How Corporate Security Changed After 9/11

John M. McCarthy, Managing Partner, Business Security Advisory Group, www.bsag-cso.com

Page 2

The Business Security Advisory Group (BSAG) specializes in a broad range of corporate security consulting services, including:

Business continuity, risk assessment and management, regulatory compliance, strategic security planning and policy development.

Getting Ahead of the Problems

www.bsag-cso.com

Page 3

Corporate Security’s responsibilities prior to 9/11

Corporate Security’s responsibilities post 9/11

Laws and regulations regulating the security industry post 9/11

Corporate Security in the 21st Century

Page 4

Investigations – violation of corporate policy and other corporate crimes

Physical security – gates, guards, guns

Executive protection – ensuring top executives and families were secure

Page 5

Corporate Security generally a middle management responsibility

Corporate Security generally thought of as the “Corporate Cop”

Corporate Security plans and programs generally responsive or reactive to immediate incidents – no long term planning

Page 6

Mostly reactive: incident happens, security responds – fire house mentality

Stove Pipe thinking – Security programs sometimes contrary to Business Unit’s business plans and goals

Law Enforcement Driven – security goal must be attained at all costs – no priorities

Page 7

September 10, 2001 September 11, 2001

Page 8

Three thousand civilians murdered

$80 billion in losses

11 million people in developing countries pushed into poverty

Financial markets closed

Air transportation system grounded

Page 9

Mail Processing – 86%

Travel – 85%

Protection of Employees – 79%

Protection of Infrastructure – 75%

Risk Assessment – 71%

Protection of Offices and Physical Plants – 69%

Employee Morale – 69%

Supply Chain Distribution – 51%

Customer Security – 50%

Productivity – 47%

*3 Booz, Allen, Hamilton Survey – 11/01

Page 10

Corporate Security gets the attention of Executive Management

Corporate Security seen as a resource to the company not as a necessary evil

Corporate Security an advisor to Executive Management and Business Units concerning comprehensive security programs for personnel and corporate asset protection

Page 11

Corporate Security reports to the “C” suite in many companies and is no longer a mid-level executive responsibility

Corporate security executives become more business oriented in management style and program content

Corporate Security becomes an enterprise function of the company

Page 12

Emergency plans include crisis management, disaster recovery and business continuity developed in a proactive environment

Corporate Security executives now craft strategic and tactical security plans for business units.

Plans and programs consider business goals and budgets

All corporate security plans and programs are more proactive and include prevention of terrorist attack

Page 13

The Public Sector recognizes its greater responsibility to protect its citizens and assets

Corporate Security deals more with federal, state and local officials as security regulations exponentially increase

Public and private partnerships flourish as both attempt to craft meaningful emergency proactive plans, protective processes, security laws and regulations

Page 14

Corporate security plans and programs develop a legal compliance component as corporations comply with the new mandated legislation

Corporate Security’s programs are more restrictive and costly as both terrorism and legislative compliance are emphasized

Page 15

Legislation*

Access to Information Act
Arming Pilots Against Terrorism Act
Aviation and Transportation Security Act
Bank Protection Act of 1968
Canada's Bill C-6
Children's Online Privacy Protection Act (COPPA)
Corporate Manslaughter and Corporate Homicide Act 2007 (UK)
Customs Modernization Act
Cyber Security Enhancement Act of 2002
CyberCrime Treaty
E-Signature Act
European Union Data Protection Directive
Executive Order 12958 – Information Sharing
Executive Order 13224 – Doing Business w/ Terrorists
Executive Order 13231 – Infrastructure Protection
Executive Order 13234 – Citizen Preparedness

Page 16

Legislation (Continued)

Family Educational Rights and Privacy Act
Federal Anti-Tampering Act
Federal Computer Security Bill – H.R. 1259
Federal Hazardous Materials Law
Foreign Corrupt Practices Act
Homeland Security Act
International Emergency Economic Powers Act
Maritime Transportation Security Act of 2002
National Information Infrastructure Protection Act
Notification and Federal Employee Anti-Discrimination and Retaliation Act
Patriots Act
Personal Information Protection and Electronic Documents Act

Page 17

Legislation (Continued)

Presidential Directive 2
Presidential Directive 3
Presidential Directive 7
Presidential Directive 8
Public Health Security and Bioterrorism Preparedness & Response Act
Robinson-Patman Anti-Trust Act
Safe Explosives Act
Safe Harbor Act
The Occupational Safety and Health Act
The Currency and Foreign Transactions Reporting Act
Title 18 - Federal Sentencing Guidelines
Trade Act of 2002
US Global Anti-Corruption Policy
US The Currency and Foreign Transactions Reporting Act
USA PATRIOT Act
Voluntary Private Sector Preparedness Accreditation and Certification Program

*Above information furnished by Security Executive Council

Page 18

Executive Orders*1

| Common Name | Brief Description | Citation | Effective Date | Website |
|---|---|---|---|---|
| Executive Order 12958 - Information Sharing | Prescribed a uniform system for classifying, safeguarding and declassifying national security information | EO12958 | Apr. 2001 | http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=1995_register&docid=fr20ap95-135.pdf |
| Executive Order 13224 - Doing Business w/ Terrorists | Blocks property and prohibits transactions with persons who commit, threaten to commit, or support terrorism | EO13224 | Sept. 2001 | http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=2001_register&docid=fr25se01-133.pdf |
| Executive Order 13231 - Infrastructure Protection | Establishes a protection program to safeguard information systems for critical infrastructure | EO13231 | Oct. 2001 | http://www.whitehouse.gov/news/orders/ |
| Executive Order 13234 - Citizen Preparedness | Establishes a Presidential Task Force on citizen preparedness in the war on terrorism | EO13234 | Nov. 2001 | http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=2001_register&docid=fr15no01-130.pdf |
| Presidential Directive 2 | Seeks to combat terrorism through Immigration Policies; creates the Foreign Terrorist Tracking Task Force | NSPD-2 | Oct. 2001 | http://www.whitehouse.gov/news/releases/2001/10/20011030-2.html |
| Presidential Directive 3 | Design system to create a common vocabulary, context, and structure for ongoing national discussion about the nature of the threats to US and the appropriate measures that should be taken in response | HSPD-3 | | http://www.whitehouse.gov/news/releases/2002/03/print/20020312-5.html |
| Presidential Directive 7 | Established national policy for Federal departments and agencies to identify and prioritize US critical infrastructure and key resources and to protect them against terrorist attacks | HSPD-7 | Dec. 2003 | http://www.whitehouse.gov/news/releases/2003/12/print/20031217-5.html |
| Presidential Directive 8 | Established policies to strengthen preparedness of US to prevent and respond to threatened or actual terrorist attacks; requires national domestic all-hazards preparedness goal | HSPD-8 | Dec. 2003 | http://www.whitehouse.gov/news/releases/2003/12/print/20031217-5.html |

Page 19

Statutes*1

| Common Name | Brief Description | Responsible Government Department | Citation | Effective Date | Website |
|---|---|---|---|---|---|
| Homeland Security Act (incorporated Executive Orders above) | Establishes new Department of Homeland Security, reorganization plan | Dept. of Homeland Security | H.R. 5005; Pub.L. 107-296 | Nov. 2002 | http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&docid=f:publ296.107.pdf |
| Foreign Corrupt Practices Act (FCPA) | Prohibits corrupt payments to foreign officials for the purpose of obtaining or keeping business. | Dept. of Justice | 15 U.S.C. § 78dd-1, 78dd-2 | 1977 (amended 1998) | http://www.usdoj.gov/criminal/fraud/fcpa.html |
| Cyber Security Enhancement Act of 2002 | Established stronger sentencing guidelines and policy statements to reflect the serious nature of certain computer crimes | Dept. of Homeland Security | 6 U.S.C. § 145 | Nov. 2002 | http://www4.law.cornell.edu/uscode/6/145.html |
| Federal Anti-Tampering Act (FAT) | Establishes criminal penalties for tampering, or attempting to tamper, with any consumer product that affects interstate or foreign commerce | Dept. of Health and Human Services (FDA) | 18 U.S.C. § 1365 | Nov. 2003 | http://www4.law.cornell.edu/uscode/18/1365.html |

Page 20

Statutes*1

| Common Name | Brief Description | Responsible Government Department | Citation | Effective Date | Website |
|---|---|---|---|---|---|
| International Emergency Economic Powers Act (IEEPA) | Incorporates multiple executive orders re: economic actions against adverse countries (Burma, Sudan, Iraq, etc.) | Dept. of Homeland Security | 50 U.S.C. § 1701 et seq. | Nov. 2003 | http://www4.law.cornell.edu/uscode/50/1701.html |
| National Information Infrastructure Protection Act | Provides for stricter penalties to protect confidentiality, integrity and availability of systems and information | Dept. of Homeland Security | 18 U.S.C. § 1030 | Jan. 1997 | http://www4.law.cornell.edu/uscode/18/1030.html |
| Public Health Security and Bioterrorism Preparedness & Response Act (PHSBPR) | Establishes national, state and local preparedness and response strategies, and procedures to protect US food, water, and drug supplies | Dept. of Homeland Security (DHHS) | H.R. 3448; Pub. L. 107-188 | Jan. 2002 | http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&docid=f:publ188.107 |
| USA PATRIOT Act (a.k.a. Anti-Terrorism Act) | Enhances powers to both domestic law enforcement and international intelligence agencies to deter and punish terrorism | Dept. of Homeland Security | H.R. 3162; Pub.L. 107-56 | Oct. 2001 | http://www.eff.org/Privacy/Surveillance/Terrorism/hr3162.php |

Page 21

Statutes*1

| Common Name | Brief Description | Responsible Government Department | Citation | Effective Date | Website |
|---|---|---|---|---|---|
| Maritime Transportation Security Act of 2002 (MTSA) | Requires sectors of maritime industry to complete security assessments, develop security plans and implement security measures and procedures. | Dept. of Homeland Security (U.S. Coast Guard) | 46 U.S.C. § 2101 et seq.; Pub.L. 107-295 | Nov. 2002 | http://www4.law.cornell.edu/uscode/46/2101.html |
| Federal Hazardous Materials Law | Establishes regulations for transport of hazardous materials via all modes | Dept. of Homeland Security (DOT) | 49 U.S.C. § 5101 et seq. | Jan. 1983 (amended last in 1999) | http://www4.law.cornell.edu/uscode/49/stIIIch51.html |
| Trade Act of 2002 | Gave the president increased authority to make it easier to trade with other countries; also sought to protect workers displaced by jobs moving abroad | Dept. of Homeland Security (Customs) | Public Law 107-210 | Aug. 2002 | http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&docid=f:publ210.107 |
| Notification and Federal Employee Anti-Discrimination and Retaliation Act (No FEAR Act) | Mandates that Federal Agencies be more accountable for violations of anti-discrimination and whistleblower protection laws | Dept. of Homeland Security | 5 U.S.C. § 2302 et seq.; Pub.L. 107-174 | Oct. 2003 | http://www4.law.cornell.edu/uscode/5/2302.html |

Page 22

Statutes*1

| Common Name | Brief Description | Responsible Government Department | Citation | Effective Date | Website |
|---|---|---|---|---|---|
| Customs Modernization Act (Mod Act) (Passed as part of NAFTA) | Sets out specific rules and requirements for importers, brokers, and others regarding recordkeeping | Dept. of Homeland Security (Customs) | H.R. 3450; Pub. L 103-182 | Jan. 1993 | http://thomas.loc.gov/cgi-bin/query/C?c103:./temp/~c103xXsW4u |
| Arming Pilots Against Terrorism Act (Sec. 1401 of Homeland Security Act) | Establishes a program to deputize pilots | Dept. of Homeland Security (DOT) | Pub.L 107-296 | Nov. 2002 | http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&docid=f:publ296.107.pdf |
| Aviation and Transportation Security Act (ATSA) | Established Transportation Security Association and centralized security system for the transportation industry | Dept. of Homeland Security (DOT) | S. 1447; Pub. L 107-71 | Nov. 2001 | http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&docid=f:publ071.107.pdf |
| Safe Explosives Act (Sec. 1122 of Homeland Security Act) | Amended section 18 USC 842(i) by adding several categories to list of persons who may not lawfully ship, transport, or receive explosives in/out of US | Dept. of Homeland Security (DOT) | PL 107-296 | Nov. 2002 | http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&docid=f:publ296.107.pdf |

*1 Above information furnished by the Security Executive Council

Page 23

Vicarious corporate executive liability for violation of some of the criminal and environmental laws

Civil liability in money damages for tort law violations

Criminal liability for companies and employees in foreign venues for violations of international laws and regulations

Overarching federal statutes either mandate or furnish guidelines for fines and/or punishment for violation of statutes and regulations

Page 24

Corporate Security executives will be law enforcement and business qualified and also possess some technical security and management ability

Chief Security Officer will report to Executive Management and have complete unfettered access to the “C” suite

Corporate Security will have an enterprise component and deal with security matters in a manner business executives will understand

Page 25

Corporate Security plans and programs will be mostly pro-active and preventative, anticipating security challenges and emergencies before they occur

Corporate Security will use the team concept and interact with all the business units and service departments to ensure cost-effective corporate security policy is practically implemented company-wide.

Page 26

Corporate Security plans and programs will have to deal with the reality of government regulation and develop innovative methods to keep current with the laws and effect compliance

Develop innovative methods to ensure security solutions are as multi-faceted as possible so that the cost and compliance components can be spread among other business units

Page 27

Corporate Security will re-orient its goals from strictly law enforcement objectives to ones that include a business component, e.g. provide metrics for security services that:

Increase profitability

Reduce costs

Enhance the brand

Improve customer relationships

Reduce employee attrition

Page 28

Drug Testing Programs

Employee Reduction Programs

Investigative and Interview Training

Background Inquiries

Expatriate Mobilization Programs

Workplace Violence Programs

Crisis Management Programs

Security Awareness Programs

Domestic and Global Evacuation Programs

Page 29

QUESTIONS?