SecureROI
December 2005, Volume I, Number II

Publisher: Dave Saddler
Editorial: Dave Saddler, Editor; Joe Ricci, Managing Editor
Advertising: Dave Saddler, Publisher, 301.613.0740, dave@secureroi.com

Published six times a year. Executive offices at 12154 Damestown Road, #615, North Potomac, MD 20878.
SUBSCRIPTION: $295 one year.
© 2005 Cloud Concepts, LLC

inside…

features

Perfect Practice
In order to provide significant value and return on investment (ROI) for the pre-employment screening program, proper policies and diligent management must be in place.
By David Saddler

Channeling ROI
As the Security Director for Comcast Cable Communications, Midwest Division, Ron Hnilica has learned the importance of demonstrating ROI.
By Ron Hnilica

newsflash
No Consensus on FEMA Focus
Animal ID Fights Agroterrorism
DHS Awards More Than $15M
Efforts to Tighten Borders Continue

techrules

newmarket
newsflash

government agencies

after Hurricane Andrew that were used as the basis for the reorganization of the agency during the Clinton Administration.

Fosler worries that the plans to remove the preparedness function from FEMA will result in less communication. Moreover, FEMA should never have been incorporated within DHS, Fosler says. Restructuring it within that department simply reinforces a wrongheaded path.

Carafano, however, says that because the head of FEMA and the undersecretary for preparedness will both report to the secretary, the organizational problems Fosler fears will be mitigated.

In addition, the preparedness directorate will support FEMA with training resources and will continue to rely on FEMA’s subject-matter expertise to advise the preparedness function.

For first responders, however, the success of the reorganization will be measured in the amount of funding available. “Our focus has remained on the need to have both preparedness and response portions of emergency management funded properly,” and first responders should have the authority they need to get the job done, says Jeff Zack, spokesman for the International Association of Firefighters.

But maintaining funding and staffing levels becomes much more difficult as bureaucracy becomes more complicated, says Pietro Nivola, senior fellow at The Brookings Institution. FEMA has had significant staffing and funding problems in the past, says Nivola, and its reorganization may not help.

While adequate funding is critical, it is hoped that the reorganization will begin to fix the problems that led to the bungled response to Hurricane Katrina.

Animal ID Fights Agroterrorism

Animals bred for consumption in the United States are often moved with relative ease and with little paper trail. That lack of documentation creates vulnerability, because if an animal becomes infected, the ability to quickly ascertain its origins could mean the difference between an isolated case and a deadly pandemic.

One important step toward implementation of a tracking system would be an animal identification program. The National Cattlemen’s Beef Association (NCBA), one of the largest cattle associations in the world, is currently working with industry partners to develop a national database that is privately controlled. The NCBA-initiated system will only contain information related to animal health, says Kim Essex, vice president of NCBA.

National Animal Identification System (NAIS) should be able to identify and trace all animals and premises that have had contact with a foreign or domestic animal disease within 48 hours after discovery.

The NAIS program will be instituted in three phases. The first phase involves the registration of any premises on which animals are handled. This is now voluntary, but once NAIS is mandatory in 2009, proprietors will have to register all premises with state or tribal officials. The data will then be reported to NAIS.

After their premises have been registered, producers will be able to obtain an identification tag, which will be tied to a unique animal identification number (AIN). The AIN, which will be in the database, will remain with the animal until slaughter and will be used to determine its origin or where it was first tagged.

The type of tags will most likely vary from species to species, but the data on the tag will be consistent, focusing on dates of sale and locations to which the animal has been taken. Cost of the devices will be shared between federal and state governments and the producers.

Page 6: Illustration: Peter Neu, Dreamstime.com | Page 7: Illustration: Scott Weichert, Dreamstime.com
border patrol

techrules

staying connected

networks,” so any decisions on what networks will be connected to will be made explicitly and solely by the user.

Turning off Wireless Zero Configuration is a fairly easy process. Open the Start menu and choose Run; in the box that opens, type services.msc and then click OK. This will bring up a box showing all the services available on the computer. Scroll down to Wireless Zero Configuration, select it, and choose Stop. In the same box, select Startup Type and change its setting to Disabled, so that the service will not automatically resume when the computer is rebooted.

Other countries are also beginning to prosecute those who piggyback onto unsecured networks. For example, this summer, British police arrested war driver Gregory Straszkiewicz for illegally accessing a wireless connection. According to reports by the BBC, he received a £500 fine and was given a year’s conditional discharge, in addition to having his laptop and his wireless card confiscated.

Companies can learn two important lessons from the Smith and Straszkiewicz cases, Smedinghoff says. “One is that obviously they need

Pros:
It’s extremely easy to use, and doesn’t require updating each time a new threat appears.

Cons:
Right now it only works with Internet Explorer and the Outlook mail program, a problem for the many Web surfers (myself included) who try to avoid these programs in favor of alternative browsers

Page 10: © Photographer: Joachim Angeltun, Dreamstime.com
DOT’s Security Off Track

When the Zotob worm appeared only days after Microsoft released a patch that would have prevented infection, 700 Department of Transportation (DOT) computers were infected after a contractor connected a laptop to the DOT’s network against the department’s policy. This incident, which is recounted in a report on the department’s IT security by the DOT’s Inspector General (IG), is just one indication that some federal IT professionals are having trouble in meeting the

worth it

Fencing Out

RFID planning.
The Department of Defense (DoD) is using radio frequency
ID (RFID) tags throughout its supply-chain operations; by
January 2007, all DoD commodities will have these tags. The
Government Accountability Office (GAO) reports that the
Pentagon has identified many of the challenges it needs to
resolve before this can happen but notes that “it has not
yet developed a comprehensive strategic management
approach” to guide, monitor, and assess implementation.
Zero-day approaches.
The time between the disclosure of a computer vulnerability
that can allow infection by a worm or virus and the release
of an exploit that can attack that vulnerability has dropped
from 6.4 days to 6.0 days. Meanwhile, the average time
between the appearance of a vulnerability and the release of
a patch is 54 days. Those statistics, which come from antivirus
vendor Symantec’s most recent Internet Security Threat
Report, are even more frightening when you consider that
1,862 new vulnerabilities were found in the first half of 2005.
A Site to See
Web-page bookmarks are a great way to keep track of your
own frequently traveled Web sites. But how can you find out
what sites are most popular with other people?
Page 12: Illustrator: Pt Lee, Dreamstime.com | Illustrator: Cristescu Valentin, Dreamstime.com
Perfect Practice

Former major league baseball player Dwight Evans, when responding to a question about preparation and practice, once said, “Practice does not make perfect, perfect practice makes perfect.” The message was and is clear to those aspiring to new heights: going through the motions simply will not suffice.

This approach applies perfectly to how Scott Hewitt, CPP, approaches the overall security program at Ferguson Enterprises, Inc., particularly to the importance placed on the company’s pre-employment screening program. In order to provide significant value and return on investment (ROI) for the pre-employment screening program, proper policies and diligent management must be in place.

Illustration by: Caroline Clarke
Annual cost of the program.
This includes the vendor contract and in house personnel time: $260,000 (conducting screening on 700 to 800 people per month).

Costs associated with employee theft.
According to the Association of Certified Fraud Examiners, fraud and abuse costs $9 a day per employee. Based on one year of working days only, a conservative estimate for one employee is $2,250 per year.

Costs associated with drug abuse.
Hewitt uses statistics published in the Bottom Line, which indicated that each drug abuser costs close to $7,500 per year.

Costs associated with workplace violence.
Hewitt refers to data published in 1992 that indicated that 100,000 incidents of workplace violence cost employers $4.2 billion. He uses the figure of $25,000 per rejected violent person as a conservative estimate.

ROI model.
Using data from two years ago, Hewitt estimated that Ferguson avoided hiring 158 people (36 from theft issues, 48 from drug issues and 58 from violence), saving the company $1,888,246 (versus costs then of $245,000) in one year.

Screening issue   # rejected   Associated cost/year   Total $ saved
Theft issues      36           $2,250                 $81,000
Drug issues       48           7,500                  360,000
Violence          58           25,000                 1,450,000
Total             158          260,000 (inhouse)      $1,631,000
Channeling ROI
Written by Ron Hnilica

I. Theft of Service

In the telecommunications industry, theft of service by unauthorized users is a continuing and expensive problem. Not only do cable (satellite and telephone) companies lose millions of dollars annually for actual revenues lost as the result of stealing cable signal, but there are also the additional millions of dollars lost to damaged or vandalized equipment and the man hours to repair this damage.

This is an area of Security’s responsibility in which a return-on-investment (ROI) can be quantitatively demonstrated to executive leadership. At Comcast, we have a proactive theft of service program that not only seeks criminal and civil remedies for this theft, but also includes an active audit program to identify unauthorized cable users and attempt to convert these persons into paying subscribers.

Our Loss Prevention personnel, working through the Security Department, are trained in proper audit procedures for end-user (residential and commercial) theft of service. This training includes proper documentation which, if necessary, can be used in civil and criminal court proceedings. In addition, our Loss Prevention employees are trained by our Sales department on proper sales techniques so that these unauthorized users can be offered, through a low key sales approach, the opportunity to become paying cable subscribers. It is not uncommon to convert up to 30% of these identified unauthorized users of cable to paying subscribers.

Another area of theft of service that has been a huge problem for years is the purchase of illegal (“black”) cable boxes, either through magazine advertisements or via the internet. These boxes, often manufactured overseas and sold to large American distributors at very low prices, can be connected to an analog cable system and allow unauthorized viewing of pay-per-view (PPV) and premium movie channels without compensation to the cable company. Security departments for many cable companies often cooperate in investigations to identify and prosecute these major distributors. In addition to criminal prosecution, civil suits are filed by the cable companies against these distributors, often involving settlements of $1 million or more. As part of the civil judgment, the courts are ordering the release of the customer list for these black boxes. The cable companies will then pursue individual civil settlements against the purchasers of the boxes.

Through the Comcast Security departments, it is not unusual to receive $1 to $2 million annually as the result of theft of service programs listed above.

II. Recovery of Comcast Property

Security and Loss Prevention work with the Comcast warehouse personnel in the recovery of cable converter boxes and cable modems. These are huge capital expense items and can cost a cable company millions of dollars in lost equipment fees. The newest converter boxes, which are a high definition and digital video recorder (DVR) combination, will cost the company approximately $350 per box. Needless to say, if several thousand of these boxes are lost, stolen, or simply not returned by customers, the monetary losses can mount rapidly.

Security works with the warehouse in conducting performance audits to verify that proper procedures are being followed in the issuance and recovery of these cable boxes and modems. Comcast works with contract cable companies that must follow our procedures for reconciliation of cable box (and cable modem) inventory.

In 2004, Comcast Security and Loss Prevention recovered in excess of 20,000 cable converters and cable modems with an approximate value of $6 million. In addition, LP investigators are trained through our Sales department to attempt to retain existing customers (that have fallen behind in payments or who may be thinking of switching to another company for video services). These sales by LP investigators result in an approximate 20-30% retention rate of customers that may have been lost as subscribers.

III. Workplace Violence Prevention Training

In a value-added program, Comcast Security (Midwest Division) has developed a Workplace Violence Prevention (WVP) program for managers and directors of the various disciplines within the company. This program, called the Comcast Crisis Response Team (CCRT), was developed as a two day intensive training to develop crisis management skills for Comcast management personnel. The training incorporates Comcast’s existing WVP and harassment policies, but includes training on dealing with potential WV situations, warning signs, WV incident management, angry/distraught employee “talk down” procedures, etc. Over 200 Comcast managers and directors in the 7-state Midwest Division have received this training in the past year. Security has implemented yearly 2 hour refresher training sessions so that these skills learned in the original CCRT training can be reinforced. An additional benefit of this training is that it demonstrates a proactive approach to the prevention of workplace violence which can be an issue in premise liability, negligence and the “General Duty” clause as pertaining to OSHA regulations.

IV. Homeland Security / Terrorism Awareness Training

In 2005, in another value-added program, Security implemented a terrorism awareness training program for Comcast technicians, sales personnel and any other employees that spend a good deal
Blueprints of Success
Written by Dave Saddler

The vast majority of law enforcement’s capacity to be in more places than one is real-time, remote video and data monitoring. This allows greater coverage for public safety, without the extra officers or the overtime that a municipality might not be able to afford. The technology does not replace the value of the officer, but enhances that value.

This concept makes for an excellent blueprint for business. Since security professionals understand the intricacies of this type of technology, it would behoove the security function to study how to utilize technology such as this for business purposes and to help achieve multiple business objectives. In law enforcement, one objective might be to use a number of officers that could not physically cover a certain area to provide a zero tolerance objective for a particular event.

The true value for the implementation of such a program would be to study and measure the return on investment (ROI) and the business value. One great example of this type of business study is found in an application of real-time data and real-time monitoring that has little to do with security or law enforcement, a hospital critical care facility.

The Sentara study provides an excellent example of how a company used technology, well known to security professionals, to deliver better health care services to patients and also to reduce costs and provide significant value.

The numbers demonstrate that the use of this application provides tremendous ROI and helps the health care provider meet its many missions, among them excellent care provided in a timely fashion. The length of stay (LOS) for a patient is critical in the health care arena, as insurance often dictates these parameters.

According to the study publicized by VISICU of Baltimore, Maryland for an application at Sentara Health Care of Norfolk, Virginia, the ROI is tremendous. VISICU is the application provider, using a program called eVantage. Ernst and Young provided the analysis. The technology was utilized in two intensive care units (ICUs) at the Sentara Norfolk General Hospital, where care is obviously much more sensitive and demanding. The study covered 600 patients who were discharged in the first half of 2001 and the data was compared to the 12 months prior to the implementation of the technology solution.

According to the study, ICUs are particularly challenging financially for health care providers. Care in these units accounts for 25 to 35 percent of operating budgets. This is amplified by the budgetary pressures from managed care reimbursements and fixed Medicare payments. In addition, 50–67% of expenditures are concentrated in 10 to 15% of the ICU patients, according to the case study. With the ability of doctors and other health care professionals to deal with these cases with this remote “expert monitoring”, costs are reduced and care increased.

After using the digital video and patient data platform, where doctors can actually view vital patient information while personally communicating with the patients remotely through the video platform, the clinical benefits and cost savings were dramatic (see sidebar).

This is a prime example of the type of technology solutions, available to security professionals, that can enhance the business mission of a company. The technology tools are the same, it is the application that is unique in this instance.

While this application is not for security purposes per se, the technology, information gathering and management is certainly within the realm of possibilities for a forward thinking security manager. The skill comes not in figuring what something will cost, but in figuring out, as Sentara did, what business objectives can be more readily met. Is there a way that your security operation can help provide core business functions and significant return?

• There was a 25% reduction in hospital mortality rate for the ICU patients.

• There was a 17% decrease in length of stay (LOS).

• ICU capacity was increased by 20% and thus the ability to provide better care because of the shortened LOS.

Among the financial findings:

• A 26% reduction in costs for ICU patients, resulting from a 17% decrease in LOS

• 15% decrease in daily costs of ICU care, attributable to a 4% decrease in nursing worked hours per patient day

• 18% decrease in ancillary cost

• $2,150 per patient financial benefit attributable to lower cost, after adjusting for revenue loss in “fee for service” and “per-diem” patients

• A $460,000 increase in gross monthly revenue due to additional ICU cases. This generated $274,000 margin contribution, monthly

• A $3,000,000 annualized net financial benefit for the 2 ICUs after subtracting all program costs.