ASIS International UK Chapter Newsletter No. 3 2015


INTERNATIONAL™ Newsletter

AUTUMN 2015 UNITED KINGDOM CHAPTER 208

Security risks and vulnerabilities have changed, and security departments develop new strategies and tactics.

Today, a criminal gang thousands of miles away from your company’s offices can travel over the Internet, break into your building, steal intellectual property, turn off your surveillance cameras and unlock a door protected by an access control system.

When you discover the plundered databases and the unlocked door, you might think the thief broke in by defeating your physical security systems and waste your time trying to strengthen those, when you should be strengthening your IT security systems.

Of course, it works the other way, too. A thief can break into your building and IT department and carry off a couple of servers with the personal information of thousands of your customers.

The point is, security threats and vulnerabilities have converged. Weaknesses in physical security technology put your IT data at risk just like weaknesses in IT security put your physical plant at risk.

How has this happened? Advancing technology has improved cameras, access control systems, alarms and other physical security technology with many new features and capabilities, including IP features that enable you to plug these devices into an IP network — which is vulnerable to hackers.

What You Need From Equipment Vendors

A handful of physical security equipment vendors have focused on the problems created by this IP migration — but only a handful. Security directors can find those vendors by specifying that their products must be secured from an IT-side attack.

Some vendors do provide inherently secure products or at least provide the software applications and hardware that you can use to secure the products yourself.

You must also require vendors to provide a plan for configuring the security software and operating systems, server hardware and the protection systems for those tools. If the configuration is weak, hackers and criminals will find ways to get into the equipment. From there, they can break into your building and your firm’s IT system.

ASIS UK Police Liaison receives OBE

ASIS UK Police Liaison committee member Richard Stones CSyP has been awarded an OBE in the 2015 Birthday Honours for services to police and business.

Richard was the first serving Police Officer worldwide to be awarded Chartered Security Professional status (CSyP) back in 2011 and is also a Fellow of the Security Institute and a Freeman of the Worshipful Company of Security Professionals.

On receiving the award Richard said, “it’s great to be recognised in this way. I was shocked when I received the letter and initially thought it was a wind-up. I hope it will help raise the profile of ASIS particularly in policing circles where a closer collaboration with business and industry standard would help us all.”

ASIS UK Chapter Chairman Andy Williams CPP said on hearing the news “With the Police service in the UK being subject to further budget reductions, the pressure on non-front line departments to reduce expenditure whilst improving efficiency is huge. In that context, it is particularly gratifying to see work that Richard has undertaken being rewarded in this way.

As a former Police Officer myself, I am especially proud to have Richard working as part of the ASIS UK team in his Police Liaison role.”

Richard, Staff Officer to the National Policing Lead for business crime reduction, holds an MSc in Security and Risk Management and is a Visiting Fellow at Derby University.

The New World of Converged Security — Dave Tyson CPP

ASIS NEWSLETTER OF THE YEAR – WINNER 2013, 2012, 2008 & 2003 – HONOURABLE MENTION 2011, 2006.

continued page 14

ASIS aug15_ASIS_RiskUK_may15 07/08/2015 11:21 Page 1

www.asis.org.uk AUTUMN 2015

CHAIRMAN’S NOTES

According to recent press reports, Jihadi John may now be surplus to the requirements of his ISIS leaders. He must be wondering whether it would be better for him to be captured by the allied Special Forces teams that are apparently searching for him, or to be dealt with by his leaders. Whilst, if these reports are to be believed, some may wish to celebrate his imminent fate, my hope is that the episode acts as a stark warning, to those individuals and groups planning on travelling to join the fight, that no matter how good their work, they have a shelf life and when the day comes, there will be no celebration or reward for their efforts.

Closer to home, it was excellent to read that seven men have been convicted of a number of smash and grab jewellery robberies in London dating back to 2007. The group who used motorcycles to make their escape were sentenced to 64 years between them. Two others, who were convicted of conspiracy to handle stolen property, will be sentenced at a later date.

As I’ve reported in previous newsletters, fellow members of the Chapter leadership and I are continuing to reform the administration and the Chapter. You will have read about the huge financial turnaround that has been achieved in the past 18 months, thanks in no small part to the incredibly generous sponsorship and exhibitor fees that we receive, the decision at the AGM in December to vote for a change in the structure of the Chapter, from being an unincorporated body to being members of a Company limited by guarantee and the formation of a Chapter constitution. This is all taking time and a great deal of effort, not least from Chris Brogan, to whom I would like to pay particular tribute. As Chapter legal advisor, Treasurer and Company Secretary of the Limited by guarantee company, ASIS Chapter 208 Ltd, he has spent countless hours, leading us to a position where we are fully compliant with all legal requirements, laws and best practices. As with every member of the leadership team, he has done all of this work voluntarily and in doing so, has saved us many thousands of pounds.

Last but not least, I would like to remind you that London has been chosen as the host for the 2016 European Conference. This is a second opportunity in just 4 years to show off all that is best about UK Security and the men and women, up and down the country, who make us the world leaders. www.asisonline.org/London for more information about exhibiting or attending.

Enjoy your summer.

Best wishes, Andy

Andy Williams CPP


CALENDAR

Calendar Events

Sep 15
7th: ASIS UK Autumn Seminar, SOAS, London
22nd: Security Institute Annual Conference
28th - 31st: 61st Annual Seminar and Exhibits, Anaheim, California
30th: Retail Crime & Loss Prevention Conference, London, 2015
30th: JSAFE—Charity Dinner - Bookings Open

Oct 15
15th: Consec
15th: Global Resilience Summit, London
19th - 20th: Total Security Summit, Northamptonshire
28th: Security Twenty 15, Heathrow

Nov 15
TBC: ASIS 60th Birthday Party, London
12th: National Association of Healthcare Security Conference, London
12th: Security Institute Remembrance Event
17th - 19th: IIPSEC, Birmingham
25th: Security and Fire Excellence Awards

Dec 15
2nd - 3rd: Transport Security Expo
3rd - 4th: ASIS China Conference
10th: ASIS UK Winter Seminar & AGM, State Street Bank, London

2016

Feb 16
21st - 23rd: 7th ASIS Middle East Conference, Dubai

Mar 16
9th: ASIS UK Spring Seminar, PwC, London

April 16
6th - 8th: 15th ASIS European Conference and Exhibition, London
6th: Behind the scenes tours followed by Welcome Party
7th: Conference followed by President’s Reception
8th: Conference followed by Chapter Reception at the House of Lords
19th - 20th: Security and Counter Terror Expo, London
27th - 28th: 26th ASIS New York City Security Conference & Expo

Jun 16
21st - 23rd: IFSEC


CV

Your CV is a marketing document. Too much information presented as a career biography may not achieve the results you are hoping for. A recruiter or hiring manager, who has never met you, will judge you by its content and appearance alone, whether you deserve further consideration for the role in which you have expressed interest.

A brief, clear, attractive CV will recommend you more highly to a recruiter than will a long-winded, poorly designed one — even if the content is the same.

Here are a few tips for creating an enticing CV.

Be brief

People who come from security, law enforcement and intelligence backgrounds may tend to include wordy explanations of their positions and duties in an effort to be truthful and precise. These are good qualities in a professional, but a CV must make an impact on its reader in 20 seconds or less, so in this case, brevity is key. If you have led a certain type of program, simply state that and move on; unless the program is so unusual that the reader may not understand its significance, there is no need to explain it further. However, if you accomplished something extraordinary in that program — if you were a loss prevention manager and implemented a program that dropped your shrinkage from 20 percent to nothing, for instance — you should consider including a bullet point that states the results you achieved.

Tailor to the position

Context is King. You may have a 10-page list of positions and work experience that are relevant to a security career in general, but a recruiter or hiring manager does not need or want every little bit of that information. You should focus on the areas highlighted in the job description. Make a list of the key things you have accomplished in the course of your career and then pick out the items that are relevant to the position for which you are applying.

Pay attention to the design

Try to develop a CV that is visually pleasing, easy to read, and that can impact or interest someone within 20 seconds. A page so dense with words that it looks like an essay will likely receive little attention, because the people sorting through the stack of CVs will consciously or unconsciously tend to gravitate towards those that look clean and organised. A neat CV also conveys that you have good communication and presentation skills because you can synthesize a lot of information into a small form and make it visually and verbally appealing to the reader. Choose a layout that you like and that is reflective of you as a person.

Watch your wording

Use power verbs to start sentences. Don’t use “I” or “responsible for” — this phrase will make your CV sound like a position description. Do not take your old company or organisation job description and convert it to a CV.

Include as much contact info as you can

Address, name, (work, home and cell phones, clearly marked as such) and email(s) that you may be contacted on.

Include dates with every position listed

You can list month and year or even just year — but do not make the recruiter chase dates for you.

Outside impressions of content

Last, hand someone your CV and ask them to read it, then take it back from them after 20 seconds and ask them what it says and what their impression is. This will give you a good idea of what that all-important recruiter may think.

James Butler is Managing Director, EMEA/APAC of security recruitment firm SMR Group


Your CV remains a critical document in your job search
James Butler


SUPER SAVER WEEK

There’s still time to submit abstracts for the European Conference (www.asisonline.org/london) and we do want a good crop of speakers from the UK.

We are expecting in excess of 600 delegates at the Conference and ideally looking to top the 700 who attended The Hague in 2014.

If you’ve never attended an ASIS European Conference before, I encourage you to make time and allocate some budget to attend.

In addition to the c.40 speakers, plenary sessions and receptions, there are numerous networking opportunities where you will be mixing with delegates from 40 or 50 countries in an incredibly positive atmosphere.

We are trying to make the event as affordable as possible for members, especially those who are self-funding and we are working with the ASIS Brussels Bureau on a number of options.

One date for your diary is for Super Saver Week which will run between 19 - 26 October when there will be a chance to book at the best possible rate.

Following on from this the Early Booking Rate will run from 27 Oct 2015 - 3 March 2016.

There will also be the opportunity to pay in two instalments.


Lenel® Introduces ‘Lite’ Version of OnGuard® WATCH to Visualize Critical Security Data

Lenel Systems International, Inc. today announced the launch of OnGuard WATCH lite 1.0 across Europe, Middle East and Africa. WATCH lite is a free version of the comprehensive, Web-based dashboard tool for OnGuard system users. The dashboard discovers and presents security data to security & IT professionals in a whole new way — enabling them to visualize the information at once to allow for quicker decisions, rather than scanning multiple reports. Lenel products are offered through UTC Fire & Security UK, which is part of UTC Building & Industrial Systems, a unit of United Technologies Corp. (NYSE:UTX).

OnGuard WATCH lite places actionable information at the fingertips of key personnel. Users can monitor OnGuard system information through one graphical and intuitive interface to more efficiently manage the OnGuard system.

“OnGuard WATCH lite is a great way for existing users to get a flavor of the benefits of this new dashboard,” said James Wheeler, regional sales director, Lenel UK. “It helps them visualize important security data to get an overall snap-shot of OnGuard system performance — taking just seconds to understand system health. Additionally, it gives the user a sneak-peek into the new look and feel of the next generation of OnGuard systems, as well as underlying technologies such as the new Lenel Services Platform and evergreen browser support.”

With OnGuard WATCH lite, users can quickly view:

• Total counts of access panels, readers, inputs, outputs, cardholders, active badges, visitors and visits

• Basic system information about OnGuard and Windows operating system, SQL server versions and service packs

• Database backup details

• New badges created per day

• Alarms generated per day

• System performance such as CPU, memory usage, hard drive, peak usage

• Error logs

For additional ease of use, the date range can display a few days, months or years of captured data and deeper analysis can be conducted into hours and minutes.

OnGuard WATCH lite is free for customers with a valid software upgrade and support plan and is also available as a free 90 day trial for customers without a support plan. The full version of OnGuard WATCH will be available later this year through Lenel value-added resellers. For more information, visit www.lenel.com or follow @LenelSystems on Twitter.


COMPLIANCE

In today’s competitive and risk-prone business environment, security practitioners need to understand whether their current physical security and access management systems are capable enough to minimise or completely eliminate the risks caused by contractors. In spite of organisations hiring thousands of contractors to carry out different kinds of work, this is one area that is overlooked when it comes to identifying risk and minimising loss.

Contractors add great efficiency to the business as they bring specialised expertise to the job, but these contractors and third party vendors are not included in the same category as that of employees and hence are not subjected to the same set of policies as that of employees. Since they are an external entity, mostly they cannot be trusted at the same level as that of regular employees. They always pose a serious security threat to the organisation and hence need to be vetted properly using rigid policies.

Imagine how dangerous a hostile contractor could be for an organisation if they continue to have access to an area after being terminated. In this paper we discuss the value of a solution which helps organisations in managing the entire lifecycle of a contractor by automating processes around contractor requisition and approval, access and change management, badging, terminations, renewals and reactivations.

In an organisation that needs to hire and manage contractor identities and provide them with a badge and/or physical access, the following aspects are looked at (or should be) as part of the administrative process:

Are access entitlements of contractors correct and as per company policy?

Like employees, have contractors been properly vetted and trained before grant of access?

MANAGING COMPLIANCE AROUND PHYSICAL ACCESS MANAGEMENT FOR CONTRACTORS
Dr Vibhor Gupta

ASIS International - UK Chapter

Autumn Seminar - September 7th
Hosted by SOAS, University of London

Thornhaugh Street, Russell Square, London WC1H 0XG

14:00 Registration, Coffee, Networking
14:30 Chapter Business

SPEAKERS INCLUDE:

Corin Dennison CPP, Adidas
“Corporate Security – the balance between security and brand”

Frank Armstrong QPM – Former Assistant Commissioner CoLP

Dr Vibhor Gupta, Chapter Technology Lead
Emerging Trends in Security Technology – What’s Next?

Dave Clark CPP PSP, Francis Crick Institute
The Security Commonwealth - our turn. The Security Commonwealth, what this means to ASIS.

18:00 Drinks, canapés and networking in the heart of Bloomsbury – our host has also arranged exclusive access to their Japanese inspired roof garden, created in 2001 and dedicated to Forgiveness – also nearby is the Tavistock Square 7/7 Memorial on the railings outside the BMA. Members and guests will also have access to the Brunei Gallery Exhibition at SOAS.


Are contractors enrolled and terminated from security systems immediately upon contract expiration or their termination from contractor’s employer?

Is there a detailed audit trail available around access/badge requisition and approval process?

Existing Challenges around Contractor Access Management

“In our organisation, every department has its own database and process of hiring contractors with no audit trail into why someone got access to a restricted area.” – Director, Physical Security of leading global electronics manufacturer

Present mechanism of managing contractors involves several manual, redundant and paper/email based steps around on-boarding, background verification, training checks, role-based access determination and approval. These processes are executed in a disjointed sequence. The access related information is maintained in a paper/spreadsheet format and manual updates are made whenever changes are required. There is usually no proper way to make sure that the security policies are implemented properly as they are enforced manually in so many instances. Current methods usually fail to capture and manage details of various transactions pertaining to contractors such as who requested for the contractor, what was the request justification, who approved/denied the request and the reason for the decision. Maintaining details of this complete audit trail is a manual process and involves a lot of cost and time effort which still may not be accurate.

Additionally, security practitioners have a regular need to associate physical assets — metal keys, tokens, mobile phones, PCs, carts and more — with the contractors they are provisioning these to. Present methods of issuing and tracking of physical assets are manual leading to lost/stolen/missing assets.

Organisations are required to follow the same set of external regulations or internal standards for managing contractors like they have to for managing their own employees. However, the challenges in recording, monitoring and reporting specific details involve a significant level of effort, which are often manual in nature and error prone thereby exposing the organisation to a significant level of risk.

These problems are further compounded in larger organisations spread across multiple locations since each location has its own policy of hiring contractors, which seldom results in a multitude of databases. Due to the existence of such silos and the lack of a central database, security teams lack visibility and ability to take decisions around authentication, authorisation and physical access entitlements.

In order to assure compliance against external regulations and internal audit requirements while complying with cost pressures, there is a growing need in enterprises to optimize their access management processes and administrative tasks around contractors.

How to resolve these challenges around physical access management for Contractors?

The need of the hour is to have a policy-driven solution, which can automate all current manual processes for provisioning and de-provisioning of contractors and vendors, ensuring that accurate verification related to contractors is captured and stored within the system. A Physical Identity and Access Management (PIAM) solution follows this idea at its core. The basic capabilities of a PIAM solution in this regard are:

Centrally manage contractor data and make site-specific data available locally

Automate contractor management processes and provide a single web interface to allow sponsors to make requests for on-boarding and off-boarding of contractors and subsequently automate the approval workflow

Automate security policies governing contractor management and associated compliance. Provide audit ready reports and the ability to put internal controls into business processes to bring accountability and visibility in the security operation.

With a solid approach to PIAM, physical security practitioners can closely connect their physical and logical security infrastructures, quickly lowering operational costs, improving their compliance standing and lowering their overall level of risk.
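The administrative questions the article asks (entitlements within policy, vetting and training before access, removal on expiry or termination, a complete request and approval trail) become mechanical checks once the per-site contractor databases are read together. The Python below is an added illustration, not part of the article or of any PIAM product; the record layout, field names, role policy, site names and sample data are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Hypothetical role-to-zone policy; a real deployment would load its own.
ROLE_POLICY = {
    "hvac": {"plant-room", "loading-bay"},
    "cleaning": {"office-floor"},
}


@dataclass
class BadgeRecord:
    """One contractor entry as held in one site's access database."""
    contractor_id: str
    site: str
    role: str
    contract_end: date
    terminated: bool
    vetted: bool
    trained: bool
    badge_active: bool
    zones: set = field(default_factory=set)
    requested_by: Optional[str] = None
    approved_by: Optional[str] = None
    justification: Optional[str] = None


def audit(records, today):
    """Return {(contractor_id, site): [finding, ...]} for policy breaches."""
    by_person = defaultdict(list)
    for r in records:
        by_person[r.contractor_id].append(r)

    findings = {}
    for r in records:
        issues = []
        if r.badge_active:
            # Off-boarding: the badge must not outlive the engagement.
            if r.terminated:
                issues.append("badge active after termination")
            elif r.contract_end < today:
                issues.append("badge active after contract expiry")
            # Silo check: the same person is terminated in another site's data.
            other = sorted(o.site for o in by_person[r.contractor_id]
                           if o.terminated and o.site != r.site)
            if other:
                issues.append("terminated at other site: " + ", ".join(other))
            # On-boarding: vetting and training must precede access.
            if not (r.vetted and r.trained):
                issues.append("access before vetting/training complete")
            # Entitlements: zones must fall inside the role's policy.
            extra = sorted(r.zones - ROLE_POLICY.get(r.role, set()))
            if extra:
                issues.append("zones outside policy: " + ", ".join(extra))
            # Audit trail: who asked, who approved, and why.
            if not (r.requested_by and r.approved_by and r.justification):
                issues.append("incomplete audit trail")
        if issues:
            findings[(r.contractor_id, r.site)] = issues
    return findings


def sample_records():
    """Constructed sample data: two site databases read together."""
    full = dict(requested_by="facilities.lead", approved_by="security.mgr",
                justification="scheduled maintenance")
    return [
        BadgeRecord("C-100", "London", "hvac", date(2015, 12, 31), False,
                    True, True, True, {"plant-room"}, **full),
        BadgeRecord("C-101", "London", "cleaning", date(2015, 6, 30), False,
                    True, True, True, {"office-floor"}, **full),
        BadgeRecord("C-102", "Leeds", "cleaning", date(2015, 12, 31), True,
                    True, True, False, set(), **full),
        BadgeRecord("C-102", "London", "cleaning", date(2015, 12, 31), False,
                    True, True, True, {"office-floor", "server-room"}, **full),
        BadgeRecord("C-103", "Leeds", "hvac", date(2015, 12, 31), False,
                    False, True, True, {"plant-room"},
                    requested_by="site.supervisor"),
    ]


if __name__ == "__main__":
    result = audit(sample_records(), date(2015, 9, 7))
    for key, issues in sorted(result.items()):
        print(key, "->", "; ".join(issues))
```

The C-102 case is the one a single-site check cannot see: the Leeds database records the termination, while the London badge is still live.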

Examples (case studies) and Conclusion

A global technology company gained better control by consolidating multiple contractor databases into a PIAM solution

A large utility company in North America defined and enforced one set of policies for on-/off-boarding of contractors through a PIAM solution

Managing the lifecycle of contractors is complex but strategically important to achieve cost savings and ensure a more secure and risk-free workplace. Ensuring that contractors are managed confidently in a fair and consistent manner is important for the enterprises trying to increase performance and reduce costs. A PIAM solution offers a holistic approach to identity and access management by integrating logical security with physical security to secure the critical operating assets of an organisation.

Dr Vibhor Gupta, PhD
Technology Lead
ASIS UK Committee


MOBILE ACCESS

Merging Security and Conveniencewith Mobile Access

As companies merge security andconvenience at the door bytransforming smartphones and othermobile devices into trusted, easy-to-usedigital credentials that can replace keysand smart cards, there are certainthings to consider when choosing amobile access solution. To be certainthe solution works with the latestsmartphone technologies and is able toevolve with the mobile industry, itshould be rooted in a standards-basedcard technology that can be emulatedon a large number of mobile phones,tablets and wearables. To gainacceptance among employees andstudents, the user experience must beequal to that of physical cards. Firstimpressions last, and the solution maybe easily dismissed if it does not meetexpectations. The experience ofopening doors with mobile devicesmust be streamlined, intuitive andconvenient; the user should not berequired to perform too many steps. Aninteresting value proposition of mobileaccess is the possibility of sending andrevoking mobile identities in almost realtime, and for maximum benefit, themobile identity platform must bedesigned for administrator convenienceand efficiency. Mobile access presentsthe opportunity to dramatically alterhow we open doors and interact withour environment, and whenimplemented correctly, the future ofaccess control will come knocking.

Using a mobile device to gain access todifferent buildings is not only aboutsolving a particular problem. It is alsoabout doing things better, by embracingtechnological advances and delivering aconcept that will change how weinteract with readers and locks andopen doors using our mobile devices. Inthe era of mobility and cloudcomputing, enterprises and individualsare increasingly concerned about thesecurity and protection of their physicalenvironment. Correctly implemented,mobile access has the potential tochange how we open doors as it’s thefirst time in history we have a solutionwhich can increase both security andconvenience.

Technologies that support mobileaccess today

Confidence and education in the use ofcontactless applications and

technologies such as NFC, Bluetooth,mobile wallets, iBeam™ and iBeacon™are continuously growing and so is theunderstanding of what technologies arebest suited for mobile access control.No matter what the technology, mobiledevices offer an unparalleled way tochange the way we open doors.However, security administrators and ITdirectors will need to review whichmobile-related technologies will allowthem to best engage with theiremployees to create the optimal accessexperience on their premises.

Near Field Communication (NFC)

NFC was developed to address thedilemma of multiple contactlessstandards but its introduction intomobile devices has been less thansmooth. Emulating a contactless cardon a mobile device was up to veryrecently only possible via a SecureElement (SE), such as a SIM card. Anecosystem in the form of TrustedService Managers (TSM) had to besetup to support the SE centric modelwhich resulted in complex technicalintegrations and business modelswhich made it difficult to launchcontactless applications based on NFC.

In 2013 Google® introduced a new NFCfeature in Android™ 4.4 called Host-based Card Emulation (HCE). HCEallows a contactless card to beemulated in an App withoutdependencies on a SE. With HCE it ispossible to launch NFC services in ascalable and cost-effective way as longas a standards-based card technologyis used. Visa® and MasterCard® havereleased specifications on how to doVisa payWave® and MasterCardPayPass™ transactions using HCE, andHID Global® has launched a mobileaccess control solution with HCE basedon Seos. HCE will make NFC moreaccessible and versatile, so thatdevelopers will then expedite servicesto market which, in turn, will stimulateconsumer familiarity and encourageadoption. At the same time, however,the iPhone is a very popular device inthe enterprise segment and many areused in organisations around the worldtoday without NFC support. The numberof installed Android 4.4 devices isgrowing fast, but with the lack of NFC inthe iPhone 4 and iPhone 5, coupledwith the fact that NFC support in theiPhone 6 is currently only available forApplePay™, there is still questionablemarket penetration for HCE-based

solutions.

Bluetooth Smart

Bluetooth Smart was introduced intothe Bluetooth Standard in 2010 and,having gained a lot of traction inmarkets such as healthcare andfitness, is now finding its way into thepayment and coupon redemptionindustry. One of the success drivers forBluetooth Smart is the support thetechnology has received from Apple,who has supported Bluetooth Smartsince the iPhone 4S. Google addedBluetooth Smart to Android 4.3 and asof October 31, 2013, Bluetooth Smartis the only contactless technologycapable of supporting a service on thetwo major mobile operating systems,Android and iOS. Its low powerconsumption, eliminating the need forpairing and the long reading distancemakes Bluetooth Smart an interestingoption for mobile access control.

Bluetooth Smart

No requirement for pairing and low power consumption make Bluetooth Smart, combined with a standards-based contactless card technology, a good technology for enabling mobile access

Readers may be placed on the safe side of the door or hidden

Open doors from a distance as you park your car, or if you want to open the door for someone ringing the door bell

Configure readers including firmware with a Bluetooth Smart-enabled device (such as a phone or tablet)

Mobile operating systems with support for Bluetooth Smart

Click here to learn more about management and security considerations to help your organisation implement a comprehensive mobile access solution. In addition, gain further insights into mobile access trends.

Best Practices for Integrating Mobile into the Access Control Architecture
by Jaroslav Barton (Segment Director Physical Access Control EMEA at HID Global)


EDITORIAL


As I sit here with a large skinny latte (with vanilla syrup and a couple of biscotti) reflecting on the role of ASIS International and the UK Chapter in particular, I do take some pride in what we are all about, what we have achieved and are achieving.

Despite wicked rumours to the contrary I was not one of the original members when the organisation started sixty years ago (I cannot comment on my co-vice chairman Graham Bassett however), neither was I a member of the original European Chapter (44) nor a founder of what is now Chapter 208. In that sense I and the rest of the Chapter leadership are, as Sir Isaac Newton wrote, “standing on the shoulders of giants”.

However in the last few years we have built on the work of our predecessors both in the quality of the offerings to members (seminars, newsletter, certifications etc.) and also our standing within the profession and our relationships with other organisations.

Looking through the newsletter many of these relationships are obvious but, not being one to miss an opportunity, I wanted to take this moment to remind you of our reach.

We have a presence at many leading security events

• IFSEC
• Counter Terror Expo (now Security and Counter Terror Expo)
• Security TWENTY 15 (x4)
• Total Security Summit (x2)
• IIPSEC
• Transport Security Expo
• Global Resilience Summit
• National Association of Healthcare Security Conference
• Retail Crime Conference

We have regular editorial features in many of the top security publications

• Professional Security Magazine
• Risk UK
• City Security Magazine
• Security News Desk

Working with others we established the Joint Security Associations Fundraising Event (JSAFE) to raise much-needed money for relevant and worthwhile charities. This year the event is on 30th September.

The ASIS UK Chapter will be chairing the newly established Security Commonwealth for the next 6 months, working collegiately with other bodies.

As supporters of the Industry and Parliament Trust, members are able to attend events and discuss aspects that affect them with MPs, Peers, Civil Servants and other industry representatives.

The partnerships we have established with training providers offer members proved routes to achieve the ASIS Board Certified Qualifications: CPP, PCI and PSP.

Other educational offerings will follow.

We are also part of an international community of 38,000 security professionals and this network can prove invaluable to many.

With Conferences in the US, China and Middle East we have global coverage and that's without mentioning the European Conference which we have managed to attract back to the UK. This will be a tremendous event and we hope to see a huge number of UK members there.

The event will culminate in a reception at the House of Lords on 8th April 2016.

There are also webinars and other study programmes.

Members can contribute to over 30 Councils covering numerous verticals and sectors, work on standards and guidelines (all of which are available free of charge to members) or support the work of the ASIS Foundation.

Anyway, that’s enough from me and anyway my coffee is now at a drinkable temperature.

See you soon.

Mike Hurst

THOUGHTS FROM THE EDITOR


AUGUST 1914: ENGLAND IN PEACE AND WAR.

August 1914: England in Peace and War
Mark Rowe

Mark Rowe, perhaps better known to the security community as the editor of Professional Security Magazine, writes about his book, August 1914: England in Peace and War.

The title explains itself, I hope. I wanted to understand what life was like in that watershed month, that started as another summer month and ended with England up to its neck in a war in France it had never prepared for (does that sound familiar?). Were people then like us, or different? In some ways a century ago feels so very far in the past. Of all things, mobile phones feel as if they have made a difference. In some ways, 100 years is not at all distant; all my grandparents were alive then, for instance.

While my book tells everyday stories from diaries, letters and newspapers, some of it relates to security management and I will keep to that here. I was struck by how rough and dangerous life was. Children fell into canals; heavy and hot things in factories scalded and crushed workers; carts and trains ran you over; people at home tripped on steep stairs, even. Men seemed readier to start an argument and to settle it with their fists. Was there more crime? Hard to say – for a start, I reckon then and now much crime went unreported. Certainly England wasn’t the happy and united place some would like to believe – then or now. When the outbreak of war threw the economy out of joint and threw many out of work, the authorities feared the jobless might take to the countryside and cause trouble, and appointed special constables in a hurry.

England did have trouble-makers, who largely settled their differences in the larger crisis of August 1914: trade unionists, Irish republicans, and women campaigning for the vote. Suffragettes we are meant to look up to, as brave and on the right side of history. Reading newspapers of the time, I was struck by how discredited and disliked the suffragettes were. The very fact that they had turned to violence (hitting politicians with umbrellas, disrupting church services, breaking windows and throwing eggs) and, if anything, were becoming ever more extreme (building bombs, spoiling letters in postboxes, doing arson) was a sign that they had lost the argument and were turning into Britain’s first terrorists. I well remember reading at Lincoln county archives a booklet from the Met Police, a photo-parade of arrested women. The document writer had apologised because one of the women had only posed for a photo while sticking her tongue out. That said it all for me – these women were not only nasty and anti-social, but childish with it.

The Beverley war memorial with the name of Arthur Ross, one of 400 men from the East Riding county town who died in the 1914-18 war


The country was a kaleidoscope of all sorts, much as I imagine it had been in 1814, was in 2014, and will be in 2114. I pulled together not only the well-off and famous such as Winston Churchill (then widely hated or distrusted) and his frankly silly and needy sister-in-law Goonie, and the then unknown Alan Brooke, an Army officer who rose to become field-marshal in the next war, but diarists - a retired Gloucestershire teacher William Swift; a Northampton Methodist preacher, William Pickbourne; Arthur Ross, a member of the Church Lads Brigade in Beverley in East Yorkshire, keen to join the Army; besides the Staffordshire aristocrat’s son Gerald Legge. Ross was killed in France in 1918, Legge killed at Gallipoli in 1915.

Life could never be the same after August 1914. As the son of a Staffordshire railwayman, I never expected an earl’s son to be the hero in a book of mine, but what I wanted hardly came into it; I could only do what the evidence in front of me told me to do.

August 1914: England in Peace and War is published by Chaplin Books, price £11.99. Visit www.chaplinbooks.co.uk

Retail Crime & Loss Prevention 2015
Wednesday 30 September
Etc Venues, Dexter House, Tower Hill, London
Operational and Practical Solutions to Retail Crime

This year's BRC Retail Crime Survey has revealed that UK retailers are fighting a rising tide of organised theft in store. Combined with the dramatic increase in fraud and ecrime and the commonly perceived threat to businesses posed by cyber-attacks, this means that retailers are facing an increasingly sophisticated criminal.

The BRC Crime and Loss Prevention conference brings together retail security bosses, senior police representatives and business groups, providing an ideal forum for debating the major issues currently concerning all parties.

12th November 2015

Chelsea Football Club
Stamford Bridge
Fulham Road
London SW6 1HS

Featuring speakers with both a clinical and non-clinical background, the conference will enable delegates to network with colleagues from across the country.

The conference will be of particular interest to Healthcare Security Managers, Mental Health and Dementia Leads and those interested in methods that deal with challenging behaviour.


ASIS WOMEN IN SECURITY

This year, for the first time, the Chapter held two events at IFSEC, one focussing on the ASIS Board Level Certifications and Chartered Security Professional and the other an ASIS Women in Security Event.

Chapter WiS Lead, Dawn Holmes CPP was joined by Rowena Fell CPP and ASIS International main board director Godfried Hendricks CPP.

The event attracted women from a range of backgrounds, some well established in their careers with some others new to the sector.

Overall the event was a success and we hope to repeat it next year at IFSEC.

Other WiS events are being planned.

Neil Wainman CPP, again manning the stand at Security TWENTY 15, this time in Newcastle.

The next event is on 28 October 2015 at Heathrow.


TOTAL SECURITY SUMMIT


Former UK Chapter Convergence Lead and current Vice Chairman ASIS European Convergence/ESRM James Willison, has been appointed as Advisor on Convergence to the Mitie TSM Board.

James comments, “I am delighted to be working with Mitie and it is truly remarkable that they are developing ‘converged’ cyber physical strategies, partnerships and SMART technologies which demonstrate real leadership and capability in these areas.”

Total Security Summit is on 19th and 20th October 2015 at the Whittlebury Hall Hotel & Spa, Northants

It is an event for senior level security professionals to meet leading service providers face-to-face to discuss forthcoming projects in 2016/17.

Meet with specifically chosen suppliers who offer a range of products and services from CCTV to access control, from risk management to fire solutions and everything in between. The two-day programme is packed with inspiring and thought-provoking seminars as well as unrivalled networking opportunities.

Join suppliers already confirmed, which include Tyco, Axis, Atec, Gallagher, Traka and Cordant Security.

Attendance includes a VIP gala dinner, evening entertainment and overnight accommodation at the Whittlebury Hall Hotel.

To view the full seminar line up please click here. To confirm your place please book online. For more information or to secure your place at the Summit, please contact Alex King on 01992 374086 or [email protected]

FOR SUPPLIERS...

The Total Security Summit has a proven track record in delivering you quality buyers within the security industry.

Through a day-and-a-half of personally selected, tailor-made meetings, network with key decision-makers from companies ranging from Apple to Amazon, Morgan Stanley to Mulberry - all seeking suppliers for projects in 2016/17.

Packages include stands, electrics, Wi-Fi access, refreshments, meals and accommodation.

For the full buyer list, further information, costs and availability, please contact Nick Stannard on 01992 374092 or [email protected]


THE NEW WORLD OF CONVERGED SECURITY


Take the time to set and maintain robust user IDs and passwords in your video cameras. Equally important, don’t forget to delete the default user IDs and passwords set in the factory. There are only a handful of factory settings, and attackers know them all. If you don’t delete the default data, an attacker will be able to break into the cameras.

In addition, physical security devices contain programmed sets of rules that direct the operation of the device. For example, when an employee presents an access control card to a reader, the system is programmed to search the reader or the user database for the employee’s name and door permissions. If the employee’s name is in the database along with permission to access this door, the system will unlock it. No permission, no entry.

You have to protect the rules programmed into your devices by encrypting them. Attackers can access and re-write un-secured rules. There are several types of encryption used to protect rules. Whatever type you use, you must then secure the encryption itself against tampering.
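As an added illustration (not code from the article or from any vendor's product), the sketch below runs the card-and-door lookup described above with deny-by-default, and rejects a stored rule set that has been rewritten. It shows tamper detection with an HMAC-SHA256 tag rather than encryption; the badge IDs, door names and key are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample rule set: badge ID -> holder name and permitted doors.
RULES = {
    "badge-1001": {"name": "A. Example", "doors": ["lobby", "server-room"]},
    "badge-1002": {"name": "B. Sample", "doors": ["lobby"]},
}


def canonical(rules):
    """Serialise deterministically so identical rules always give the same tag."""
    return json.dumps(rules, sort_keys=True, separators=(",", ":")).encode()


def seal(rules, key):
    """Return the stored rule blob and its HMAC-SHA256 tag under the controller key."""
    blob = canonical(rules)
    return blob, hmac.new(key, blob, hashlib.sha256).digest()


def load_verified(blob, tag, key):
    """Parse the rules only if the tag matches; otherwise refuse to use them."""
    expected = hmac.new(key, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        raise ValueError("rule set failed integrity check")
    return json.loads(blob)


def decide(blob, tag, key, badge, door):
    """Deny by default: unlock only when a verified rule grants this door."""
    try:
        rules = load_verified(blob, tag, key)
    except ValueError:
        return "deny: rules tampered"
    entry = rules.get(badge)
    if entry is None:
        return "deny: unknown badge"
    if door not in entry["doors"]:
        return "deny: no permission"
    return "unlock"


# Constructed key; a real controller would hold it in protected storage,
# which is the "secure the encryption itself" step.
KEY = b"constructed-demo-key-not-for-use"
BLOB, TAG = seal(RULES, KEY)

# The stored rules after an edit made without the key: the old tag no longer matches.
REWRITTEN = BLOB.replace(b'["lobby"]', b'["lobby","server-room"]')

if __name__ == "__main__":
    print(decide(BLOB, TAG, KEY, "badge-1002", "lobby"))
    print(decide(REWRITTEN, TAG, KEY, "badge-1002", "server-room"))
```

The integrity tag is only as strong as the protection of the key, so a failed check should raise an alarm as well as keep the door locked.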

The IT department’s security people can help to protect the logical components of physical security technology. They will want to help — they will have an abiding interest in protecting physical security pathways onto the company network.

After installing and configuring physical security software, it is a good idea to have a qualified technician test the strength of the lock by trying to break in. If the tech can break in, so can a hacker. Start over.

Physical and IT security consultants can help with this task as well.

Helping To Defend IT

Just as the IT security people will help secure physical security devices to protect their network and data from attackers, the physical security people will help protect the IT system from becoming a path to physical security systems and devices.

One way physical security can help directly is to monitor for rogue hotspots while on patrol. Can security officers do that? Yes. With some training from IT, officers can carry inexpensive sensors that will sniff out hotspots passed during rounds. The IT security staff will know which locations are legitimate and which are not.
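An added example, not from the article, of how the readings from a patrol sensor could be checked against the list of legitimate access points that IT maintains. The allowlist, checkpoint names, signal threshold and patrol log are all constructed for the illustration.

```python
from dataclasses import dataclass

# Constructed allowlist supplied by IT: radio address (BSSID) -> (SSID, checkpoint).
AUTHORISED = {
    "02:00:00:aa:00:01": ("CorpNet", "lobby"),
    "02:00:00:aa:00:02": ("CorpNet", "warehouse"),
    "02:00:00:aa:00:03": ("CorpGuest", "lobby"),
}
CORPORATE_SSIDS = {ssid for ssid, _ in AUTHORISED.values()}

# Assumed threshold (dBm): at or above this the transmitter is treated as on site.
NEARBY_DBM = -65
SEVERITY = {"alert": 0, "investigate": 1, "log": 2}


@dataclass
class Sighting:
    location: str   # patrol checkpoint where the sensor logged the reading
    ssid: str       # network name being broadcast
    bssid: str      # radio hardware address
    rssi_dbm: int   # received signal strength


def classify(s):
    """Compare one sensor reading with IT's allowlist and return a verdict."""
    bssid = s.bssid.lower()
    strong = s.rssi_dbm >= NEARBY_DBM
    if bssid in AUTHORISED:
        ssid, home = AUTHORISED[bssid]
        if ssid != s.ssid:
            return "investigate: authorised radio, unexpected SSID"
        if home != s.location and strong:
            return "investigate: authorised AP strong at wrong location"
        return "ok"
    if s.ssid in CORPORATE_SSIDS:
        return "alert: corporate SSID from unknown radio"
    if strong:
        return "investigate: unknown hotspot with strong signal"
    return "log: weak unknown hotspot, likely neighbouring"


def triage(sightings):
    """Return (verdict, sighting) pairs that need attention, most urgent first."""
    flagged = [(classify(s), s) for s in sightings]
    flagged = [f for f in flagged if f[0] != "ok"]
    return sorted(flagged, key=lambda f: SEVERITY[f[0].split(":")[0]])


# Constructed readings from one round.
PATROL_LOG = [
    Sighting("lobby", "CorpNet", "02:00:00:AA:00:01", -48),
    Sighting("warehouse", "FreeWiFi", "02:00:00:cc:00:04", -50),
    Sighting("car-park", "CafeNextDoor", "02:00:00:dd:00:07", -82),
    Sighting("car-park", "CorpNet", "02:00:00:bb:00:09", -55),
    Sighting("warehouse", "CorpGuest", "02:00:00:aa:00:03", -52),
]

if __name__ == "__main__":
    for verdict, s in triage(PATROL_LOG):
        print(f"{s.location:10} {s.ssid:14} {s.bssid}  {verdict}")
```

Radio addresses can be copied, so an "ok" verdict means only that nothing looked out of place; the flagged entries are the ones to pass to IT.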

In the IT department itself, new and better tools can detect and mitigate attacks on the network. Some attacks may even be stopped before serious damage occurs.

A physical fence protects the perimeter of a company’s plant, while firewall technology protects the perimeter of the IT network. In fact, multiple layers of firewalls protect departments.

Today’s advanced firewalls and other security tools also enable administrators to watch network traffic and spot threats as they arise, whether by a hacker or unwitting user being compromised.

As a further precaution, purchasing managers should focus on vendors that provide security for the devices they sell — computers, servers and monitors — any device that connects to the network. As noted earlier, physical security devices must have inherent security as well.

For large networks at risk from debilitating denial of service attacks, current defensive software applications can spot intrusions almost as they occur and talk to filtering applications located at ISP sites. The filters can block the bad data and pass the good data through, thereby maintaining the normal flow of business.

Needed: More Security

In today’s era of convergence, the security profile of a facility is dramatically different.

Physical and logical security professionals have always tried to provide the least amount of security necessary. After all, too much security slows down the pace of business coming through the doors and travelling across the network.

While minimum security remains the goal, convergence has created a host of new opportunities for internal and external hackers and criminals to find and take advantage of vulnerabilities.

Plugging these new holes takes more security efforts. How much more security does this require? Security professionals are looking for that point, but it is difficult to find today, at the beginning of this new era.

Not long ago, for instance, a system operator in a large multinational company came up with an astoundingly anti-secure idea. He outsourced his job to an individual working in another country known for providing outsourcing services.

The sysop surfed to a website offering outsourcing services and hired someone to do his work for a small percentage of his salary. He provided this individual with his user name and password — a major security breach — and trained him to do his job.

Next, the employee installed a webcam and created a virtual private network. He secured the VPN with a VPN token and started a pornography business. He collected pornography from online sites and sold it to customers that he rounded up.

This has happened a number of times in recent years. Some have started pornography businesses. Others have come up with more tame business ideas. Whatever the business, employees that outsource their jobs not only commit fraud against their employers, but they also create major security breaches that can cost their employers a bundle.

Convergence has made a whole new set of security problems possible, making more and more security necessary. How much security is necessary in the era of convergence? Wherever the line gets drawn, it will be at a level higher than it has ever been before.

Dave N. Tyson, CPP CISSP is President of ASIS International and Senior Director, Global Information Security for SC Johnson & Son, Inc.

continued from page 1


DUTY OF CARE

TheSMA’S New Flexible ASIS CPP Preparation Programme is Proving a Success

Since TheSMA launched their new ASIS Studyflex programmes this Spring, security managers have been taking advantage of the flexible approach to studying for the CPP exam.

Achieving this high level certification is a big undertaking and many find that following a formal distance learning and classroom review programme seems to offer the best route to success. However, finding the time to complete the required number of hours study can prove difficult, and at times impossible, when assignment submissions and classroom dates are fixed. By enrolling on the TheSMA Studyflex programme, however, students have a full twelve months to complete their studies at their own pace.

Currently enrolled on the 2015 programme are security professionals from well-known public and private sector organisations, including some based in high-risk countries such as Afghanistan and Iraq. Several of these professionals have found that extremely challenging roles and changing company priorities have meant that they have had neither the opportunity to complete the required assignments on time, nor to attend the scheduled classroom reviews. The option to postpone the submission of assignments or re-schedule classroom reviews has therefore proved invaluable, allowing students to combine effectively their studies with their day job.

With full support from our training team, headed up by CPP mentor, Barry Vincent, MA, MSc, CPP, PCI, FSyI, students on the Studyflex programme are able to work to a timetable that best suits them. Whether putting the course on hold for a while; taking extra time to submit an assignment, or having a choice of classroom review dates, this flexible approach is designed to offer maximum support for ultimate success in the exam.

Recognising that not everyone has the same learning styles, TheSMA continues to offer our two week intensive exam preparation programme, catering for those who prefer a fast track to sitting the exam.

For further details on any of our ASIS Exam Preparation Programmes, please contact Caroline Bashford, Director of Training at TheSMA [email protected] or on +44 1491 699685.

The Joint Security Annual Fundraising Event will be held on 30th September 2015 at the Grange City Hotel, a spectacular five star venue. The Hotel is one of the best in the city with the Roman Wall running through the bar terrace and views overlooking the Tower of London and Tower Bridge. This will be a prestigious black tie event, and will provide those attending the perfect opportunity to network with colleagues, entertain guests or simply enjoy a relaxed atmosphere, whilst at the same time helping to support two outstandingly worthwhile charities.

The ticket price of £85 includes pre-dinner welcome champagne, 4 course dinner (including a cheese platter) and bottles of wine on the table.

We will hope to raise money to split equally between the two children based charities. These two worthy charities are:

The City of London Police Charity for Children and

Embrace Child Victims of Crime
