

Agenda Security Services provides all of the expertise, advice and support that you require with specific expertise in meeting the requirements of the Government’s Baseline Personnel Screening requirement. Agenda’s background checks and screening procedures are the most rigorous and comprehensive that you will find and include identity checks, employment rights checks, criminal checks, social web site reviews and many more screening services provided from a comprehensive menu of services designed to specifically meet your needs!

T: 08456 44 55 46 E: [email protected] W: www.agenda-security.co.uk


UK INTELLIGENCE AND SECURITY COMMITTEE

The UK’s Intelligence andSecurity Committee (ISC) isan independent committee,

established by the IntelligenceServices Act 1994 to examine thepolicy, administration andexpenditure of the three UKintelligence Agencies: the SecurityService, the Secret IntelligenceService (SIS) and the GovernmentCommunications Headquarters(GCHQ). The Committee alsoexamines the work of the JointIntelligence Committee, theAssessments Staff and theIntelligence and SecuritySecretariat in the Cabinet Office,and the Defence Intelligence Staff(DIS). The committee has recentlypublished its annual report for2009–2010 (dated 5 March2010) and it contains someinteresting insights into thenational effort expended oncounter terrorism; predominantlythe PURSUE and PROTECT strandsof CONTEST. Understandably thepublic version of the report has hadsensitive informationcomprehensively redacted.

However there were someinteresting observations on agencyfunding. For instance the combinedbudget for the three principalintelligence and security agenciesfor 2008/09 was £2,033m (anincrease of 15% on the previousyear). Also published was theagreed budget for 2009/10 whichis £2,203m (an increase of 8%),and the 2010/11 settlementappears to be £2,354m (a furtherincrease of 7%). So year-on-year itlooks like the UK is committed toincrease spending on nationalintelligence and security (andcounter terrorism is set to benefit).

The report also offered up someinsights into the effort expended oncounter terrorism:

The Security Service devoted74% of its effort to internationalcounter-terrorism (ICT) (a 6%increase on the previous year). TheService plans to increase its effortslightly on ICT to 75% during2009/10. However, it is unlikelythat there will be a further increasebeyond this level since there is noscope for the Service to cut itsnon-ICT work further. During2008/09, the Security Serviceallocated 13% to Irish-relatedterrorism; this is set to increaseduring 2009/10 to 18%. As anaside: During 2008/09 the Serviceallocated 3% of its overall effort tohostile foreign activity in the UK.The main threats continue to beposed by Russia and China, both inthe conventional and cyber spheres(worrying for old counter espionagetypes like the author).

SIS allocated approximately 37%of its effort to ICT during 2008/09.The Christmas Day Detroit bombplot and the resulting increasedfocus on al-Qaeda in the ArabianPeninsula highlighted anotherchallenge for the Service – beingable to respond quickly andeffectively to the evolvinginternational terrorist threat.

GCHQ’s work on counter-terrorism remained steady in2008/09 at around a third of theagency’s overall output.

The report was fairly acerbic inits criticism of developinginteragency activities throughtechnology. There was a briefupdate on a pan-departmentalintelligence sharing tool (known asSCOPE), which has been beset withdevelopment issues. The decisionto abandon SCOPE Phase 2, whichwould have’ joined up’ a 10government departments e.g. theHome Office, HM Revenue andCustoms, the Serious Organised

Crime Agency and the DIS; has“appalled” the committee, becauseof the “waste of tens of millions ofpounds”. However, the task ofjoining up such a disparatecommunity of intelligence producersand users was always going to be achallenge and one that hasovermatched the SCOPE project.

With a new Treasury team inplace we can expect all controllingdepartments to be putting theirsecurity and intelligence agenciesthrough a fine sieve in terms offuture spend in these austeretimes. Next year’s report shouldmake interesting reading in termsof indicating where priorities mightbe focused and also how agenciesdemonstrate value for money –‘spook for buck’.

Observations on the last UK Intelligence andSecurity Committee Report 2009-2010

Chris Tomlinson

Chris Tomlinson is a principalconsultant at Arup Security

Consulting, which he joined aftermore than 20 years in defenceintelligence and security. His

specialities are global risk analysisand security master planning and

he is one of Arup’s leadgeopolitical risk analysts,

responsible for Europe includingthe Russian Federation. He has amasters’ degree in Security and

Risk Management which he gainedfrom the University of Leicester.


BSI

Renzo Marchini LLP Dechertbackground: international commercial solicitor,specialising in IT, e-commerce,information security and dataprotection law; currently authoringa book on Cloud Law forpublication by BSI in autumn2010.

What is Cloud Computing?According to Wikipedia, it isInternet-based computing,whereby shared resources,software and information areprovided to computers and otherdevices on-demand, like theelectricity grid. There are threeservice models, software(salesforce.com), platform (MSAzure) and infrastructure (AmazonEC2) and four deploymentmodels, storage, servers, networksand virtualisation.

Customer benefits include: easylow set up costs, easy scalability,easy access, no customermaintenance; costs based onusage. In distributed systems 85%of computing capacity sits idle(IBM 2009); 69% of Americansuse cloud computing, webmail,store data on line or s/ware (Pewresearch centre 2009); 47% ofbusinesses with 250+ employeesalready use some cloudcomputing in two or more areas ofbusiness (IDC survey 2009),SMEs planning to use cloudcomputing 22% 2008, 50% 2009(Easynet Connect 2010).

Comparison between softwareas a service (SaaS) and softwarelicensing (SL); in the former(SaaS): the provider provides theinfrastructure, remote access,subscription based, continuousupdate, data with provider, (SL):customer’s server, physicaldelivery, licence fee, releaseschedules, data with customer.

Key Data Protection andInformation Security issues

Who is responsible for dataprotection and compliance/ who isthe data controller? The Data Controller, the personwho determines the purposes forwhich or manner in which anypersonal data is processed• The Data Processor, any person

who processes on behalf of thecontroller

• Data Controllers have dataprotection act liabilities (DPA),processors have none, bothmay want indemnities

• But - can’t rely on the contractsExample, SWIFT systems, used

by banks to transfer fundsbetween banks, the US Govt andacross borders. Has a HQ inBrussels and undertakes work inSwitzerland. But SWIFT’s hadliabilities under section 29 of DPA,SWIFT decided what data wasprocessed, what standards andsecurity standards were used andthe location of the data centre.SWIFT was found to be thecontroller. • Regulatory guidance, UK has

the DPA, Germany has asystem, but there is no systemat the EU level.

• What are the securityrequirements? Can these bedelegated to the cloudprovider?

• Does it matter where the datais? Cross border issues

Issues in Cloud Contracts;service charges; service levelagreements; liability for data andownership of the data: 7thPrinciple Security (Article 17),customer able to audit inconventional data but can’t do soin Cloud systems

Security risks;shared infrastructures (perhapswith business competitors),encrypted transmission,passwords, acting/ provingunauthorised access and

disclosure, physical security;Security policies due diligence andmonitoring (Certification,ISO27000, SAS70).

Who is responsible for dataprotection - who is the controller -where is the data (cross-borderissues). Many Cloud providers areUS based, so which DP lawsapply? What happens in transfersoutside of EU/EEA? Eighth dataprinciple (DPA) - data must besafeguarded and not transferredoutside the EEA unless adequatesafeguards are in place. But,where is the data? What if thecountry is not “adequate”, needto undertake a self assessmentand risk assessment.

Service Level Agreements arechanging and evolving; forexample, some contracts offer alevel of 95% guaranteedavailability: but for what period,what are the exceptions and whatis level of compensation, what arethe termination entitlements?

Liability: the provider acceptsNO liability for data loss, breach ofsecurity, integrity: but, one breachaffects all customers. USContracts have a multi-tenancyagreement.

Conclusions: For compliance - understandingwho is responsible, who is thedata controller is critical, eventhen in litigation, it could be heldotherwise.

In the worst case scenario ifthe provider goes out of businessthe data will be lost; manyproviders are Silicon Valley start-ups, small to medium sizedenterprises.

Recommendations are toconduct a self risk assessment orhave a third party conduct the riskassessment; then develop andmanage a data back-up protocol.

Once the risks are specified itmay be possible to underwrite therisk.

BSI Information Security Conference 13 May 2010: Cloud ComputingAllison Wylde, ASIS UK Committee


CONVERGENCE

Just a reminder that thereare seventeen Guides,Standards and Reports

that members can downloadfree of charge fromwww.asisonline.org.

If you have any difficulty indownloading them, pleasecontact Vice Chairman MikeHurst—[email protected]

GuidelinesBusiness Continuity Guideline:A Practical Approach forEmergency Preparedness,Crisis Management, andDisaster Recovery (2005)Chief Security Officer Guideline(2008) Facilities PhysicalSecurity Measures Guideline

(2009) General Security RiskAssessment Guideline (2003)Information Asset ProtectionGuideline (2007)Preemployment BackgroundScreening Guideline (2009)Private Security OfficerSelection and TrainingGuideline (2004) ThreatAdvisory System ResponseGuideline (2008) WorkplaceViolence Prevention andResponse Guideline (2005)Standards Chief SecurityOfficer (CSO) OrganizationalStandard (2008)Organizational Resilience:Security, Preparedness andContinuity ManagementSystems - Requirements withGuidance for Use Standard

(2009)

CRISP Reports Connecting Research inSecurity to Practice

Preventing Burglary inCommercial and InstitutionalSettings: A Place Managementand Partnerships ApproachOrganized Retail Crime:Assessing the Risk andDeveloping Effective StrategiesFrom the Ground Up: Securityfor Tall Buildings PreventingGun Violence in the WorkplaceStrategies to Detect andPrevent Workplace DishonestyLost Laptops = Lost Data:Measuring Costs, ManagingThreats

ASIS Standards and Guidelines

Security Convergence – The way forward James Willison, ASIS UK Committe Convergence Lead

As many of you know, ASISUK together with the SyI,the ISAF, PwC and other

leading security organisationsrecently published a paperwhich highlighted theimportance of convergedsecurity risks and the need for aco-ordinated response. This hasreceived very encouragingsupport from those in theinformation security and physicalsecurity arenas. It has also beenacknowledged by the NationalFederation of Fraud Forums andthe Business ContinuityInstitute. For those who wouldlike to read more, please visitthe ISAF’s website atwww.theisaf.org.

So, what next? Those whocontributed to the report agreed

that increasingly what isrequired is a respect for eachother's area of expertise, arecognition that we cannot solvethe problem on our own andthat by sharing good practiceand common reportingstrategies we will identifyvulnerabilities in our systemsbefore either a member of staffor a cyber criminal exploitsthem. Allison Wylde and Irecently attended the BSIconference on current bestpractice for Information Securityand it was noteworthy thatseveral of the speakersemphasised that the people inan organisation are often theweakest link. Of course it iscrucial that we also updatesystems and sustain a balanced

strategy. I have met manyphysical security leaders whomaintain that those from thetraditional security field oftenhave considerable experience ininvestigations, identifying risksposed by criminals anddeveloping effective strategies tofollow and arrest the peopleconcerned. It is this kind ofexpertise which our colleaguesin the information security fieldmost admire and respect. It issomething which needs to beemphasised more as our workbecomes increasingly integrated.As Allison’s article considers theissue of cloud computing, who,we may ask, will be involved inthe investigation and arrest ofthose who steal data in thefuture?

www.asis.org.uk14

EUROPE

SUMMER 2010

Well travelled ASIS members willknow that all countries have theirown unique preferences andprejudices when it comes tosecurity – the UK, of course, is veryimportant and is a global leader inmany regards. It has lead the wayin developing new technology andin applying it effectively.

But in the alarms sector UKinstallers have been unusually slowto harness IP technology. Whilstmany notable end-users have goneahead, explored and adopted IPalarms for themselves (eg. majorretailers, banks and utilities) in themarket as a whole there is still adefault reliance on BT Redcare.

Not only is this unnecessary, it isvery limiting. IP alarmcommunication systems are provinga valuable and liberating technologyfor security planners around theworld and if this is an area that youhaven’t looked into yet, then youshould because communicationssystems, like businesses, don’tstop at the border.

Globally, IP alarms havecontinued to evolve and are nowoutstripping the old fixed-linetechnology, giving securitydepartments more control, moreinformation, greater robustness andreliability – and costing themsignificantly less.

In country after country theformer state-monopoly providershave lost their hold, and the clockis ticking for those that still retainit. Globally, from Scandinavia toAustralia IP has freed-up themarket and is allowing innovation,competition and all the benefitsthat brings.

So far the UK has been anunusual case – but that ischanging. Here, BT may still be thedominant provider, but much lessso than it was. A few years ago,before IP came along, Redcare’sfixed lines were certainly the bestsolution. But that is no longer true.Security planners now are askingfor the benefits of more flexiblealternatives for alarm transmission,

not least significantly lower costsand a significantly smarter service.

This is a hugely exciting time forthe market. Alarm ReceivingCentres now have at their fingertipstechnical resources that they’venever had before, such ascomplete overview and full controlover all their monitored alarms. Forexample, Chiron’s technology is thefirst to allow them to see in closedetail how their systems areperforming, both in real time andhistorically. We’ve just made onebig jump, with the introduction ofIRIS Secure Apps, and we arepressing ahead with thedevelopment of new IP-basedservices such as Social Care andVisual Verification. These will comein below the current CCTV costthreshold and link Alarm monitoringwith Visual notification in a moreintegrated way.

Ian Tredinnick is CEO of ChironSecurity Communications

It was a great disappointment thatso many of us were preventedfrom travelling to Lisbon, not justthe “amizade” but also so thatour European volunteer leaderscan meet in person , which we dotwice a year . This is important aswe welcome new appointees andget them up to speed on thedirection of Europe and to ensurewe keep to the overall agenda setby SRVP - Godfried Hendricks.With a region that stretches fromIceland and Scandinavia in thenorth, Turkey and Israel in the Eastand Iberia in the South, we havemany cultures, languages andobservances’ that as a globalsociety ASIS embraces.

In our region we have a body,the European Advisory Committee(EAC) ,that allows us to reviewpoints that the SRVP and RVP’shave set. All this is in support ofthe ASIS International global plan.At our UK Chapter meeting atNomura (excellent seminar andgreat networking) the question wasasked on how ASIS is supportingthe profession of security inEurope. Since the advent of theEAC and the establishment of anoffice in Brussels, ASIS hasengaged in many standardsinitiatives, EEAP, ERT, andincreasingly standards that have aBSi or ISO origin that are nowbeing adopted by countries and

regions. The Department ofHomeland Security in the US verymuch embraces ASIS goodpractice built on consensusthrough international liaison.

As a professional associationASIS has been instrumental injoining up the security profession.Excellent practice is shown inNorth America where ASIS hasbeen the vocal point of reason,which we in Europe seek toemanate so that we engage theEU and all the way to Russia. Thenews that civil strife is on ourdoorstep in Kyrgyzstan with bitterfighting between the ethnic frontsis a reminder that in a post USSRcolonial world , has made ill fitting

Connecting EuropePeter French MBE CPP, Chairman ASIS European Advisory Council

UK security planners play catch up with alarmsIan Tredinnick


OOPS!

bed mates of many ethnic groups.The private sector cannot ignoresuch conflict as oil & gold reserveswill attract increased privateinward investment which playssuch a large part in keeping thelocal economy stable in a verypoor parts of the world. Thismight be exaggerated in the lightof the pollution in the Gulf ofMexico as environmentalistswithdraw their ridged opposition toinland wells and mines. Withstability of the STANS a politicalhot potato, companies seekingexploration licences will needsecurity practitioners to provideintegrity of operations, whilst

engaging with local displacedcommunities.

ASIS members have manyexperts in such hostile regions sowe share that knowledge at ourannual and regional seminars. Oneforum for greater integration isthrough the Chief Security Officer(CSO) Roundtable. Since itslaunch we are seeing anincreasing chatter on policy,cooperation on in-companyprocedures and risk awarenessdevelopment that rivals manyother Associations. What is it thatsets the CSO Roundtable apart?Well certainly the quality of themembers from global players.

Every CSO member wants topromulgate good practice. TheCSO web site is packed with bestpractice that is available tomembers. Progress so far,includes extensive user advice onthe Ash Cloud, members sharedpolicies and travel advices, lettingyou interpret rather than inventyour response. ASIS Europe seeksto support all the globaldevelopments on behalf of thesecurity professional, as the abilityto share our experiences is thehallmark of a business professionenabling and nurturing itsstandards in the widestexpression.

OOPS!

'Snoopy' tried to break into prison

Police have arrested a man whowas trying to break into prison tospring an inmate while dressed asSnoopy.

Jail workers were stunned whenconfronted by the Peanuts characterwaving a gun, reports The Sun.

When the comic-strip beagleand an accomplice failed to break

down a staff door, they peltedprison officers' cars with concretemissiles.

A prison service source said:"It's not every day you see a giantcartoon dog going on therampage after trying to break intoa prison.

"They weren't exactlyinconspicuous - but it was takenseriously because they appearedto have a gun. They caused a realcommotion and it was only laterthey were found to be armed witha water pistol."

The duo were arrested and itthen emerged they had targetedthe wrong jail - the family memberthey wanted to free wasimprisoned elsewhere.

Snoopy and his un-costumedsidekick tried to get into HMP Isleof Wight's Albany site, while therelative was in the complex'sCamp Hill jail.

A Hampshire Constabularyspokesman said two men, aged 43and 21, were arrested on suspicionof criminal damage and detainedunder the Mental Health Act

As part of the Great British Bike Ride, four seasonedsecurity practitioners have come together torepresent the UK Security Profession in cycling fromLand’s End to Twickenham (1st to 4th September)to raise money for three charities, Help for Heroes,the RFU Injured Rugby Players Foundation and theRPA Benevolent Fund.

Former Chapter Chairman Derek Webster,accompanied by fellow keep fit enthusiast ChrisBrogan, Norman Russell CPP (former Head of GroupSecurity for Barclays) and T-Mobile’s UK SecurityManager Nigel Horsfall.

Our Vice Chairman Mike Hurst is acting as Team

Manager (non-playing) and fund raiser.They are hoping to raise at least £10,000 and

they have already launched Facebook and LinkedInGroups (Security Cyclists Charity Fundraising): pleasejoin and show your support.

Please donate via the bloghttp://securitycyclists.blogspot.com/

Or direct viahttp://uk.virginmoneygiving.com/SecurityIndustryBikers

ASIS International 208 NewsMike Hurst – Joint Editor Mike entered the security industry in 1998...

Documents

Transcript of ASIS International 208 NewsMike Hurst – Joint Editor Mike entered the security industry in 1998...