How Corporate Security Changed After 9/11

John M. McCarthy
Managing Partner
Business Security Advisory Group
www.bsag-cso.com

The Business Security Advisory Group (BSAG) specializes in a broad range of corporate security consulting services including: business continuity, risk assessment and management, regulatory compliance, strategic security planning and policy development.

Getting Ahead of the Problems

- Corporate Security’s responsibilities prior to 9/11
- Corporate Security’s responsibilities post 9-11
- Laws and regulations regulating the security industry post 9/11
- Corporate Security in the 21st Century

- Investigations – violation of corporate policy and other corporate crimes
- Physical security – gates, guards, guns
- Executive protection – ensuring top executives and families were secure
- Corporate Security generally a middle management responsibility
- Corporate Security generally thought of as the “Corporate Cop”
- Corporate Security plans and programs generally responsive or reactive to immediate incidents – no long term planning
- Mostly reactive – incident happens, security responds – fire house mentality
- Stove Pipe thinking – Security programs sometimes contrary to Business Unit’s business plans and goals
- Law Enforcement Driven – security goal must be attained at all costs – no priorities

September 10, 2001

September 11, 2001

- Three thousand civilians murdered
- $80 billion in losses
- 11 million people in developing countries pushed into poverty.
- Financial markets closed
- Air transportation system grounded

- Mail Processing – 86%
- Travel – 85%
- Protection of Employees – 79%
- Protection of Infrastructure – 75%
- Risk Assessment – 71%
- Protection of Offices and Physical Plants – 69%
- Employee Morale – 69%
- Supply Chain Distribution – 51%
- Customer Security – 50%
- Productivity – 47%

*3 Booz, Allen, Hamilton Survey – 11/01

- Corporate Security gets the attention of Executive Management
- Corporate Security seen as a resource to the company, not as a necessary evil
- Corporate Security an advisor to Executive Management and Business Units concerning comprehensive security programs for personnel and corporate asset protection
- Corporate Security reports to the “C” suite in many companies and is no longer a mid-level executive responsibility
- Corporate security executives become more business oriented in management style and program content
- Corporate Security becomes an enterprise function of the company
- Emergency plans include crisis management, disaster recovery and business continuity developed in a proactive environment
- Corporate Security executives now craft strategic and tactical security plans for business units.
- Plans and programs consider business goals and budgets
- All corporate security plans and programs are more proactive and include prevention of terrorist attack
- The Public Sector recognizes its greater responsibility to protect its citizens and assets
- Corporate Security deals more with federal, state and local officials as security regulations exponentially increase
- Public and private partnerships flourish as both attempt to craft meaningful emergency proactive plans, protective processes, security laws and regulations
- Corporate security plans and programs develop a legal compliance component as corporations comply with the new mandated legislation
- Corporate Security’s programs are more restrictive and costly as both terrorism and legislative compliance are emphasized

Legislation*

- Access to Information Act
- Arming Pilots Against Terrorism Act
- Aviation and Transportation Security Act
- Bank Protection Act of 1968
- Canada's Bill C-6
- Children's Online Privacy Protection Act (COPPA)
- Corporate Manslaughter and Corporate Homicide Act 2007 (UK)
- Customs Modernization Act
- Cyber Security Enhancement Act of 2002
- CyberCrime Treaty
- E-Signature Act
- European Union Data Protection Directive
- Executive Order 12958 – Information Sharing
- Executive Order 13224 – Doing Business w/ Terrorists
- Executive Order 13231 – Infrastructure Protection
- Executive Order 13234 – Citizen Preparedness
- Family Educational Rights and Privacy Act
- Federal Anti-Tampering Act
- Federal Computer Security Bill – H.R. 1259
- Federal Hazardous Materials Law
- Foreign Corrupt Practices Act
- Homeland Security Act
- International Emergency Economic Powers Act
- Maritime Transportation Security Act of 2002
- National Information Infrastructure Protection Act
- Notification and Federal Employee Anti-Discrimination and Retaliation Act
- Patriots Act
- Personal Information Protection and Electronic Documents Act
- Presidential Directive 2
- Presidential Directive 3
- Presidential Directive 7
- Presidential Directive 8
- Public Health Security and Bioterrorism Preparedness & Response Act
- Robinson-Patman Anti-Trust Act
- Safe Explosives Act
- Safe Harbor Act
- The Occupational Safety and Health Act
- The Currency and Foreign Transactions Reporting Act
- Title 18 - Federal Sentencing Guidelines
- Trade Act of 2002
- US Global Anti-Corruption Policy
- US The Currency and Foreign Transactions Reporting Act
- USA PATRIOT Act
- Voluntary Private Sector Preparedness Accreditation and Certification Program

*Above information furnished by Security Executive Council

Executive Orders*1

Executive Order 12958 - Information Sharing
  Brief Description: Prescribed a uniform system for classifying, safeguarding and declassifying national security information
  Citation: EO12958
  Effective Date: Apr. 2001
  Website: http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=1995_register&docid=fr20ap95-135.pdf

Executive Order 13224 - Doing Business w/ Terrorists
  Brief Description: Blocks property and prohibits transactions with persons who commit, threaten to commit, or support terrorism
  Citation: EO13224
  Effective Date: Sept. 2001
  Website: http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=2001_register&docid=fr25se01-133.pdf

Executive Order 13231 - Infrastructure Protection
  Brief Description: Establishes a protection program to safeguard information systems for critical infrastructure
  Citation: EO13231
  Effective Date: Oct. 2001
  Website: http://www.whitehouse.gov/news/orders/

Executive Order 13234 - Citizen Preparedness
  Brief Description: Establishes a Presidential Task Force on citizen preparedness in the war on terrorism
  Citation: EO13234
  Effective Date: Nov. 2001
  Website: http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=2001_register&docid=fr15no01-130.pdf

Presidential Directive 2
  Brief Description: Seeks to combat terrorism through Immigration Policies; creates the Foreign Terrorist Tracking Task Force
  Citation: NSPD-2
  Effective Date: Oct. 2001
  Website: http://www.whitehouse.gov/news/releases/2001/10/20011030-2.html

Presidential Directive 3
  Brief Description: Design system to create a common vocabulary, context, and structure for ongoing national discussion about the nature of the threats to US and the appropriate measures that should be taken in response
  Citation: HSPD-3
  Website: http://www.whitehouse.gov/news/releases/2002/03/print/20020312-5.html

Presidential Directive 7
  Brief Description: Established national policy for Federal departments and agencies to identify and prioritize US critical infrastructure and key resources and to protect them against terrorist attacks
  Citation: HSPD-7
  Effective Date: Dec. 2003
  Website: http://www.whitehouse.gov/news/releases/2003/12/print/20031217-5.html

Presidential Directive 8
  Brief Description: Established policies to strengthen preparedness of US to prevent and respond to threatened or actual terrorist attacks--requires national domestic all-hazards preparedness goal
  Citation: HSPD-8
  Effective Date: Dec. 2003
  Website: http://www.whitehouse.gov/news/releases/2003/12/print/20031217-5.html

Statutes*1

Homeland Security Act (incorporated Executive Orders above)
  Brief Description: Establishes new Department of Homeland Security, reorganization plan
  Responsible Government Department: Dept. of Homeland Security
  Citation: H.R. 5005; Pub.L. 107-296
  Effective Date: Nov. 2002
  Website: http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&docid=f:publ296.107.pdf

Foreign Corrupt Practices Act (FCPA)
  Brief Description: Prohibits corrupt payments to foreign officials for the purpose of obtaining or keeping business.
  Responsible Government Department: Dept. of Justice
  Citation: 15 U.S.C. § 78dd-1, 78dd-2
  Effective Date: 1977 (amended 1998)
  Website: http://www.usdoj.gov/criminal/fraud/fcpa.html

Cyber Security Enhancement Act of 2002
  Brief Description: Established stronger sentencing guidelines and policy statements to reflect the serious nature of certain computer crimes
  Responsible Government Department: Dept. of Homeland Security
  Citation: 6 U.S.C. § 145
  Effective Date: Nov. 2002
  Website: http://www4.law.cornell.edu/uscode/6/145.html

Federal Anti-Tampering Act (FAT)
  Brief Description: Establishes criminal penalties for tampering, or attempting to tamper, with any consumer product that affects interstate or foreign commerce
  Responsible Government Department: Dept. of Health and Human Services (FDA)
  Citation: 18 U.S.C. § 1365
  Effective Date: Nov. 2003
  Website: http://www4.law.cornell.edu/uscode/18/1365.html

International Emergency Economic Powers Act (IEEPA)
  Brief Description: Incorporates multiple executive orders re: economic actions against adverse countries (Burma, Sudan, Iraq, etc.)
  Responsible Government Department: Dept. of Homeland Security
  Citation: 50 U.S.C. § 1701 et seq.
  Effective Date: Nov. 2003
  Website: http://www4.law.cornell.edu/uscode/50/1701.html

National Information Infrastructure Protection Act
  Brief Description: Provides for stricter penalties to protect confidentiality, integrity and availability of systems and information
  Responsible Government Department: Dept. of Homeland Security
  Citation: 18 U.S.C. § 1030
  Effective Date: Jan. 1997
  Website: http://www4.law.cornell.edu/uscode/18/1030.html

Public Health Security and Bioterrorism Preparedness & Response Act (PHSBPR)
  Brief Description: Establishes national, state and local preparedness and response strategies, and procedures to protect US food, water, and drug supplies
  Responsible Government Department: Dept. of Homeland Security (DHHS)
  Citation: H.R. 3448; Pub. L. 107-188
  Effective Date: Jan. 2002
  Website: http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&docid=f:publ188.107

USA PATRIOT Act (a.k.a. Anti-Terrorism Act)
  Brief Description: Enhances powers to both domestic law enforcement and international intelligence agencies to deter and punish terrorism
  Responsible Government Department: Dept. of Homeland Security
  Citation: H.R. 3162; Pub.L. 107-56
  Effective Date: Oct. 2001
  Website: http://www.eff.org/Privacy/Surveillance/Terrorism/hr3162.php

Maritime Transportation Security Act of 2002 (MTSA)
  Brief Description: Requires sectors of maritime industry to complete security assessments, develop security plans and implement security measures and procedures.
  Responsible Government Department: Dept. of Homeland Security (U.S. Coast Guard)
  Citation: 46 U.S.C. § 2101 et seq.; Pub.L. 107-295
  Effective Date: Nov. 2002
  Website: http://www4.law.cornell.edu/uscode/46/2101.html

Federal Hazardous Materials Law
  Brief Description: Establishes regulations for transport of hazardous materials via all modes
  Responsible Government Department: Dept. of Homeland Security (DOT)
  Citation: 49 U.S.C. § 5101 et seq.
  Effective Date: Jan. 1983 (amended last in 1999)
  Website: http://www4.law.cornell.edu/uscode/49/stIIIch51.html

Trade Act of 2002
  Brief Description: Gave the president increased authority to make it easier to trade with other countries; also sought to protect workers displaced by jobs moving abroad
  Responsible Government Department: Dept. of Homeland Security (Customs)
  Citation: Public Law 107-210
  Effective Date: Aug. 2002
  Website: http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&docid=f:publ210.107

Notification and Federal Employee Anti-Discrimination and Retaliation Act (No FEAR Act)
  Brief Description: Mandates that Federal Agencies be more accountable for violations of anti-discrimination and whistleblower protection laws
  Responsible Government Department: Dept. of Homeland Security
  Citation: 5 U.S.C. § 2302 et. seq.; Pub.L. 107-174
  Effective Date: Oct. 2003
  Website: http://www4.law.cornell.edu/uscode/5/2302.html

Customs Modernization Act (Mod Act) (Passed as part of NAFTA)
  Brief Description: Sets out specific rules and requirements for importers, brokers, and others regarding recordkeeping
  Responsible Government Department: Dept. of Homeland Security (Customs)
  Citation: H.R. 3450; Pub. L 103-182
  Effective Date: Jan. 1993
  Website: http://thomas.loc.gov/cgi-bin/query/C?c103:./temp/~c103xXsW4u

Arming Pilots Against Terrorism Act (Sec. 1401 of Homeland Security Act)
  Brief Description: Establishes a program to deputize pilots
  Responsible Government Department: Dept. of Homeland Security (DOT)
  Citation: Pub.L 107-296
  Effective Date: Nov. 2002
  Website: http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&docid=f:publ296.107.pdf

Aviation and Transportation Security Act (ATSA)
  Brief Description: Established Transportation Security Association and centralized security system for the transportation industry
  Responsible Government Department: Dept. of Homeland Security (DOT)
  Citation: S. 1447; Pub. L 107-71
  Effective Date: Nov. 2001
  Website: http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&docid=f:publ071.107.pdf

Safe Explosives Act (Sec. 1122 of Homeland Security Act)
  Brief Description: Amended section 18 USC 842(i) by adding several categories to list of persons who may not lawfully ship, transport, or receive explosives in/out of US
  Responsible Government Department: Dept. of Homeland Security (DOT)
  Citation: PL 107-296
  Effective Date: Nov. 2002
  Website: http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&docid=f:publ296.107.pdf

*1 Above information furnished by the Security Executive Council

- Vicarious corporate executive liability for violation of some of the criminal and environmental laws
- Civil liability in money damages for tort law violations
- Criminal liability for companies and employees in foreign venues for violations of international laws and regulations
- Overarching federal statutes either mandate or furnish guidelines for fines and/or punishment for violation of statutes and regulations

- Corporate Security executives will be law enforcement and business qualified and also possess some technical security and management ability
- Chief Security Officer will report to Executive Management and have complete unfettered access to the “C” suite
- Corporate Security will have an enterprise component and deal with security matters in a manner business executives will understand
- Corporate Security plans and programs will be mostly pro-active and preventative, anticipating security challenges and emergencies before they occur
- Corporate Security will use the team concept and interact with all the business units and service departments to ensure cost effective corporate security policy is practically implemented company wide.
- Corporate Security plans and programs will have to deal with the reality of government regulation and develop innovative methods to keep current with the laws and effect compliance
- Develop innovative methods to ensure security solutions are as multi-faceted as possible so that the cost and compliance components can be spread among other business units
- Corporate Security will re-orient its goals from strictly law enforcement objectives to ones that include a business component, e.g. provide metrics for security services that:
  - Increase profitability
  - Reduce costs
  - Enhance the brand
  - Improve customer relationships
  - Reduce employee attrition

- Drug Testing Programs
- Employee Reduction Programs
- Investigative and Interview Training
- Background Inquiries
- Expatriate Mobilization Programs
- Workplace Violence Programs
- Crisis Management Programs
- Security Awareness Programs
- Domestic and Global Evacuation Programs

QUESTIONS?