Contemporary Security Management

Fourth Edition David Patterson

Visit to download the full and correct content document:
https://textbookfull.com/product/contemporary-security-management-fourth-edition-da
vid-patterson/
More products digital (pdf, epub, mobi) instant
download maybe you interests ...

College accounting : a contemporary approach Fourth

Edition M David Haddock

https://textbookfull.com/product/college-accounting-a-
contemporary-approach-fourth-edition-m-david-haddock/

Urban Drainage (Fourth Edition) David Butler

https://textbookfull.com/product/urban-drainage-fourth-edition-
david-butler/

Contemporary Container Security Girish Gujar

https://textbookfull.com/product/contemporary-container-security-
girish-gujar/

Computer Organization and Design The Hardware Software

Interface RISC V Edition David A. Patterson

https://textbookfull.com/product/computer-organization-and-
design-the-hardware-software-interface-risc-v-edition-david-a-
patterson/
Computer Organization and Design RISC V Edition The
Hardware Software Interface David A. Patterson

https://textbookfull.com/product/computer-organization-and-
design-risc-v-edition-the-hardware-software-interface-david-a-
patterson/

Introduction to Electrodynamics Fourth Edition David J.

Griffiths

https://textbookfull.com/product/introduction-to-electrodynamics-
fourth-edition-david-j-griffiths/

Film history an introduction Fourth Edition David

Bordwell

https://textbookfull.com/product/film-history-an-introduction-
fourth-edition-david-bordwell/

The Standard for Program Management Fourth Edition

Project Management Institute

https://textbookfull.com/product/the-standard-for-program-
management-fourth-edition-project-management-institute/

The Standard for Program Management Fourth Edition

Project Management Institute

https://textbookfull.com/product/the-standard-for-program-
management-fourth-edition-project-management-institute-2/
Contemporary Security
Management
Contemporary Security
Management
Fourth Edition

John J. Fay
David Patterson
Butterworth-Heinemann is an imprint of Elsevier
The Boulevard, Langford Lane, Kidlington, Oxford OX5 1GB, United Kingdom
50 Hampshire Street, 5th Floor, Cambridge, MA 02139, United States
Copyright r 2018 Elsevier Inc. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical,
including photocopying, recording, or any information storage and retrieval system, without permission in writing
from the publisher. Details on how to seek permission, further information about the Publisher’s permissions policies
and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency,
can be found at our website: www.elsevier.com/permissions.
This book and the individual contributions contained in it are protected under copyright by the Publisher (other than
as may be noted herein).

Notices
Knowledge and best practice in this field are constantly changing. As new research and experience broaden our
understanding, changes in research methods, professional practices, or medical treatment may become necessary.
Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any
information, methods, compounds, or experiments described herein. In using such information or methods they
should be mindful of their own safety and the safety of others, including parties for whom they have a professional
responsibility.
To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for
any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any
use or operation of any methods, products, instructions, or ideas contained in the material herein.
British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library
Library of Congress Cataloging-in-Publication Data
A catalog record for this book is available from the Library of Congress

ISBN: 978-0-12-809278-1

For Information on all Butterworth-Heinemann publications

visit our website at https://www.elsevier.com/books-and-journals

Publisher: Candice Janco

Acquisition Editor: Laura S. Kelleher
Editorial Project Manager: Hilary Carr
Production Project Manager: Anitha Sivaraj
Cover Designer: Victoria Pearson
Typeset by MPS Limited, Chennai, India
Contents

INTRODUCTION •.•....••.•..••.•...•.••....•.....•.••..•.•.....••.•..••••....••.•...•..•..••••....•..• xxiii

CHAPTER 1 Future of the Chief Security Officer .......... 1

Introduction ......... .......... ...... . . ...... ... . . .......... .. ........................... .. ...... 1
. . . . . . . .

Origin of Corporate Security ..... . ... . . ... . . . . . .. . . . . . . . . ..

. . . . . . . . .. . . . . ... ..
. ..... . ...... . 3
.

Contemporary Drivers for Co r pora te S ecuri ty .... .................. .............. 3

History of Data S�curity . . . . . . . ......... . . . . . . . . . . .. . . .................................... 5
Evolution of In form at i on Threats.... ................... ................. ........ 5
19705 ........... .... .. ..
. ............... ... ............................. ............................. .5
19805 . . . . . . . . . ............ . . . . . . . . . . ......... . . . . . . . . . .......... . . . . . . . . . . . . . ........ . . . . . . . . . . ........ 5
19905 ..... . . ..
. .. ......... . . . . . . . . . . ......... . . . . . . . . . . . .... . . . . . . . . . . . . . . . . ............. ... . . . .... . .. 6
20005 ................................................................................................ 6
Operational vs Stra t eg i c ..... .................. .................. ................ ....... 6
Convergence of Security .... ... . . . . . .. . . . .. . . .. . . . . . . . ........ .. ..
. . .. . . . ........ 7
Benefits of Convergence . . . . . . ......... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . ... . . . . . . . . . . .. . . . . . 8
Drawbacks and Challenges .. . . . . . . ....... . .. . . . . . . . . . . ....... 9
Requirements for Success ..... . . . . .. . . .
. ... ... 9
Secu rity Governance .... . . . . .. . . . . . . . . . . . .
. . . . . .. . . . . . . . . . ..... . . . . .. . . . . ... ..
. ... . .......... 9
Security Program... .. .. .. . .
. . . .. . ................ .. 10
The Role of the Chief Security Officer ............... ............. 11
Duties of the CSO .................................................................................. 12
Qualifications of the csa .. . ... . . . . . ......... . . . . . . . . . .. .. . . . . ..
. . . . . . . . . . .. . 12
Skills ..................... .................................................... .................. ... 13
The Business Case for Security..... ............ .. ................ ............. 13
ConclUSion . . . . . . . . . . . .......... . . . . . . . . . . .... ....... . . . . . . . .. ........ . . . . . . . . . . . . . . . . 17
References ................. ............... ................... ..................... ............. '9
Further Reading . . ...... .. . . . . . . . . . . ........ . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. .... 19
Web Sources .............. ..................... .................. .................. ............... 20

CHAPTER 2 Organizing . . . . . . . . . . ........ ............................. ....... 21

Introduction ............... .............. ....................................... ............. 21
Staffing . . . ........ . .. ........ ........ .. . ........ . . . . . . . . . . ... . . ... .. . . . . . . . . .. ... ..... . . . . . . . . . . .. . . . . 21
Justify the Position . ............ . ...... . . .
. . . . . .. . . . . . . . . . . . ... . ........ . ... . ..... . ........ 22
Identify Relevant Skills and Knowledge ...... ................................
. 23
v
Contents

Search for Qua l ifie d Ca nd i da te s . ... . .. .

.. . . ...... ................... 24
Compare Candidates against Job Requirements ........... 24
Interview the Candidates ............ ................. . ...... 25
Identi fy the Apparent Best Cand ida te .................................25
Conduct a Background Inquiry ... .. . ...... . ... . . . .. . .......... . ... . ..
. . . . . . . . ...... 26
Test the A ppare nt Best Candidate ............... ............... ..................26
Offer the Job .. . ... ........... . ...... .. .. ..... ........... .... .... ....... 27
Independent Cont ra ct o rs and ConsuLtants.......... ............... ............ 28
Organize Acti vities ................... ............................................................. 29
EstabLish Objeclives...... ...... . .
. ..... .29
GroupO�ectives .... . . . . . . . . . .......... . . . . . . . . . . . . . ...... . . . . . . . . . . . . . ........ . . . . . . . . . . . .... 30
Individual Objeclives .... . . . ..... .. .
. . . ................... 30
Organize Consistent with Policies... .................. .............. 30
Provide Physi ca l Resources ......... ............ .. .. .............. ................ .. 31
Provide People Resources. .. ... 32
Organize Beyond Bo u n d a ries ................ ................ .. .... 32
Assign Tasks . .. .. .. ... .. .
. ..
. ... ......... .
. ... . ... . . ..... .. ... ..... ... ..... .... . 33
.. .. .. . . . . . . .

Monitor Performance ................... ................................... ...... 34

Terminale UnacceplabLe EmpLoyees .................................................. 34
Stunned Reaction . ... ... .............. . . ......... 35
Psyc h o logical Trauma ......... ...... ... ...... .. .. .......... .. ............ 35
Sorrow. .......... .. .. .. .. .................. ................ ............... 36
Belligerence ............... .................... 36
Manage the Termination Interview .. . ........ ... . . . ... .. .
. .. ..... . . 36
.

Organi zational Structures . . . . . .. . . . . . . . . . . . . . . . . . .. . . . . ... . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . ..... 37

Vertical ModeL.. ........ .......... .. .............. .... ..... .......... ... .. .. ............ .. . 37
Nelwork Model ............................................. ............... 38
Secur ity Group Fit . . . . .. . . . . .. ... . . . . . . ...... . 39
Review Questions........ ...... . . ....... . . . ............... 40
Further Reading . . . . . . ... ............................................................ 40

CHAPTER 3 Managing PeopLe ........ . ........ ................. .................. ... 41

Introduction . . . . . . . .. . . . . . . . . . . . . . . . . . . . ........ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . .... 41
Maslow's Theory ...... .. . ....
. .
. .... ........ . "".""... ,," .. "".""."""....
. """ 42
PhysiologicaL........ ................ . ................... ........ 42
Survival ......... . .. ................. . ....................................................... . ... 43
Love . . . .................... .................. ................................. ............... 43
Self-Esteem ....................... .................. .................................... 43
SeLf- FuLfillment ................................. .................... 43
Cu riosity ................................................................... ....................... 43
Key Tenets .................. .................. ................... ................. 43
Maslow in the Security Environment . . .. 44 . . . . . . .. . . . . . . . . . . . . . . . . . . ......... . . . . . . . . ....

PeopLe DeveLopment ............ . .. .

.... . . . . . . . . . . . . . . ..... ............. .. . ..... . . . . . . . . . . . . 45
. . .

Encourage ...... ............ ............................. ..................................... 45

Expect Excellence . . . . . . . . . . . . . ........ . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . 46
 Contents

Pe rform ance AppraisaL ...... ................ .............. ..... 46

Setting Ta rg et s ........ ..... ......... .... ..... ........... ................ 47
Target Dualities .. ... .......... . .... . . ............ .
. . .... . .. . . ......
. . . . .... . . .. .........
. . ... 48
Focus on Action Steps . .............. .... . . . ... . ........ ....... 49
Base and Stretch ............................................................................. 49
Performance Review.. . . .. . . . . .. . . . .. .. . .... ........... ... . ............ . 49
SeLf-AppraisaL ...... .... . . .... . . . ..... ..... ..... .. . . . . .... . .... . . ....
. . . . ...... .. . ..... ..
. . . .... 51
Performance AppraisaL Cycle. .. .................... ................. 51
Starting P oint ................................................................................... 53
Quarterly Reviews .. .. . ...... . ..... .. ......... .. . . . .... . ... . . . .... .
. . . . . .... ... . . ......
. . .... 53
Ending Po i nt .... ..................... . . 53
Rating on MeriL.... . . . . ..... .. . .. .................. ........... 53
Objective and Quantitative . . . . .. .................................... . . . . . .......... 54
Upward Feedback . . ... .. . ...... . .. . ..... ...... .. ....... .. ... . . . .... . ... . . . . . .... ... .. .. .. . .. 54 . ....

Obtain Subordinates' Ratings .. . ...... ................... ............................. 56

Upward Feedback Report............ ....... . ....... . .................. ........ 56
Objectives for the Leader ... . . . ..
. . . ...... . ... . ... .. . . . . . . . . . . . ....... . . . . . . . . . . . ..... 58
Position Evaluation........ ................ ............... . ...... 59
Grade Level Determination ...... ..... . ... ... . ........ . 59
. . . .. .

Position Description ......... .... . ............ . . . . ............ . . . ............

. .. . . . . . . ... 59
Review Ques tion s .................................................................................. 61
References ................. .................. .................... ................... ....... 61

CHAPTER 4 Leadership and Management Skills..... ....... . ..... .. .......... 63 .. .. . .. .

Introduction . . . . . . . .......... . . . . . . . . . ........... . . . . . . . . . . .. . . . . . . . .. . . . . . . . . . . ........ . . . . . . . . . . ..... 63

Leadership in the Management of Security. .... .......... .. . . . .... ....... . . .. . 63 . . . .

Complex and Subtle ......... .... . . ............ ..

. . ................................. 64
.
Manager Versus Leader .. .. . . . .......... ....... .............
. .
. .................. 64
BuiLd a Visi on ................................ ................................................... 64
Communicate the Message ........................................ 65
Cultivate Trust .. . ... . . .. .. . ...... . .. ... .. . . ... .. . . . .. . . . ...... ...... .. ....
. . . .. . . . .. . . . . . . . . 66
DeveLop OneseLf ............................................ .................................. 66
Empowerment . .. .. ... .... . ....................
... .. . ............... 67
Contributing .. . . ...... .. . . ... ..
. . . . ...... .... . . . .. . . . . . . .... . .. . . ......
. . . . ...... .. . . ......
. . . .... 67
Sharing Accomplishments . . ...........
. ................................. 67
Energizing and Motivating. ................................................... 67
Conflicting Values ... .......... . . . .. .. . . ................................. 67
Quantity Versus Quality............... ....... . ..... . . ....................
. ....... 68
Love of Work........................... .... .. . .. . . . . .
. . . . . . ......... 68
Followers ..... .. .. .... ...
. . . . . .. . .. .. .. ... . .. .... . ...... .....
. . . .... .. .. ... . . ..... .. . .. ... .
. . 68 . . . . . . .

Taking Directions . .. .. ........ . ...... ...... . . .. . . . . . .... . .. . . ......

. . . . ...... .. . .. ......
. . .... 69
Telling the Truth........................... ............................................. 69
.

Providing Feedback. . . . . . . . . ......... . .. ................ ....... 69

Leaders Add Value ........................................... .................................... 69
Competition Among Leaders . . .. .. .. . . ..... . . . . . . . ... . . ........ . . . .
. . .... . ...... . ... . .... 70
Contents

Ambition ............... ................................. .................... 70

Loya lty . . . . . . . . . .......... . . . . . . . . . . ....... . . . . . . . . . . . ......... . . . . . . . . ........... . . . . . . . . . ...... 70
Price of Leadership . . ................ . . ................. .................... 71
Lea ding in the 21st Century . ... . . ..... .... 71
Build and Manage.. ...................... .............. ................ .............. 71
Knew the Land scape ............................................................. 71
Expect the Best .. . . ... .............. .. ............ 72
Do Not Micromanage . . . . . . . . ....... . . . .. . . . . . . . . .... . . . . .
. . . . . . . . . . . ..... .. . . . .
. . . . . . . . ... 72
Be Accessible . . .. .
. . . . . . . . ........................
. ....................... 72
Focus on What Is Important. . . . . . .
. . .... .... .. . . . . . . . . .... ..... . . . .
. . . . . .... . 72
.

Point the Way......... .. . ... . .. . . .

. . . .. . .. ...... 72
Conclusion . . . . . .. . ...... . . . . . ..... . . .. . . . ... . . . .
. .. . . . . . . .. . . . . . .. . . . . . .. ..... ..... . .
. . . . . . . . .... 73
. .

Review Questions........ ......... . ....... .....................

. .............. 73
References . . . . . . . .. .. .... .
. . . . . . . . . . . . . . .. ... . . . . . .
. . . . . . . . __ ... . . . . . . . . . . . ......
. . . . . . .. . . . . .. . 74
. . . .

CHAPTER 5 Strategy. .................. ............................... ... 75

Introduction . . . . .. .. .... . . . . . ... .. .. . . . . . . . ....
. . . . . . . . . . . . . . . . . . . ....................... 75
Business Strategy........ . ..... . . ...... ......................
. . . . ............... 76
Core and Support Activities .................................................................. 77
Outsourcing and the Security Group. ..... . ... ....... . . ................ .......... 77
Protecting Assets Under Altered Circumstances.. 79
Due Di ligenc e ................................... ....................... 80
Ambiguous Specifications ... . . . . . . . ... . .. . . . . . ....... .
. . . . . . . . . . . . . . . . . . . ... BO
Effect of Strategy on Security M a n agemen t.. .... .................. .............. 80
Anticipate ....................... 80
Exposu res . . . . ... . .. .. .
. .. . . . . . . ......
. . . . .. ..... 80
Magnitude .. . ... .. .. .. . . . . . . .. . .. . .. . . . . .. .... .
. . . . . . . . . . . . . . . . ............... 81
Complexity .. ...... ....... 81
TechnicaL KnowLedge .. . . . . . ...... . . . . . . . . . . . . . . . ..... . .. . . . .
. . . . . . . . . . . . . ....... . .. . . . . . . ... B1
. . .

Access ................... .............. ........................ .............. . 81

Quality ................... ............... 82
Teamwork .. .
. . . . . . . . . . ....................
. .............. ............... B2
Strategy and Risk .......................... ..................... ................. ............... 82
Predict ................... .................... .............. ............... B2
Quantify . . . . . . . .....
. .. . . . . . ... . . ... . .... .. . . . . . ... . . . . . .
.. . . . . . . . . . . . . ... .... . .... .. . . ... . . ... 82
.

Imperatives ................. .................. .. ........ 83

Imp r ove on Q ualit y . ...................... .............. .............................. B3
Forge CLose Li n ks with Users......... ........................... 83
EstabLish CLose ReLationships wit h SuppLiers . . . . . . . . ......
. . . . . . . . . . . . B4
. . . . .

Make Effective Use of Technology .... . .. . . . . . ..

. . . . . ... .. .. . . .
. . . . . . . . . ... 84
Operate with Minimum Layers of Management ..... . . . . . . . . . . . . B5
. .

Continuously Imp rove the Security Staff ... .. . . . . . . . . . . . . . ..... .. . . . . . . . . . . 85

.. .

Strategic PLanning ................................................................................. B6

Policy and Planning .... . . . . . .... 88
. . . . . . .

The CSD and Strategic Planning . . . . . . . . . . ... .. ..

. . . . . . . . . . . . ... . . .
.. . . . . . . . . . . . .. 89
 Contents

Business Is Like War .................... ................................... 90

No Absolutes in Strategic Plan n i n g . .. ........ . .... 90
Strategy and Cha nge . . . . . . . . . . . . . . . . . . . . . . . ..... 91
Conclusion ................................. .................. ........................ 91
Review Questions ....... . . . . . . . . . .......... . . .................... ............. 92
Refere n ces .................................. .................. ...................... 92

CHAPTER 6 Budget Management . . . . . . . . . .. . . .... . . . . . . . . ... . . . . .. . . . . . . . . . . . ... . . . . . . 93

Introduction .... . ... .
....... . . . . . . . . . .. . ...... .
. . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . ........ . . . . . . . . . . ...... 93
Budget Preparation ... . ....... .. . ...... .. . ... .... . . . . .. . . . . . . . . . ..
. ... . . . . ....... . ..... ... . . ...... 94
Authorization ....... .
....... . . . . . . . ... . . ....... . . . . . . . ... . . ...... . . . . . . ... . . . . ..... . ....... . ... . ...... 94
Execution . . . . . . . . . . . .......... . . . . . . . . . . ......... . . . . . . . . . . .... .... . . . . . . . . . . . . ........ . . . . . . . . . . . ..... 95
Audit ...................................................... ...................... 96
The Budget Director . . ....... .. . . .. . . . . . .
..... ... . . ............ ..
. ... . . . . ........ . . . . . . . .. . ...... 96
Zero-Based Bu d geti n g ....... ................ .................. ................ ..... 97
Directions Flow Down . . . . . .......... . . . . . . . . ......... . ................ ........... 99
Limitations ..... .... . ... . . .... ..... . .. .... ...... ....... . . . ...... ...... . 99
. . . . . . . . . . . .

Cost/Benefit Ratio ....... . ........... . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . ........ . . . . . . . . . . .... 101

Controlling Cos ts ................................................................................ 1 01
Overspending ...................................................................................... 1 02
Conclusion ................. ..................... .................... ........... 1 07
Review Questions ....... . . . . . . . . . . ......... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ...... 107
References ................. .................. .................... ................... ............. 1 08

CHAPTER 7 Managing Change ... . ...... . . . . . . . . . . .. . . . . . . . . . . . . . . . .. .

. ..... 109
Introduction . . . . . . . . ....... . . . . . . . . . ............ . . . . . . . . . . . . . ... . . . . . . . . . . . . . . ... . . . . . . . . . . . . . . . 1 09 . . . . .

Impact and ContexL.... . . ... ... ...... . .................. . ........... 1 1 0

Working through People. . . ... . .. .. .
. .. . . .. 1 1 0
Adjusting to Change . . . . . ..... . ... .. . ... . . . ..... ...
. . . . . . . . . .. . . .. . ..... .. . . . .. .... 1 1 3
. . . . . . . ..

Familiar But Not Understood ... . . . . . . . . . ... ..... . . ............. 1 1 3

Poor Approaches ........................ . ............... .................. ....... 1 1 4
Technology and Change ... ........ ... . . ..
......... 1 1 4
Politics and Change .... .................... .................. .................. ... 1 1 6
Change on a Pe rs ona l Level....................... ............................... 1 1 8
Reality Check... ...................... . . . . . . . ....... . .. . • .. 118
Blame Shifters...... . . . . . ... . .... . . . ..................
. . ......... 1 1 9
Survivors . . . . . . ........ . . . . . . . . . . . ......... . . . . . . .............. . ............. 1 1 9
Ac tion Co a chi ng ........ ... ....... .... ............... ....... . ......... ..... . ....... 1 1 9
Review Questions......... .. .......... .....................................
. .. 1 22
References ................. . ................. 1 22

CHAPTER B Making Decisions ........... . . . ..... •...........•... •..........•....•..... .... 123

Introduction .... . . .......... . . . . . . . . . .......... . . . . . . . . . . . . . ...... . . . . . . . . . . . . . ........ . . . . . . . . . . . . . . 123
A Decision-Making St rategy • . . . . . . . . . ........ . . . . . . . . . . ... 1 24
Frame the Issue ........................ .................. ............................... 1 25
Contents

Collect Information .................. 126

AnaLyze the I n fo r m ation . ........................... ..................... ............. 127
Decide...... ............. . ................ ........ .......... .................. ......... 127
Implement ........... ........................... .............. 128
Examine Feedback ................ .................................... ....... ............ 128
I mplicati on s for t he CSO ................ .................. ................ . . .............. 128 . .

Conclusion" .. .............. .. ... ........... ..... ............. .,' 130

Review Questions.... ..... ....... . . _._ ..... . . . . . . . . . _._ ... _ . . . . .. .......... 130
References .............. .................. ..... ........... . ..................... 131

CHAPTER 9 Managing Risk.. . . . . . . . . . .. . . . . . . . • . . . . . . . . . . . . . . . . . . • . ......... . 133

Introduction ................................................................... ..................... 133
Risk A n a lY S I S .............. .................. .................... ............. 134
Assets... .................. . .......... ........ ................ ............. 134
Criticality .. .......... . . .................................. ..................... 134
Threats ............. . ...................... ................................ ............. 135
Probability ............. 135
Impact ...................................... ................... . . .. .... 136
F re q uency . . ... . . . . . ........ ... .. . . . . ...... . . .... ..... .. .
. . . . . . . ............. 136
Manageability......... .................. ................... . ............. 136
Countermeasures... . . . .................. . .......... .... ............ 13B
Risk Assessment Versus Threat Assessment ............... .................. 139
S.lf-Ass.ssm.nL...... . ... . ..... . .. . . . . . ............. 142
Self-Assessment of IT Security .................. ............................... 143
Security Review ....................... ......... . . ..... . . .................................. 144
Security Audit ......... .............. ... . ..... .. ........... ..... .... ....... . . .... 144
. . . . .

Project Review .................. . ................. ............. 151

P roj ect Initiation ................................... .................................. 152
Planning Phase.... .............. ...................................... ............. 154
Execution Phase ................ .................. .................................. 154
Security Incident Causation Model.. ................................................. 155
Incident .................................... ................................. .................. 155
Loss . . . . . . . . . . . . . .......... . . . . . . . . . . ........ . . . . . . . . . ........ . . . . . . . . . . . .......... ............. 157
Hidden Causes ............................................................................... 158
SICM Standards ................ . .... . ........ . . ..... .. . . . . ..................... 158
Practices ................. . ................. 158
Conditions ..................................................... . ............. 158
Manage ment Failures ................................ ..................... ............. 159
Applying the SICM T ec hniqu•. .. . 160
Proactivity ........................... .................. ............. 160
Programs . . .. . .. . . . . ... . ... ........................ ........................... 160
The CSO's Role........... . . . . . ............ . ... . .................. ............ 160
Condusions. .. .............. . .... . ........ .. . .............. .. ............ 161
Review Questions............ .............. ..... ............ .. . ........ 161
References . ................ . ...... ............... .................. 161
Further Reading ...................... ..................... .... ..................... 161
 Contents

CHAPTER 10 Managing Guard Operations .. . . .. . .. . . . . . . ....

. . ... .. . . .. .. .... . . . 163
. . .. . . .

Introduction _ ...... . . . . . . . . . . . . ....................................... ........ ,63

Security Officer Selection and Training .................. ................... ....164
Selection....... . .......... .................. ....................
. .............. ........164
Tr a inin g ..................... .................. .................... .................. ..... 164
Needs Assessment .... .. . ..... ......
. . . . . ..... . ..... ..
.. . . . . . . ... .. . ... ... . . ..... . ...... . . .166
. .

Assets ... . . . . . . . . . . .... ...... . . . . . . . . . . . . ...... . . . . . . . . . . ........ .............. ...... . . . . . . . . 167

Life-Safety P rogra m .........................................................................169
Staffing .............. ......................................... .............. .............170
Skills . ..... .. . . ... .. . .. .................. .............. ..............171
Proprietary Versus Contract Security.................. ................ ".171
The Proprietary Opti o n ................................................................171
The Contract Option . . ................. ........ ............ .............. . . ....171
. . . . . .

Bid So licitation , . .........................................................................172

..

Scope of Work ..... . ... ..... ......

. . . . . ... . .... .....
. . . . .......... . ... ... . . ...... . ..... . . .172
. .

Officer Sta ndar ds .. ........................................ ................ ............173

Bid EvaLuation ........... .................... ...................... .................. 1�
Selection ................ .. ................. . ....... .. ...... .......
. ............... ,77
Assurance.... ...... . ... . .... . .. .................. .............. ..............177
Value of Guard Services. ................. . .................. ................. . . ...178
Mutual Respect. .... . . . . . . . . . . . . . .......... . . . . . . . . . . . . . . ..... . . . . . . . . . . . . ............ . . . . ,79
Agreement Issues ........ .....
. . . . ........ .. . . . .
. . . . . ...... .......
. . . . . . .............. . .179
.

Liability ... .............. ............................................................ ........180

Conclusions.................... .................... ..... 181
Review Questions ..............................................................................181
References.. ... .... ..... ..... ..................
. ............... ..... 182
Further R ea di n g .........................................................................182

CHAPTER 1 1 Managing Physical Security ................. .................. 183

Introduction ... . ............... ................... . ............ .............. .... '83
Types of Protected Assets. ........183
Safeguards.. . ........................................................................184
Factors in Selecting Safeguards ... . .. ... ...... . . . .. . ........ . . . . . . . . . . . . . ... .... .184 .

Environment ........................ .................... ...........................184

Forces of Nature . . . . .... . ... ......
. . . . . ... . ..... ..
.. . . . . . . ...... .. . ... ...
. . .... . ...... . .185
.

Crime. ..... . . . . . . . . ..... ................... ................... . .............185

Terrorism .................. ........................ .............. ..............185
Site Characteristics ....... . ... . ......... .. . . ..... .. . ........ . . ... . ..................... 186
Concentric Protection ....... ... . . ... . ........ . . ... ... .. . ...... .. ....
. ... . . . ................ .186
Perimeter ............... .. .186
Barriers.. .........................................................................188
Security Lighting ............ .................. .................... .....190
Sensors... ..... • . . . . ....... . . .... . ... .. ..... . ..................... ..............
. ....192
Sensor Reactions .........................................................................192
Sensor G rou ps .......... ................. ......................... ................ 192
Distinct Characteristics of Sensors ................. ..... .. ........... . ..194 . . .
Contents

Sensor Types ....................................... .................. ........ 196

Detection Reliability . . . ... . ... . .. . . .
.. . . . ... . . . . . . .. ..... ... . . .
. . .... .. . . .
.. . . .. ..... . 199
Intrusion De te c tion Systems.. ............... .. ...............
. ....... 199
Assessment ............... .................. ................ ................ ............. 199
Three Characteristics. . .... 200
Monitoring and Communication ......................................... . ..... 200 . .

Tamper Detection . . . . .. .... 201

Lock and Key Systems ... .................................................... ............. 201
Types of Locks ........... ............................... .................... ............. 201
Key Control ................. ................. ................... . .. ............. ........ 203
ProceduraL ControL . . .. ... 203
Compromise ................ ................ ...................... .................... 204
Periodic Inv en to ry of Keys.... . . . . . . . . . . . . ._ ....... .. ....... ...... ........ 205
.

Two-Person Rule ......................................................................... 205

Dual S ystems ................................. .................... ............. 206
ConcLusions .. . . . . . . . . .......... . . . . . . . . . . .......... . . . . . . . . .......... . . . . . . . . . . ........ ....... 20B
Review Questions ............................................................ ............. 20B
References ..... ................ .................... .............. .................... ... 210
Further Reading .................. .................. .............. ............. 210

CHAPTER 12 Managing Access Control . . . . . . ....... .. . . . .. ....... . .... . . . . . . . ... ... .. . . 211
.

Introduction.. .................. ................................. ............. 211

Employee Badges and Visitor P ass es . ............................... 212
Types of Identification Cards. ................ ................ ....... 212
Traffic Control ................ .................. ................. .................... ........ 215
Materials Control............ ................. . ................ .... 215
Inspection, E ntering , and Moving Internally ... . . . . . . . . . . . ......... . .. . . 216
Aceou nting for Property .................................... "....... ........" ...... 217
Inspection of Materials Leaving . .. . . . . . . . . . . ._ . ..... 217 .

Access Control Barriers .................. . .................. ................. ........ 217 .

Layered Protection.... ................ .... 219

Uniformity and D iversity .................... .................. ....... 219
Biometrics .... .................. ................................. ............. 220
Closed Circuit Television .................... .......... .................................. 222 .

Comfort Level .... ... ............ .................... ..... . ......... . ... 223
Pros and Cons ........... ............................... .............................. 223
System Features .. ....................... ............... .................. ....... 224
Managing a Purchase .............................. ................................... 224 .

Operating the System . . . . . .. .. . .. . . . ... ..... ............. .................... .... 225

System Performance . . . . . ........... .. . ..... . ............ . . 225 .

Maintenance .............. .................. .................... .................. ....... 225

Intrusion Detection . ...... . ..................
. . .................. ........ 227
IDS Components ............................ ............................................. 227 .

Sensor Selection . ...... . . . .... . ... . ... . .. . . . . . . . . . . ... ..

. ..... .......... ...
. . ..... .... 22B
Minimum Expectations ............................. .................... ............. 22B
 Contents

Threat Individuals ........... ................. ...................... . ................ ... 229

The Insider ... . . ............. ...... 229
The Opportunist ........ . .. .. .. .. .. ........ .. . .. .. .. .. ........... .. .. .. .. .. ........ . . . .. .. . 230
The Professional. ... . . . . . ..... .. .. .....................
. .... 230
The I d eolo gue .............................................................................. 231
The Av en ge r ..... ................. ... ... 231
The Terrorisl ......................................................................... 232
Conclusions. ................................... ............ 233
Review Questions ............ 233
References . ................. . ............... .... .............. .............. 234
Further Reading .............. .................... .................. ................. ........ 234

CHAPTER 13 Managing Investigations . . . ... . . . . .. . . . . .... . . ..... .. . ..... . ...... . . . 235

.. .. . ..

Introduction. ........................ ................................................ 235

Case Management . ........ . .. .. .. .. .. ........ .. . .. .. .. .. ........... .. . . ...... ........ . . . ..... 236

Infrastructure .................. .................... .. ........... 236

In ternal Operation s ..................................................................... 236
Private Investigation........ ......... ...... .. ... ... 237
Inve stiga tion Type s ........ .................. .................... .................. ........ 238
Constructive and Reconstructive I nvestig ation s ....................... 238
Pr eventive or Pr eemptive Investi gations ........... .................. ..... 239
Due Diligence Investigations .... . . ....... ..... . .... ..
. . .... ....... ....... . . . . ... 239
Surveys ........................... ........................................ ...................... 240
Administrative Inqu i r ies .............................................................. 241

InternalTh e ft Investigations.. .. ................ .. .. 241

Fraud Investigations . . . . .. ...... ........ . . ... . ..... .......... ......... .. ........ . . . ..... 243
Compliance Investigations .................................................... ..... 249
Undercover Investigations . . . . . . . . . . . . . .... .. . .................
. ... 251
Interest Group Investig ations .............. .................. ................ ... 252
Physical Evidence ... . . . ........ ........ 253
Evidence Collection .. . .. .. .. .. .. ........ ..... .. .. .. ......... . .. . . .... .. ....... ....... 254 ..

Forensics ...... .. . . .. . . . ... .................. .............. .............. 254

Probative Value.... ... . . . . . . . .. .. . ............... ....... 255
Qualitative and Quantitative An alysis.. . .. 255
Mixed Samples. ........ . . ... .. .. .. ........ . . . .. . . .. ............ . .. . ....... ........ . . . ..... 256
Markings .................. ................................. .............. 256
DNA Samples .. . ......
.. ... . . . . .. .... . . . . . . .......
. . . . . . . . . . .. . ... . ...... . . . 256
..... .. . . ...

Arson Debris Samples . . . . ........ . . . . . . . . .............. .................... ... 257

Blood Samples . . ... . .. .
. . .......... . ... .. .
. . . ...... . . ....
. .. .. .. . ...... . .. ..... ..
. . .... 2S7
Deceased Persons Samples ........................... ..................... ..... 257
Tissue Samples . ........ . . . . . .. .. .. ........ . . . .. .. .. ............ . . . .. .. .. .. ........ . . . .. . . . 258
Fingerprint Samples . ............................................................ ..... 258
Drug Samples. ....... 259
Ballistics Examinations ............... ................... ................. . ..... 259
Firearms Examinations .............. .................... ................. . ..... 259
Contents

Shotgun Examinations ................................... . .......260

Gunshot Residue Examinations .. .................... ..................... ....260
Tool Mark Examinations ....................... ...................... ..261
Questioned Documents Examinations ............................. 261
Other Typ es of Examinations ........ . . . . . . . . . . .. . . . . . . .. . . . . . . . . . . . .. . . . . . . . . .... 264
PoLygr ap h Testing ... .................................................... .............264
Written Consent Required ........... .................. ................. .......264
P oLyg rap h Theory ...... ................. .................... ....264
PoLygraph Accuracy ... .... . ... .
. . .. ..... ... ....
. . . .............. .... . . ......... . . . 265
. . .

Polygraph E rrors .................................................................... 266

The Deposition.......... ...... .................. ....266
Discovery .... . . . . . . . . . . . . ........ . . . . . . . . . . ........ . . . . . . . . . .......... . . . . . . . . . . . ....... ........ 267
PretriaL Preparation ....... ................... .............. ................. ....26B
Trial Procedures .... . . .. ... ... . . ... . ...... . ....... . .......... ..
. ...... ...... . . . . . . . 26B
R a pport ...................... ............................... .................... ............. 269
Con clusions _. .................................................................. V1
Review Questions ................................. .................................. 272
References . .. .................. .................. .............. ............. 272
Further Read ing .................... .................. .................. .......273

CHAPTER 14 PreempLoyment Screening .. . ........... . . ... 275

Introduction.. . ................. .................... .............. .................... ...275
Neg Lig ent Hiring ... .... .. . ... .. . .. ....... . ..... . . ..
. . ........ ....
. . ... .. . ...... 276
Employment AppLication Form .................. ....276
Verifying AppLication Lnfo rmati on ..................................................... 277
Credit Headers .... .... .. ... ..... .. ... .. .. ...... .. .. . . . . . . ... .. ...... .. .. . ....... 27B
. . . . . . .

The SociaL Security Number .......... .................. ................. ....279

EmpLoyer Pref e rences ................ .................... ..................... ....279
The Background In qui ry ......................... ................... ................ 2B1
Use of Private Invest igat ors .................. . ................. 281
Adverse Action ......... . ....... . ...... .. . .............. ...
. . ...... ...... . . . . . . . 283
Employee R eLea se .......... .................. ...................... ....265
Reference Checks . ... .. . .... .. . .... ......
. . . . . ........ . . . . . . . .. . . . .
. . . . . . . . . . .. . ... . ........ 286
I nterviewi ng KnowLedgeable Persons ........................ ...... 286
I nterviewing Techniques "" . ".. .. .. .. .. . ................... " 286
Records of Interest .. ..... .. . ... ... .... ..... .. .. . .. ........... .. ... . ...287
Municip al Records .... . .....
.. . . . . ... . .... ..
. ... . .. . ... .. . .... ..
. ................ . . 287
. .

County Records . . . ................. .................. ............... ............. 2BB

State Records .... ........ . . . . . . . . ... . ....... . . . . . . . . . . . . .
. ....... . . . . . . . . . . . . . ..... . . . . . . . 2B9
Uniform CommerciaL Code..................................... ..................2B9
Database Searches. ............. ..... ................... .............. . ... .........289
Cost Avoidance ... .. . .... .. . .... ......
. . . . . ........ . ... . . . . . .. . . . .
. . . . . . . . .. ... . . ........ 290
Fair Credit Reporting Acl . .......290
Credit Lnformation ... ....................................................................291
Con sumer Repor t ......................... ..................... .................... ....291
Investigative Consumer Report . . . . . . . . . . . ...... . ...... ...
. . . . . . . .. . . . . . . .. . ... 291
 Contents

Negat ive I nfo rm a t io n ..... 291

Cred it Ap pli cat i o n . ... . . . ... ..... . . . . . .................... ........................... �2
Local Records . . . . ........ . . . . . . . . . ........ ......................... ..... 292
Freedom o f Information Act [FDlAI ..... 292
P ri va cy Act of 1 974 ........ . . . . . . . . . ......... . . . . . . . .............. . . . . . . . . . . .......... . . . . . 294
The Gramm-Lea c h - B liley Act .... . ... . . . . . . . . . . .. . . . ..
. .. . . . . . . . . . ...... . .... .. . 294
. .

H ealth Insurance Portability and Accountability Act . . . . . . . . . . . . . . . . . . . . . . 295

Ap pli cant Testing . . . . ........ . . . . . . . . . .......... . . . . . . ............... . . . . . . . . . . . .. . . . . . . . . . . . . . . 295
Drug and Alcohol Tests . . . , . . . '...... . . ................ , .... , """, .... , .... 295
Paper-and-Pencil Tests " " .,. " " " " " " " ,.,.,." " " " " " " . , , �6
Achieve m e n t Tests ... """""""" 2 9 7
Aptitude Tests ......... . . . . . . . . . ............. . ......... . ........ . . . . . . . . . . . . . . . . . . . . . .. . . . . . 297
Intel ligence Tests .. , . . . . . . . ........... . . . . . . . . . . ......... . . . . . . . . . . . . ....... . . . . . . . . 2 9 7
..

Interest I nventories . . . . . . . . . . . . . ............................ . . . . . . . . . . . .. . . . . . . . . . . . . . . 2 9 7

O bj ect ive PersonaLity Tests . . ...... . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . 298
Test Va lidity" " " " """" " " " " " " ''''''' , . . . . . " . , , " " " , . , . , . , . , . , " " " " , . , . , . , . 298
, , , ,

Problems in Design and Interpretation . . ..... . . . . . . . . . . . ... . . ..

.. . ... . . . , 298
.

Review Questions . . . .. . . . . . . . . . . ..... . .............. . . .

. . ..... . ..... . . . . . . . .
. . ...... . . . . . . . . . 300
. .

Refere n ces . . " " " .. "" ....... . . . . . . . . . . "",,. " " " " " " ............ " . . . . " .......... . . . . 300

CHAPTER 1 5 E m ergency Management . . . . . . . . . ..... . .. .. . . . . . . . . .. . . . . . . . . . . . . . . ... . . . . . 301

Introduction . . . . . . " " " "...... .. ............ . . . . . 3 0 1
Emergency Management Process .. . ............... . . . . . . . . ............ . . . . . 3 0 1
O bject ives .................. . . . . . . . . . ............ . . . . . . . . ...... ............ 3 0 2
Exec u t i o n . . . . " .... ," " " " ,
" , . . ,""", ........... , ' " . . . . . , 30 2
M i ti gation . . . . . . . . . . . ... . . . . . . . , 303
Anticipation . . . . . . . . . . . . . . . . . . . . . . . . . ....... . . . . . . . .......... . . . . . . . .............. . . . . . 304
Preparation .... ,......... " " . . "............ . . ............. . . . . . . 305
Procedures . . . . . . . . ...... . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ...... . . . . . . . . 306
Tra i n i n g . . . ..... . . . . . . . . . . ....... . . . . . . . . . . ............. . . . . . . . . . . . . ...... . . . . . . . . 3 0 7
Response . . . . . ....... . ...... . . . . . . . . . . . .. . ...... . . . . ....... . . . . . . . . . .. . . . . . 307
External S u p po rt Ag e n c ies ............ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ......... . . . . . . 308
Dealing with the Media . . . . . . . . . . . . . ............................. . . . . . . . . . . . .. . . . . . . . . . . . . . . 309
Priorities ....... . . . . . . . . . . ......... . . . . . . . . . . ......... . . . . . . . . . . . ......... . . . . . . . . 3 1 0
Security Problems ..... . . . . . . . . . .......... . ..... . .
. ........ . . . . . . . . . .
. . . ............ . . .310
. .

Eq u ipp i ng P lan Res po n d e rs "..... . . . . " .... " ..... , ....... 3 1 1

N a t i o n a l I n cident M a nagement System . . . . . . . . ....... .. . .. . . . . . 31 1
Preparedness . . . . ........ . . . . . . . . . . .. . . . . . . . . . . . . . . . . ........... . . . . . . . . . . . . ........ . . . . . . . . 312
Incident Com ma nd System . . , , , ........ ,, ............. ,, ....... . . . . . . . . . . ................ 3 1 2
Mutual Aid a n d Assist a nc e Agree m e n ts . ..... . . . . . . . . . . . . ... . . . . . . . . . . . . 3 1 4 .

Bomb I n c idents ...... . . . . . . . . . . . ........ . . . . . . . . . . ........... . . . . . . . . . . . . . . ...... . . . . . . . . 3 1 4

Proactive Meas ures . . . . . . . . . ....... . . . . . . . . . . . ...... . .. .... . . . . . . . . 3 1 4
B o m b I n c i d e n t M a n a g ement Program " " " . . . . ......... . " . . , 3 1 6
B o m b I nc i d e nt Plann i n g . . . . . . . . . . . ......... . . . . . . . . . . . .......... . . . . . 3 1 6
Strategy . . " " " . . . . . . ... . ... . . . . . . . . . ..... . . . . . . . . . . . . . . .. . . . . . . . . . ............ . . . 3 1 7
Contents

Bomb I n c i d e n t Plan and Procedures . . 318

. .

The Telephonic Bomb Th re a t ... ... . . . . . . . . . . . ......... . . . . . . . . . . . .......... . . . . 3 1 9

Evaluation of t h e B o m b Threat .... . . . . . . . . . . . . . . . . . . ............... 320
Evacuation Options . . . . ......... ....
. . . . . . . . . . . . . . . . . . ..... . . . . . . . 321
The Search . . . . . . . . . . ........ . . . . . . . ....... .................. ...... . . . . . . . 322
Probability and Cr itica lity ............. . . . . . . . . . . . . ........ . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Dis covery of a Suspi c i ous Object . . . . . . . . . .. .. . . . . . . . . . . . . ...... ... . . . 324
Aftermath of an Explosion . . ....... ..
. ..... . .. . . . . . . . 325
F ir e E m e rg enci es , .........., . , . . . . , . , . ,....... , . , . , . , ........... " . , . , . . . . ........ ., . " , . 325
Fire Control System . . . . . . . . . . . .......... . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . 326
Floor Wa rd ens . . . . . . . . . .......... . . . . . . . . ............. . . . . . . . . . . . . ...... . . . . . . . 326
Fire Conditions .... . . . . . . . . . ......... . . . . . . . . .......................... ...... . . . . . . . 327
When a Fi re Condition Is Serious . . . . . . . . . . ............ . . . . 328
Fire Control Team ..... . . . . . . . . . . . ....... . . . . . . . . . ........... . . . . . . . . . ............ . . . . 330
Security Officers . .. . . ... . . . . . . . . . . . .. . . . . . . . . . . ............ . . . . . . . . . . .. . . . . . . . . . . . . . 3 3 0
O ccupa nts . . . . . . ............. . . . . . . . . . . ....... . . . . . . . . . . .......... . . . . . . . . . . ........ . ... 331
Natural D i s asters ... . . . . . . . . . .......... . . . . . . . . . ............ . . . . . . . . . . . . ...... . . . . . . . 33 1
M e d i c a l Emergencies ... ............. . ....... . . . . . . . . . . ........... . . . . . . . . .
. .. ...... . . . . . . . 334
Fundamental Practices . . . . . . . ......... . . . . . . . . . ............ . . . . . . . . . . . . . . . . .. . . . . . . . . 335
Exposu re to AIDS and H e patitis B . . . . . . . . . . . . . ... . .. . .
. . . . . . ....... .. . .. . . . . 336
Conclusions .. . . . . . . . . ........ . . . . . . . . ...........
. . . . . . . . 339
Review Questions . . . . . . . . . . .......... . . . . . . . . . .......... . . . . . . . . . . . ....... . . . . . . . . 339
References ... .................. .................. .................. . . ..... . . . . . . . 339

CHAPTER 16 B u s i n ess Continuity . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ....... . . . 341

Introd uction . . . . . . ...
. .. . . . .. . .
. . . .. . . . . .
. . . . . . . . . . . . ... . . . . . . . ... . . . . . . . . . . . . . . . . . . 341
. . . . . . .. . . .

Policy .. . . . . . . ...... . ...... . .. . . . . . . . ....... . . . . .. . ......... . ..... 341

Risk Assessment . . . . . . . . . . . ......
. . . . . . ........... . . . . 343
Thinking Ahead . . . . . . . . . ......... . . . . . . ....... ....... . . . . . . . . . .... ...... . . . . . . . 345
Continuation and Resumption . .. . ... . . . . .. . . . . . . . . . . . . . ....... ....... 347
Business Impact Analysis . . . . . . . . .. . . ... . . . . , ................ .................. .. ..... 348
Recovery Program . . . . . . . . . . . . . . . . . ....
. . . . . . . . . . . . . . . . . . .
. .. . ... . . . . . . . . . . .
. .. .. ..
. . . . . . . . . 349
Respond . . . . . . . . . . ......... . .. . . . . ........... . .. . . . . ............... . . . . . ............ .. ..... 350
Recover ... . . . . . . . . .......... . . . . . . . . . . .. . . . . .. . . . . . . . . . . . .......... . . . . . . . . . . . ......... . . . . . . . 350
Restore ..... . . . . . . . ............ . . . . . . . . ....... . . .............. . . . . . . ........ . . . . . . . 351
ConcLusion ... . . . . . . . . . . . . . . . . . . . . . ..... .. . . . . . . .. . . .. . . . . . ... . . . . . 351
. . . . . . . . . . . . . . . .. _ . . . . . ._ .. . . .

Review Qu estions . . . . . . . . . ......... . . . . . . . . . ........... . . . . . . ........... . . . . . 352

Refere nces ... . . . . . . . . .......... . . . . . . . . . . . . ...... . . . . . . . . . . ... .. . .. .............. ..... . . . . . . . . 352

CHAPTER 17 Managing Information Secu ri ty ..... . . . . . . . .......... . . . . . . . ......... . . . 353

Introduction . . . ... . . .
. . . . . . . . . . . ... . . ... 353
. . . . . . . . . . . ..... . . . . . . . . . . . ._. . . ............ . . . . . . . . . . .

M a n a g e m e n t I ntention ... . . . . . . . . . . ....... . . . . . . . . ........... . . . . . . ............ . . . . . . 355

Intention . . . . . . . . . . ............ . . . . . . ............ . ............. . . . . . . . . ............ . . . 355
D ue Care .... . . . . . ........ . . . . . 357
IT Governance . . . . . . . . . . . . . . . . . .
. . . . . . . . . . ... ... .. . . . . . . . . . . .. . . . . . ..
. . . . . . _. . . . . . ._ ... . . . . . 35B
. . .
 Contents

IT G over nance ModeLs . . . . . . . . 359

N o I ntent and N o Fram ework Means No Governance..... . . . . 361
The I m porta n c e of Trans p a ren cy . . . . . . . . . ....
. . . . . . . . . . . . . . . . .......... . . . . . 362
Th reat Assessment . . ... . . .. . . . . . . . . . ........... . . . . . . . . . . . ........ ....... 364
Esti mat i n g Costs of Exposure: Quantitative
Versus Qu a li t a t ive Risk Assessment . . . . . . . . . . .. . . . . .. . . . . . . . . . . .. .... .. . . . . . . 367 . . .

Quantifying Risk................ . . . .......... . . . . . . . . . . . . ............ . . . . . . . . . . . . . . . . . . 367

Q u a l i fying Risk . . ........ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . 367
How Management C a n Re s p o n d to Risk . ..... . ... . ... ..... . . . . . . .... .. . .
.. ..... 368
Risk Mitigation . . . . . . . . ... ......
. . . ................ . . . . . . . . . . .. . . . . . . . . . . . . . . 371
Risk Assumption....... . .. . . . . . . . .. ... .. ...
. . . ........... . . . . . 3 7 1
Risk Avo i d an c e . ...... . . . . . . . . . . . .......... . . . . . . . . .............. . . . . . . . . . . . . . . . . . . . . . . . . . . 372
Risk Limitation ......... . . . . . . . . . ......... . . . . . . . . ............ . . . . . . . . . . . ....... . . . . . . . . 372
Risk Transference . . . . . . . . . . . . . . . ............................ . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
Security Manag ement . .... . . . . . . . . . . .. . . . . . . . . . . .................. . . . . . . . . .. . . . . . . . . . . . . . 373
Organizational S t rategy . . . . . . . ............................. . . . . . . . . . . . .. . . . . . . . . . . . . . . 373
O p era t iona l Response to Security ..... . . . . . . . . . . . . . . . . . . . . . 374
Tactical Response to Security . . . . . . . . . . .
. . . . .. . . . .. . ... . . .
. . . . . . ........ . . . . 376
. . . .

Strategic Response to Security ..... . . . . . . . . .... . . . . . . . . ............ . . . . . 377

IntellectuaL P roperty ....... . . . . . . . . . ......... . . . . . . . . . ................ . . . . ............ . . . . . 380
Activities to Sec ure IntellectuaL Property .... . . . . . . . . . . . . . .. ..
. .......... 380
Education Activi ti es . . . . . . . . . . . . . ............................... . . . . . . . . . . ........ . . . . . . . . 380
Support Activities . . . . . . . . . . . . . . . . ........ . . . . . . . . . . . ... . . .
.. .. . .. ........ . . . . . . . . 380
Access Controls and Permission Activities...... . . ... 381
Verification and Nonrepudiation A ctiviti e s ....... . . . . , . , . , ....... ,,'" . , . 38 1
M o n itor ing Detection, Qua ra n ti ne, a n d Deletion Activities
, ..... 381
Filteri ng Activities ............................................. . . . . . . . . . . . ........... . . . . . 381
Intrusion Detection and Preve ntion Activities . . . . . . . .................... 381
Data Backup, Archive, a n d Destruction Activities ............... . . . . . 382
Redu ndancy Activities .... , .............. . . . . . . . . . . . . .............. . . . . ............ . . . 382
FauLt To le ra n c e Activities . . . ........... . . . . . . . . . . ......... . . . . . . . . . .............. . 382
Media Control Activities . . . . . . ........ . . . . . . . . . ........ . . . . . . . . . . . . ... .... . . . . . 382
.. . .. .

Cryptography Acti vit i es . . . . ............................... . . . . . . . . . . . ........... . . . . . 383

Computer Forensics and Investigatory Activities . . . . . . ................ 383
Cha ng e M a nagement Activities . . .... .. . . .
. . ... . .. ... .. . . . . . . . ... . . . . . . . . . . 383
. . . .

Documentation Activities ......... ....

. . . . . . . . . . .. . . . . . . . . . . . . . . . . . . ........ .. ... . 384
. .

Assessment a n d Corrective Action Activities . . . . . . . . . . .................. 384

The Risk of Scale . ....... 385
Review Q ue st i o n s . . . . ........ . . . . . . . ...................................... . . . . . . . . . . . . . . . . . . . . 387
References . . . ..... . . . . . . . . . . ....... . . . . . . . . . . ............. . . . . . . . . . . . . ...... . . . . . . . . 389
Further R ead i ng . . . .......... . . . . . . ............... . . . . . . . ........... .. ... 390

CHAPTER 18 Substance Abuse 391

Introducti o n . . ..... . . . . . . . . . . ........ . . . . . . . . . . ........... . . . . . . . . . . . . ...... . . . . . . . . 3 9 1
RoLe o f t h e Chief Secur ity Olticer....... . . .......... . . . . . . . . . . ............ . . . 3 9 2
Te sti n g for Illegal D r u g s . . . . . . . . . ........ ... ... . . .
. . . . . ......... . . .
. . . . . . . .. . . . . .. . . . . . . . 393
C o n te n ts

Alcohol Tes ti n g . . . . . ........... .. . . . . . . . ... . ... . . . . . . . . . . . ... . ... . . . .. . . .

. . . . . ....... .. . . . . . . 39 5
The Drug R e cognition Process.. .. . . . . . ..... . . . . . . . ....... . . . . . . 397
Employee Awareness and Cooperation . . . . . . . .......... . . . . . . . . . . ........... . . . . 39B
Intervention . . . . . . . . . . . . ........ . . . . . . . . .......... . . . . . . . . . . ........ .. . . . . . . . . . . .. ...... . . . . . . . 400
Rea sonable Cause Testing . . . . . . . 40 0
Consent to Test . . . . . . . . . . ........ . . . . . . . . ............. . . . . . . . . .... ...... . . . . . . . 40 4
Search with Implied Consent .... . .. . . . . . ... . . . . . . . . . . . . . . . . . . . . . . . ......... . . . . . . 404
Lo ok i ng for the In di ca tors . . . . . . ............ . . . . . . . . . . ........ ....... 404
Indicators of Abuse ... . . . . . . . . ... . .
. . . . . . . . .
.. . . . .. . ... . . . . .. . . . . . . ... .
. . . . . . .. . . . 405
Investigation .... ......... 407
Contraband . . . . . . . . . . ......... . . . . . . . . . . ........... . . . . . . . . . . .. ...... . . . . . . . 40B
C h a i n of Custody ..... . .. . ..
. . . . . ... . ... . .. . . . .
. . . . . . ....... .. . . . . . . .. . ..... . ... . . . . . 40B
. .

Coordination with Law E n fo rcem ent . . . . . .. ........ . . . . . . . . . . . ............... 40B

The H ealth Insurance Portability and Accou ntability
Act of 1996 ...... . . . . . . ............ . . . . . . . . ........ . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . 40B
Review Quest i o n s ........ . . . . . . . . . . . . . . . . . . . . . . . . . . ... . ..... . . . . . . . . . . . . .. . ... . . . . . . . . . 41 0
. . .

References ....... . . . . ............ . . . . . . ............ . . . . . . . . .......... . . . . . . . . . . ............ . . . 41 1

Further Reading . . . .. ... ...... . . . . . . . . . . .......... . . . . . . ......... . . . . . . . . . ........ . . . . . . . 41 1

CHAPTER 19 Execu tive Pr otecti o n ...... . . . . . . . . . . . . . . . . . . . . . . . . . ........ . . . . . . . . ....... . . . . 4 1 3

Introduction ... . . . . . . ............ . . . . . . ............
. . . . . ............ . .. 4 1 3
T h e Protected Persons ... . . . . . . . . . . ....... . . . . . . . . . . .. ........ . . . . . . . . . . ......... . . . . . . . 4 1 4
..

Program S ize. Equipment. a n d Obj ectives . . . . ......... . . . . . . . ... . . . " .. . . . 41 5

Protection at the Office and at H o m e . . . . . . . . . . . . . . . . ........ . . . . . . 4 1 7
The Threat .... . . . . . . . ........... . . . . . . ........................... ...... . . . . . . . 4 1 7
Adversa ry Attempts a t t h e Residence or Office . . . . . . . . .. . ..... . . 41B
. . . .

Event Protection i n the United States .... . ...... 41 8

Team Leader . . . . . . . . . . . . ......... . . . . . . . . . . ........... . . . . . . ...... ..... . . . . . . . 4 1 9 .

Event Protect i on Overseas . . . . . . . . . . .......... .. .............. . . . . 420

Operational PLan . . . ... . . . . . . . .. .. . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . .... .... . . . . . . ... 422
. .

Antikidnap Plan ................ ................ ............... ..... 423

K i d n a p Insurance .... . . . . . . . . . . . . . ....... . . . . . . . . . . .. ...... . . . . . . . . . . . . ......... . . . . . . . 423
.

K i d n a p Su rvey ..... . . . . . . . . . . . .. .. . . . . . . . . . . . .... ... . . . . . . . . . . . ..... .. . . . . . . . . . . . 424

. .

Abduction .... .................... .................. . ...... 425

Con ta ct . . . . . . . . . . . ........ .. .. . .. . . . . . . ....... . . . . . . . .
. . . ... . ...... ..... 425
Ransom .. . . . . . . . . . . . ........ . . . . . . . ........... . . . . . . . . . . . . . . ..... . . . . . . . . 426
Proof of Life . . ..... . . . . . . . 426
Exec utive File .................. ....... 426
Training . . . .... . .. . ... . . .. .. . . . . . . . . ... ... . . . . . . . . . .. ..
. . . . . . . . . . .. . . . . . . . . ..... . . . . . . 426
. . ..

Avoid Attracti n g Attention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42B

Countermeasures . .. . . . . . . . . . .......... . . . . . . . . . . .......... . . . . . . . . . . . ......... . . . . . . . 429
After-Action Report ........ . .... .. ...... . . . . ..
. . . . . .................. .... . . 431
Conclusi o n s ..... . . . . . .. . ... . . ..... . ... . .. . .. .... . . ... ...... . .
. . ... . . . . . ... 43 1
. ..

Review Q u e st i o n s . . . . . . . . . . ........... . . . . 431

Refere nces .. . . . . . . . . . . . ....... . . . . . . . . . . ....... . . . . . . . . . . ... ... .. . . . . . . . . . . . . ...... . . . . . . . 431
. . . .
CHAPTER 20 Workp lace Violence . ..... .. . . . . . . . .. . .... . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . .... . . . . 433
Introduction ........ .......... .................. ..................... . ............ 433
Policy . . . . . . . .. . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . 433
Procedures . . . . . . . . .. ...... . . . . . ..
. . . . . . ..... .... . . ... .
. . . . ....... . . . . . . . . . . . . .. . . . . 436
. . . . . . . . . .

Characteristics of Workplace Vio le n ce . . . . . . .......... . ..... ....... 438

Assessment . . . . . . . . . . . ......... .. . . . . .
. . . . . ........ ..... .. . . . ... . ....... . . . . ..
. . . . ........ . . . . 442
. . . .

Read iness . . . . . . . . . ........... . . . . . . . . . . .......... ......... ......... . . . . . . . . 443

Tra i n i n g . . . . . . . . . . . . . . . ...... . . . . . . . . . . ........ . . . . . . . . ............ . . . . . . . . . .......... . . . . . . . . 444
Response ...... . . . . . . . . . . ........ . . . . . . . . . . ......... . . . . . . . . . ...... . . . . . . . . . . . . 445
Intervention .. ................... .................... .................. ........ 447
Psyc h o log ica l P ro fi lin g . . . . . . . . . . . . . ...... . . . . . . . .............. . . . . . . . . . . . ........ . . . . . . . . 448
Liabi lity ...... . . . .
. . . .... . .
. ....... . . . . . . . ......... . . . . . . . . . ..........
. . . . . . ............ . . 450
N eg li g e nt Hiring .. .. . . . . . . . . . ......... . . . . . . .
.. . . . .............. . . . . . 451
Wrongful Ter m i n at i o n .... . . . . ................................................. . . . . . . . . 451
Nond isclosure of Problematic Performance_. . . . . . 451
I na dequate Security ............._ ... . . . . . . . . . . ....... . . . .. . . . . . . . . . . ... .
. . ....... 451
Avoiding Liability........ . . . . . . . . . . ......... . . .... 451
Caution .................... . .................. .......... ......... . . ............ 452
Conclusion . .... .. .. .. .. ....... . ............. . . . . . .. . . ...... ....... . . . . .... . . . . ....... . .... .. .. 453 .

Review Questions ....... 453

Refere nces . . . . . . . . . ........... . . . . . . . . . . ............. . . . . . .......... . . ............ 454

CHAPTER 21 E m ployee Awareness Program . . . . . . . ........ . . . . . . . . . ..... . . . . 4 5 5

Introduction . . . . . . . . . . . . . . ...... . . . . . . . . ......... . . . . . . . . . . . .......... . ............. 455
Goals ...... . . . . . . . . . . . ... . . . . . . . . . .. . . . . . . . . .. . . . . . . . . . . . . ...... .. . . . . . . . . 455
.

Awareness i s a n Ongoing Process . . . . . . . . . . . ....... . . . . .. . .

. . . . . ...... . . . . 456
..

Awareness is Loca l . . . . . . . . .. . . .. . . . . . . . . . . . . 456

Awareness Program . . . . . . . . . . . . . . . ..... . . . . . . . . . . .......... . . . . . . . . . ..... . . . . . . . . . . . 457
.. . .

Apathy. . . . . . . . . . . . . .. .. ...... . . . . . . . . ....... . ... . . .. . . . . . . .... . . . . . . . . . . . ........ . . . . . . . . 458 . ..

The Message . . . . . . . ........ ... . . . . . . . . . .. .... . . . . .. .. . . . . . .. . .. . . . . . . . . . . ........ . . . . . . . . 458

_ . . .

The Spotlight.. . . . .. . . . . . ....... . . . . .......... . ... ...... ....... 459

Workforce Culture ......... .. .. . .
. . . .......... ..... ......
. .... . ....... . . . ..
.. . . . . ......... . . . 460
. .

Conclusi o n . . . ........ ....... ............. ........ ........ ............ ............. 462

Review Questions . . . . .......... ... . ... . . ... . ..... . . . ....... . ...... . . . . .
.. . . . . .. . . .... . . . . . . . . 462
.. .

References .......... .......... . . . . . . . .. . . ........ ........ ............ . . . . . . . . . . ................. 462

CHAPTER 22 Vulnera bility Assessm enl... . . . . .. .... . ... ....... ...... . . .. .... ... . . . . . . . . 463
.. ..

Introd uction . . . ........... ................ . . . . . . . . ............ . . . . . . . . . ......... ........ 463

The Pro cess ...... . . . . . . . . . ......... . . . . . . . . ............ . . . . . . . . . . ...... . . . . . . . . . . 464
D e te rm i n e A utho rity Scope, a n d Leadership . .. . . .. . . . . ..... . . . . . . . . . 464
. .

S c o pe ..... . . . . . . . . . . . .......... . . . . . . ..... ....... . . . . . . . . ........... . . . . . . . . 464

Leadersh ip . ....... ....... . . . . . . . . . ......... . . . . . . . . . . ............ . . . . . . . . . . . . . . . . . . . . . . . . . 467
Characterize the Facility . . . . . . . . . . . ......... . . . . . . . . . . . ........ ....... 468
Identify Meaningful Assets . . . . . . . . . . . .. ... .... . . . . . . . . . . . ........ . .. . . . . . 469
Identify Critical Assets .... ... . . ........ . ... ....
. . .... . .... .. . . . . .. . . . ....... . . . . 469
.. . . .
Contents

Characterize the Pote nt i al Threat . . . . . . . . . . .......... . . . . 472

I d e ntify the Site's Current Capabilities ....... .. .. . . .. . . . . . 473
Identify the M i ssi n g Capabilities [Vulnerability ! . . . . . . . . . . . ....... . . . . . 473
I d e n tify a n d Recommend Measures that ELiminate
or Reduce VulnerabiLity ............... ... . . . . .. .... .. . . .
. . . . . . . 473
I m p l em e nt Countermeasures ...... . . . . . . . . ............. . . . . . . . . . . . .. . . . . . . . . . . . . . 473
Exit Briefing ... . . . . . ............ . . . . . . . . . 474
Final Report... . . . . .. . . .. . . . . . . . . . . . . . . ... . . . . . . . . .. .
. . . . . . . . . . .. . . . . . . . . .. . . .
. . .. . . . . 475
. . .

Management Actions .... . . . . . . . . . ........ ... . . . . . . . . ...... ...... . . . . . . . . . . . ........ . . . . . . . 475

N a t i o n a l I m plications . . . . . . . . ... . ..... . . . . . . .
.. ... . . .. . . . . . . . . .... . . . . . . 47B
. . . . .

Conclusions . .. . . . . . . . . . . . . . . ........... . . . . . . . . .......... . . . . . . .......... . . . . . 479

Review Questions ...... . . . . . . . . . . ......... . . . . . . . . . . . ............ . . . . . . . . . . . . ...... . . . . . . . 479
Ref e re nc e s . . . . . . . . . . . . ..... . . . . . . . . . . . . . ....... .
. . . .. . . . . . . . . . . . . . . . . . . . . ....... . . . . . . 479
Fu rth e r R e a d i ng . . . . . . . ..... . .. . .... . . . . ...... . . . . ........ .. . . . . . .. .
. . . ..... .. . . ., . . 479

CHAPTER 23 Security Program D e s i g n .... . . . . . . . . . . . . . . . . 481

Introduction . . . . . . . . ......... . . . . . . . . . 4Bl
Th ree P i lla rs . . . . . . . . . . ......... . . . . . . . . . . ......... . . . . . . . . . . . . . . ...... . . . . . . . 4B2
People . . . . . .. . . . . . . . . ........ . . . . . . . . . . ........ . . . . . . . . . . . . . . ...... . . . . . . . 4B2
Process . . . . . . . . . . . . . . . . ..... . . . . . . . . 4B3
Physi c a l Secu rity . . . . . . . . . . . . ......... . . . . . . . . .............. . . . . . . . . . . ........ . . . . . . . 4B4
Trai n ing ..... .. . . . . . . . . . . . . .. .. . . . . . . 4B4
Testin g the Design .. . . . . . . . . ........... . . . . . . . . . . ........... . . . . . . . . . . . . ...... . . . . . . . 4B7
PeopLe Testing ........... "" . . . . . . ..... . " " " " " . . ... . . . " " " . . . . ... . . . . . " " " , , 4B7
Process Testing . . . " .... . . . . . . . . . . ........ " . . . . . . . . .......... " . . . . . . . . ......... . . . . . . 4BB
Physical Secu rity Te sti n g , " .............. " . . . . . . . . ....... " " . , , 4BB
Full-Program Testi ng ..... "" . . . . . ........ " . . . . . . . . " ......... " . " . ......... "" .. , 4B9
Revisi n g ......... . . . . . . . . .. . . . . . . . . . . .......... . . . . . . . . .......... . . . . . . . . . . . . . . ..... . . . . . . . . 490
S ecu rity P ro g ra m Des ig n and the External Enviro n m e n t ... . ......... 49 1
Co n cLu si o n . . . . . . . . . . . . . . . . . . .
. . _. . . . . . . . . . . . . . . . . . . . . . . .. . . . .. . . . . . . . . . . . . ... . . . . . . . 492
. . . . . _ . .

Review Questions . . . . . . . . . ........ . . . . . . . . . . .......... . . . . . . . . . . ........ . . . . . . . 492

References ... . . . . . . . . .......... . . . . . . . . .......... . . . . . . . . . ........... . . . . . . . . . . . . . ..... . . . . . . . . 493

CHAPTER 24 The I m p a rLance of Policies a n d Procedures" " .. "" . . . . . . . . , 4 9 5 "

Introduction . . . . . . . . . . .......... . . . . . . . . . ......... . . . . . . . . ........ . . . . . . . . . . . . . . ......... . . . . . . . 49 5

Statement o f the Problem " " " .......... " " " " ............. " " " . . . ........ ,,' " , , 49 6
Factors Contributing t o Emp l oyee Behavior . ."..... . . . . . . . . . . ....... .. ..... 49 B
Definitions.... " . . . . . . ........ . . . . . . . "...........
. . " " .. " " ......... . " . . 499
E m p loyment-at-Will ... . .
. ... . ... . ..... . . . . . . . . . . ..
. . .... . .... . . . . .
. . . . ............ . . 499
. .

Security Governance .. . . . ... . .. . .

. . . .. . . . . . . . . . . . .... . . . . . . . 500
Security Program . . . _. . . . . . . . . . ......... . . . . . 500
Physical Protection Systems . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . 500
Sec u r ity Policy . . . . . . . . . . . .. . . . .
. . . . ... ... . . . . . . . . . . . . . .. ...
. . . . . . . . . . . . . ... . ...... . . . . . . . 500
Sec urity S t a n d a rd .... . . . . . . . . ........... . . . . . . . . . . . . ".. .. . . . . . . . . . . ...... .... . . . . 5 0 1
Security Procedure ... . . . . . . . . . . ........ . ... 501
T h e D i fference between Policies a n d Proced u res .... 501
 Contents

I m portanc e of Security Documentation . . . . . . . . ....... .. ......... ....... . . . . . . 502

.

Benefits Derived from a Strong Security Program . . . . 502

The Security S o Lution Hierarchy ............... . . . . . . .............. . . . . . 504
Approaches to Pr e pa ring Secu ri ty Program Documentation ..... . . 505
Centralized Approach ... . . . . . . .......... . . . . . . . . . . ........ . ............... . 505
De ce ntra li zed A p p roac h . . . . . . . . . . . . . . . . . . . . . . . .. ........ . . . . . . . . . . ........... . . . . . 506
Content of Documentation ................. ... ..................... .. ............... .. .. . 506 .

Standards of Conduct ... .................... . . . . . . ........ . . . . .............. . 507

Recommended Secu rity Policies. Standards. and
Proce d u res for Best Practices ... . . . . . . . . . . . . . ....... . . . . . . . . . . . ........ . . . . . . . 507
The Process of P repar i n g and Ma i nta i n i n g Sec ur ity
Doc umenta t i on ..... . ....... ........... ..... . . . . . . . . . . . . . . . . 509
Structure of Documentation ...... ............... . . . . . . . . . . . .......... . . . . . 509
FormaL. . . . . . . . . . ............ . . . . . . ............ . . . . . . . . .......... . . . . . . . . . ......... . . . . . . . . 5 1 0
Security Awareness Education .................... .. . . . . . . . . . . . 5 1 0
Monitoring Security Awa reness and Maintaining C onsistency . . . . . 5 1 1
Enforc e m e n t and Discipline . ....... . ... . .... .
. . . . ....... . . ....... . . . . ... 5 1 2
. . .. . .. . .

Review Questions ... . . ..... . . . .. ..

.. ... . ....... 5 1 4
References ..................... . . . . . . . . ........... . . . . ....... .............. ........................ 51 4
Further Reading ...... . . . . . . . . ......... . . . . . . . . . . ............. . . . . . . . . . . . . ...... . . . . . . . . 5 1 5
Appendix l - Framewor k PoLicies, Standa rd s , and Procedures . . . 5 1 5
Policies ........ . . . . . . . . . . . ........ . . . . . . . . . . ......... . . . . . . . . . . . ......... . . . . . . . . 5 1 5
Standards ...... . . . . . . . . . . . . . . . . . . . ........... . . . . . . . . . . . . . . ...... . . . . . . . . 5 1 6
Proce d u res . . . . . . . . . .... . .. . . . . . . . . . . . . . .. .
. . .... 5 1 6
Appendix 2-ALl E m p loyee Policies, Standards, and
Procedures ......................... .................................... ........... .............. 5 1 7
Policies . . . . . . . . . . . . . . ...... . . . . . . . . . ......... . . . . . . . . . . .......... . . . . . . . . . . . ....... . . . . . . . . . 5 1 7
Sta ndard s . . . . . . . . .. . . . .... ............ . . . . .. .... ........ . .
. . .... ..... ........ 5 1 8
Proce d u res . . . . . . . . ....... . . . . . . . . . ......... . . . . . . . . ............ . ............. . . . . . 5 1 8
Ap pe nd i x 3-Security S pecifi c PoLicies, S t a n d a rds, a n d
Procedures.. . ..... . . . . . . . . . . ....... . . . . . . . . . . ............. . . . . . . . . . . . . ...... . . . . . . . . 5 1 9
Policies . ...... . . . . . . . ....... . . . . . . . . . . ..... . . . . . . . . . . ......... . . . . . . . . . . . ......... . . . . . . . . 520
Standards ....... ........... . . . . . . . . . . ........... . . . . . . . . . ..... . . . . . . . . . . . . 521
Proc e d u res ...... . . . . . . . . . . . . . ........ . . . . . . . . . ............ . . . . . . . . . . . ................ 5 2 1

I N DEX . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
Introduction

Security is a difficult concept because it can refer to the objective absence of

threats and subjective feeling of being secure. To be a successful manager,
you must have specialized knowledge of security technology as well as
knowledge of management principles. I first became familiar with Jack Fay’s
books after I had worked as a manager for several years. I had worked in
security functions for several years so I had the technical knowledge, but had
limited managerial knowledge. In 1994, I discovered Jack’s book
“Contemporary Security Management” and found it was an excellent source
for guidance in organizing my security department, establishing our mission,
preparing job descriptions for each of the analysts who worked for me, inter-
viewing them, and training them.
I have continued to use his book through the years and looked forward to
the later editions in my career and have always found them useful—
especially in understanding security terminology, technology, and various
security functions. I have also found that my peers in other organizations
have used the text and have recommended it to others. I have found this
book to be well written, easy to read, and up to date. This book explains in
exact detail an abundance of fresh new strategies you can implement to
improve security awareness in your organization.
I was honored and yet humbled when Jack asked me to participate in writing
this edition as co-author and I have sincerely tried to contribute to this book
through my experience in applying the concepts.
The information you are about to read has proven results. Each chapter pro-
vides new information that will help you stay in control of your organiza-
tion, and stay ahead of the competition. If you follow the information we
reveal in this book, it is highly possible you will enjoy a very successful secu-
rity career.

xxiii
 CHAPTER 1

Future of the Chief Security Officer

What You Will Learn

I Security concepts used in the earliest history of mankind.
I The impact of technological advances on security.
I The meaning of security convergence.
I How the consolidation of functions improves security productivity.
I Challenges facing the Chief Security Officer.

INTRODUCTION
Security was essential to civilization in its earliest stages. During the late
Stone Age (Neolithic Period) when settlements were created and people
made the transition from hunters to farmers, they created villages with forti-
fied living areas for individual families. The villages had many physical bar-
riers for protection against the risk at the time which was being attacked by
people from another village. Walls, posts, thick enclosures, heavy doors with
stout closures, animals, moats, and traps all served to protect communities
from attack from their enemies. Therefore, even at these ancient times, a vari-
ety of physical security resources were employed to mitigate their risks
(Saint-Blanquat, 1986).
The earliest alarms to signal the approach of strangers were animate, and
communications depended upon smoke and light signals. In the modern
era, Information Technology (IT) traces its origins to the patent of the tele-
graph by William Cooke and Charles Wheatstone in 1836. Remote voice
communication became possible by Alexander Graham Bell’s development
of the telephone in 1876 (Greer, 1979; Grosvenor, 1997).
The alarm industry grew in tandem with the telephone. Edwin T. Holmes
was able to have cable for alarm connections laid at the same time cables for
telephones were being installed in buildings (Holmes, 1990). Wires histori-
cally transmitted alarm signals. These signals are transmitted over a 1
Contemporary Security Management. DOI: http://dx.doi.org/10.1016/B978-0-12-809278-1.00001-3
© 2018 Elsevier Inc. All rights reserved.
2 CHAPTER 1: Future of the Chief Security Officer

proprietary connection or on a common carrier (telephone line) of various

types. In modern times, wireless communications and computer-based sys-
tems have increased the reliability and speed of such signals. An operator in
a monitoring station no longer is bound to record routine opening and clos-
ing signals. Now the operator can be alert to any exceptions to the system
and respond to them without distraction (Mahoney, 1995).
The physical security measures described earlier have been enhanced first by
electrification and later by computerization. A broad range of devices have
been developed to aid security personnel in protecting the organization’s
assets:
I Closed Circuit Television (CCTV) that allows an operator to view
various locations around the facility from their desk and assess the
reason for an alarm. The system will also record images that are viewed
at a later time for forensic analysis.
I Intrusion detection systems that offer overt and covert capabilities as
well as improved accuracy for detecting unwanted personnel.
I Access control systems using advanced biometric-based automatic
identification systems that offer a higher degree of certainty that
individuals who present themselves at a checkpoint are indeed
authorized personnel.
I Improved communications systems including networks offering
multiple means and paths.
I Computer aided dispatch systems featuring consolidated security
functions to assist the operator in interpreting various alarms, and
helping him select the most appropriate response.
The first computer device was invented in 1946; by 1958, computer technol-
ogy had developed rapidly with much promise. At about that time the first
computer crimes were discovered. Crimes that consisted mostly of theft of
output and theft of computer time to perform unauthorized tasks. Since
computing and the internet were not designed with security as a foremost
consideration, it was inevitable that serious abuses and misuses would occur,
leading eventually to what many people consider a current crisis (Schell,
2004; Parker, 1976). As physical and logical security technologies have
matured, they can now be used to support each other. The development of
the IP network and the migration of sensors and appliances to a common
network have helped drive this transformation. Cameras are now Internet
Protocol based and operate over the enterprise network instead of a separate
network; access control card readers and intrusion detection sensors also
attach to the common enterprise network instead of a proprietary network;
identification databases, access logs, policies, and procedures are stored and
generated by computers.
 Contemporary Drivers for Corporate Security 3

Since the network supports the enterprise data and workflow as well as the
security devices, the two concerns are now subjected to the same threats and
need to be considered together.

ORIGIN OF CORPORATE SECURITY

According to Dalton (2003), corporate security organizations began some-
time before 1960 when companies used a person to look after the building
during the nighttime and signal a warning if any incidents such as fire or
break-ins occurred.
Throughout the 1960s and into the later years of the 20th century, more and
more duties were added including more guarding responsibilities such as
patrolling throughout the property, building access control, parking control,
and similar duties. As time passed, the security organization grew as it con-
tinued to perform duties such as security patrols, but, also took on more
operational responsibilities such as responding to emergencies, monitoring
machinery, operating security equipment such as CCTV cameras and moni-
tors, escorting employees, and investigating incidents (Dalton, 2003).
As industries developed weapons systems in response to the cold war threats,
and other government assets became more sophisticated, the need for greater
protection of not only governmental assets but also the information and assets
of companies manufacturing weapon systems for the government. The govern-
ment required different levels of control for information and assets considered
most critical to the national defense (Kovacich and Halibozek, 2003:51).

CONTEMPORARY DRIVERS FOR CORPORATE SECURITY

One of the adverse effects of organizations growing and becoming interna-
tionally involved has been the increase in the number of risks which face
large organizations with exposure to operational threats all over the world.
This international exposure has made the job of protecting business assets
much more complicated and has led to the development of sophisticated
physical protection systems (PPS) to assist security personnel in accomplish-
ing the role of protecting the organization’s assets. Also, the skills required
by the security personnel are more numerous and more complex.
The proliferation of threats to organizations doing business in global markets
has driven the growth of security organizations due to
I Dependence on the internet for business transactions
I The appearance of worldwide terrorism and their attacks on civilian
targets and symbols of western values has made large commercial
organizations realize they are attractive targets for terrorists
4 CHAPTER 1: Future of the Chief Security Officer

I The realization that damage to the US economy causes as much fear as

damage to physical infrastructure has propelled the need for disaster
recovery and business continuity programs
I The escalation in the hostile activities of animal rights and other activist
groups toward an organization’s assets and employees
I The growth of government regulations on the conduct of businesses has
also caused more growth of security departments due to the need for
effective corporate governance and the plethora of associated
regulations
I Access to large amounts of private data that can be used for financial
gain
I Large and small professional criminal syndicates aimed at cyber crime
I Malicious political activists such as the “Anonymous Group”
I The growth of the Determined Human Adversaries
I Malware mercenaries
I Nation state cyber warfare attacks (such as the attack on Sony Pictures)
These new threats to organizations have resulted in the contemporary secu-
rity duties that include:
I Protection of intellectual property
I Auditing responsibilities
I Responsibility for ethical policies
I Supply chain security
I Export control compliance
I Oversight of the divestiture of businesses
I Due diligence
I Personal security (Executive Protection)
I Physical security
I Project management for implementing PPS
I Information security
I Corporate governance
I Compliance and ethics programs
I Crime prevention and detection
I Fraud deterrence
I Investigations
I Risk management
I Business continuity planning
I Disaster recovery
I Information security
I Crisis and emergency management
I Environment, safety, and health
 Evolution of Information Threats 5

HISTORY OF DATA SECURITY

Even in the earliest history of humanity, people realized that they needed to
protect the information they were trying to communicate to others and
provide some means of detecting altering or tampering.
As civilization progressed, governments developed classification systems to
allow them to manage their information according to the degree of sensitiv-
ity. In modern times, rapid advancements in telecommunications, computer
hardware and software, and data encryption have helped organizations deal
with the challenges of data protection. The promotion of smaller, faster, and
cheaper computers made electronic data processing within the reach of small
business and home users that quickly became interconnected through the
Internet.
The rapid growth and extensive use of electronic data processing and elec-
tronic business conducted over networks and through the Internet, along
with numerous international terrorist acts promoted the need for improved
techniques for protecting the computers and particularly the information
they store, process and transmit. The academic disciplines of computer secu-
rity and information assurance emerged along with numerous professional
organizations—all sharing the common goals of ensuring the security and
reliability of information systems.

EVOLUTION OF INFORMATION THREATS

The threats to the information assets continue to evolve in the IT world as
illustrated by the following threat descriptions contained in SCMagazine:

1970s
The 1970s was a timeframe in information security history largely untouched
by digital calamity but marked more so by the exploration of emerging tele-
communications technology. The first modern day hackers appeared as they
attempted to circumvent the system and make free phone calls, a practice
that became known as “phreaking.” Perhaps, the most publicly well-known
phreaker was John Draper, a.k.a. Captain Crunch, who helped pioneer the
practice. Draper was later arrested and convicted on charges related to his
nefarious phreaking activities multiple times.

1980s
The 1980s saw the birth of computer clubs. This decade subsequently ush-
ered in the era of malware, marking the first virus (named “Brain”) in 1986
6 CHAPTER 1: Future of the Chief Security Officer

as well as the infamous Morris Worm in 1988. The Computer Fraud and
Abuse Act was instituted in 1986 and for the first time, a computer hacker,
Kevin Poulsen, was featured on America’s Most Wanted. Poulsen was finally
arrested in 1991, after spending several years as a fugitive. Since his release
from prison, however, he has reinvented himself as a journalist and at one
point, regularly wrote for the online computer security news portal
SecurityFocus, which was purchased by Symantec in 2002.

1990s
The 1990s brought with it the dawn of the modern information security
industry. Notable threats witnessed during this decade included the
Michelangelo virus, Melissa, and Concept. Distributed denial of service
attacks and the bots that made them possible were also born, such as Trin00,
Tribal Flood Network, and Stacheldracht.
Beyond malware, America OnLine (AOL) suffered through the first real
phishing attacks as fraudsters aimed their efforts at stealing users' credentials.
Privacy watchdogs called out in concern as tracking cookies were born, allow-
ing ad networks to monitor user surfing behaviors in a rudimentary fashion.

2000s
The first decade of the 21st century saw malicious Internet activity turn into
a major criminal enterprise aimed at monetary gain. Adware and spyware
entered the scene with such programs as Conducent TimeSink, Aureate/
Radiate, and Comet Cursor.
Perhaps even more visible than adware and spyware, aggressively self-
propagating malware also appeared. Big name threats such as Code Red,
Nimda, Welchia, Slammer, and Conficker all began taking advantage of
unpatched machines. Phishing attacks also became mainstream; first heavily
targeting online banking then moving onto social networking sites. Zero-day
attacks, rootkits, rogue antispyware, SPIM, clickfraud and other attacks also
all made their mainstream debut in the current decade. (A brief history of
internet security—SCMagazine, http://www.scmagazine.com/a-brief-history-
of-internet-security//article/149611/ accessed January 29, 2016.)

OPERATIONAL VS STRATEGIC
In the past, both physical and IT security have been concerned with the oper-
ational needs of the organization such as controlling access to buildings and
computers; issuing identification credentials, and assigning and withdrawing
access rights to the facilities and computer files.
 Convergence of Security 7

However, organizations need a way to focus and stay focused. They need a
precise strategy and well-executed action plan. The strategic plan in and of
itself cannot help organizations change and move ahead to capture more
market share, improve products, increase customer satisfaction, or improve
security. Effective strategic business planning requires a living process that
keeps the organization focused on the right issues. Management must dili-
gently define and redefine the essential components of a successful security
strategy; in addition, take the tactical actions necessary. The strategic planning
is the function that has been neglected in the security organization due to
operational commitments. The establishment of the Chief Security Officer
(CSO) has been a remarkable improvement in providing both the strategic
and operational focus.
Threats to the physical assets and the information assets identified as a result
of a threat analysis should be categorized and a corresponding security goal
defined for each category of threats. The set of security goals should be
revised periodically to ensure its adequacy and conformance with the
evolving organization environment. In addition to the four basic goals of
security—confidentiality, integrity, availability, and nonrepudiation—a
currently relevant set of security goals may include:
I Maintain a quality workforce
I Integrate technology tools
I Provide value-added services
I Offer specialized services

CONVERGENCE OF SECURITY
Convergence of security is defined as the integration of the management of
logical security, information security, physical security, business continuity,
disaster recovery, and health, safety, and environmental functions.
Logical security provides software safeguards for an organization, including
user identification and password controls, access rights, and authorization
levels. These measures ensure that only authorized users can perform actions
or access information across a network or to use a workstation.
Information security is the discipline of protecting sensitive information
from unauthorized access, improper use, disclosure, disruption, modifica-
tion, examination, inspection, recording, or destruction. It is a term for pro-
tecting the data, regardless of the form of the data (e.g., electronic data or
physical documents).
Physical security defines security measures that deny unauthorized access to
facilities, equipment, and resources, and to protect personnel, property, and
Another random document with
no related content on Scribd:
 JASKA. Vest ja varjele, mitäs me koululla, me käytämme
vuorotellen Mesakin nokkalasia ja siitä saamme me viisautta yllin
kyllin. Eihän Tikkakaan tunne aata eikä oota, mutta kuitenkin on
hänestä tullut herrastuomari, ja se tahtoo sanoa paljon se tässä
matoisessa, maailmassa, missä on niin paljon matoja ja materialistia.

Epra ilmestyy kuistille.

MAAILMAN-MATTI. Hyss, siellä se naapuri jo tulee. (On

kaivavinaan kuoppaa.)

JASKA. Niin, iso koljokin katsoo, katsoo kuin hapan silakka

nelikon pohjalta. Kas vaan, Epra, sinäkin tulit katsomaan, se on
oikein se.

EPRA. Ha. Juksahti tässä mieleeni, että se halkopinokin pienenee.

JASKA. Mitäs me enään näistä maallisista. Ei nyt enään

Hölmölässä tehdä makkaratikkuja eikä tynnyrintappia, sillä kohta me
olemme upporikkaita ja silloin, Epra, ei muuta kuin anna huhkia
vaan!

EPRA. Mitä minä makkaratikuista, mutta metsää niihin on sentään

tullut hiukan haaskattua.

JASKA. Mutta nyt tulee kultainen korvaus ja se palkitsee kaikki.

Epra, me olemme eläneet kuin murjaanit ja ihmissyöjät, totisesti, niin
me olemme eläneet, mutta tästä puoleen asukoon sopu välillämme
kuin "kempi kyläisten keskell' juur paras parikunnass", kuten
veisataan.

EPRA. Niin kuolettakaamme kaikki se kuin paholaiselta, ihmisiltä

ja omalta lihaltamme meitä vastaan sotivat. Niin, riita olkoon
kaukana minusta. Me vihoitimme toisemme usein karvaasti, mutta
mielemme oli pimitetty synnin sumulta, ja sielu oli surkiassa
vaivassa.

JASKA, Sanos muuta, sanos muuta. Moni rakentaa kartanoita ja

linnoja, joissa ajattelee pitävänsä huoneenhallitusta, eikä tiedä
kenelle kimmoo, monen perinnön vieras omakseen ottaa.

EPRA. Niin, ei minun sydämmeni ole mikään pikipallo. Pois siis

perimysriidat, ne olivat isoja nauloja jo meidän taattojemme
ruumiskirstuissa! — Älköön kukaan olko tuomarina omassa asiassa,
sanoo Tikka.

JASKA. Onhan meillä nyt oikein riikin maanjakaja, ja se on oikein

maailmankoulun mestarismiehiä! Hän on se mestari Maailman-Matti.

EPRA. Kummallista, että sitä voi uneksia itselleen vaikka mitä

hyvänsä.

JASKA. Minun sydämmeni sulaa kuin hunaja päivänpaisteessa.

Tämä on liikuttavaa, Epra, minä häpeen. (Itkee.) Minä en osaa
enään puhua.

EPRA. Herahtaapa kyynel poskelleni, itkusta siis ilo meillä olkoon

tällä ajalla autualla.

Jaska ja Epra syleilevät.

MAAILMAN-MATTI (Itsekseen). Älä nyt järki, sano särki kun kiiski

ahventa söi.

JASKA. Heisaa, nyt tahtoisin pistää tanttulia! Mutta enpä tahdo

sentään tässä toimetonnakaan tallustella vaan menen hakemaan
maalipönttöäni. (Menee.)

EPRA. Kuinka sujuu työ.

MAAILMAN-MATTI. Käyhän se jusevaan! Vaikka maan keskipiste

näemmä on hiukan muuttunut.

EPRA. Ha, vai muuttunut. (Katsoo kuoppaan.) Onkos se jo

syväkin.

MAAILMAN-MATTI. Syvä on maailman syrjä, sano sammakko,

kun savea tonki!
(Istuutuu kuopan reunalle.)

EPRA. Ha, vai sano se sammakko niin. Kuulkaas, maailman

mestari, taisin tässä eilen hiukan äkämystyä, taisin repiä paitanne
rikki, no niin, tuleehan sitä joskus tehtyä kompeluksia, mutta sen
sanon, että kyllä meidänkin peräkamarissa on kukonhöyhenpolstaria
ja patjoja on, on niitä.

MAAILMAN-MATTI. Vuoroin vieraissa käydään.

EPRA. En minä ole mikään käräjäpukari enkä kitupiikki, taipuisa ja

tasainen olen, mutta se Jaska on sellainen haneli ja lörppä. Älkää
välittäkö sen puheista. Niin, näinhän minä äsken akkunasta, että se
antoi jotakin, mutta on sitä rahaa minullakin, on rahaa kuin ruohoa.

MAAILMAN-MATTI. Vaikkei niin pitkää.

EPRA. Ja voin minä antaa sen minkä Jaskakin ja ehkä hiukan

enemmänkin, onhan sitä kirstunpohjalla hiukkasen ja minun
kuoltuani perii Amalia rahat, jos hän ottaa sopivan miehen. — Niin,
mitäs se nälkäkurki antoi.
 MAAILMAN-MATTI. Viisi kaisantaalaria.

EPRA. Ha, niin paljon! No, minä annan kuusi vaikka se kirveleekin
sydäntäni. (Riisuu saappaansa ja kaivaa sukasta rahat.) Eikös se
Jaska vaan kurkistele, se on sellainen tirrisilmä. Ei mitään, ei
hiiskaustakaan tästä Jaskalle, sillä silloin se huutaa tämän kylille, ja
tänne tulee kaiken maailman käypäläisiä kerjäämään. Sillä minä olen
rutiköyhä, ei minun kannata, ei minun kannata, ja makkaratikkuihin
on mennyt paljon tarvepuita.

MAAILMAN-MATTI. Minä otan armollisesti vastaan tämän pienen

lahjan.

EPRA. Kiitoksia, armollinen maailmanmestari, pitäkää hyvänänne.

— Mutta, hehee, minä arvasin heti, ettette mikään
kostjumalankauppias ole. Ja lintuhäkki, valevaatteet ja muut kojeet,
paljasta peliä!

MAAILMAN-MATTI. Mitäs tämä maailma muuta on kuin

markkinailveilyä.

EPRA. Jos jotain tarvitsette, niin sanokaa pois. Meidän Amalia, se

velivainaani tytär, keittää parastaikaa puolukkapuuroa.

MAAILMAN-MATTI. Minä tarvitsisin sellaisen viuhkanliehtojan,

päivä pistää silmiäni ja ne saattaisivat äkisti pilaantua niin, etten
näkisikään niitä ihmeellisiä kentraalin rahoja.

EPRA. Ha!

MAAILMAN-MATTI. Ha!

EPRA. Jaa, ha!

 MAAILMAN-MATTI. Viuhkanliehtojan.

EPRA. Jaa viuhkanliehtojan?

Ansu tulee katsellen luhtia.

EPRA. Kas tuolta tulee Ansu, kyttää kai taas meidän Amaliaa,
mutta sen minä sanon, että asia on sitä laatua, että meidän tyttö on
sitä säätyä, ettei se rengin remmaksi sovi. Akianteri on toista maata,
sillä hän on lauluntaitosa ja pian hän saa ikipyöränkin valmiiksi. Minä
panenkin sen Ansun liehtomaan, niin Amalia saa olla rauhassa. —
Ja nyt minä menen hakemaan velivainaani ison viheriän
kirkkosateenvarjon. (Menee tupaan.)

JASKA (Tulee, alkaa maalata sikolätin salpaa). Mitäs se täällä

teki? Se on kiero mies se Epra, eihän se vaan tutkistellut meidän
aivoituksiamme.

MAAILMAN-MATTI. Emme me olekaan naukumaijan poikia.

JASKA. Emme olekaan, sillä sitä vartenhan Jumala on meille

järjen ja mielen antanut, että me mahtasimme katsoa eteemme.

ANSU. Onkos täällä näkynyt Amaliaa? Herrastuomari käski sanoa,

että hän saapuu Akianterin kanssa katsomaan oikein sen itsensä
ison herran ja Sipillan jälkeläisen ojankaivamista. — Mutta mitäs se
Justiinan Jaska tekee.

JASKA. Voi, ilonpäiviä, Ansu, minä maalaan nyt kullalla vaikka

koko hynttyyni, sillä kohta, sanon, kohta sanon, ovat kaikki kalleudet
ja salatut aarteet omanamme. Sentähden pitää meidän varoa,
ettemme suututa maailman mestaria, meidän täytyy vaalia häntä
kuin linnun poikasta, kuin silmäteräämme ja oman viheliäisen
ruumisparkamme rakasta rauhaa. Mikä riemu tästä nousee, Ansu,
mikä riemu tästä nousee! Planeetat tanssii ja vellikellon tolpat ja
Hölmölän vanha solaportti heittävät kuperkeikkaa. Kuulkaas herra
mestari, kuinka on terveytenne laita?

MAAILMAN-MATTI. Se vanha kirottu leini hakkaa kuin paholainen

minun sääriluitani. Minä pelkään, että minä saan auringonpistoksen.

JASKA. Ai, ai, olkaa varovainen. Mihin me sitten joutuisimme, jos

te kuolisitte, ai, siitä tulisi ikuinen vahinko.

MAAILMAN-MATTI. Kyllä työtä tekijälle, unta makaajalle, mutta ei

sitä sentään auta työllä turmella itseään.

JASKA. Minä, olen justiinsa samaa mieltä teidän kanssanne.

AMALIA (Tulee kädessä iso vihreä sateenvarjo). Hautaako siihen

kaivetaan vai perunakuoppaa?

MAAILMAN-MATTI. Niin, tähän haudataan hölmöläisten vanha

hapatus, pröystäily, kateus, ulkokullaisuus, rahanhimo ja riidanhalu.

JASKA. Niin, joka päivä me otamme kukonaskeleen lähemmäksi

hautaa.

AMALIA. Tässä on puuroa ja sateenvarjo, Ansu, pidä sitä mestarin

pään päällä, kun hän kaivaa hautaa hölmöläisille.

ANSU (Ottaa sateenvarjon ja heiluttaa sitä). Eihän nyt sada.

AMALIA. Kultarakeita kuuluu kohta satavan.

MAAILMAN-MATTI (Lekottelee maassa selällään). Tässähän minä

lepuutan armollisia raajojani kuin vanha Aatami paratiisissaan. Oi,
sinä Hölmölän luvattu maa! Suurilla on suuret housut, mutta
kuinkahan lienee tulevaisessa maailmassa.

JASKA (Huutaa). Joko näkyy sapelin tupsut!

MAAILMAN-MATTI (Hiipii ottamaan nassakan). Ei täällä ole kuin

pieniä kiviä ja tätä Hölmölän maan mustaa, rakasta multaa.
(Ansulle.) Pimitä sateenvarjolla nassakkani. (Juo.) Terveydeksenne,
lapsukaiset, palakoon rakkautenne niinkuin öljy pumpulissa.

AMALIA. Mitäs se mestari nyt?

ANSU. Mestari puhuu palturia.

MAAILMAN-MATTI. Näenhän minä, että te rakastatte toisianne

kuin rotta juustoa. Saisiko se neropattipäinen, pitkä koikale Aaretti
Akianteri hämmentää teidän paratiisi-ilonne. — Hei, minä juon minä!
Koska sydän kivusta kivistelee, aju ei ajatella taida, kaikki ihmisen
apu livistelee. Niin voisi Mesakki veisata minulle.

ANSU. Minä luulen, että Akianteri on tulossa tänne Amalian

tähden.

AMALIA. Tulkoon vaan, niin minä hakkaan hänen ikipyöränsä

kahvipuiksi.

MAAILMAN-MATTI. Sellaiset kuin Akianterit ja muut salamanterit

ne seisauttavat vielä kerran ajan pyörän. Voi kuinka tämä elämä on
hassua! En minä voi muuta kuin nauraa, sillä me kävelemme
makkaratikuilla ja meidän päämme on kuin paksu tynnyrintappi. Ja
tämä maailman hekuma on kuin vanha, vuotava, ravistunut
kaljatynnyri. - Kun se tyhjä on, niin mene rengonkeinuun!
 ANSU. Jaska seisoo höröllä korvin kuin jänis ja Epra katselee kuin
paholainen rikkiöimästä pullosta.

AMALIA. Minä menen, muuten setä suuttuu.

ANSU. Yöllä tulen minä kolkuttamaan luhtisi ovelle.

AMALIA. Mutta muista kanssa, että osaat luhtilukusi!

ANSU. Laita minulle illaksi saunavihta!

AMALIA. Selkäsaunan vihta? (Menee juosten ja tempaa tyhjän

puurokupin.)

MAAILMAN-MATTI. Arvaas Ansu, mikä minut ajoi pois minun

paratiisistani.

ANSU. Päänvaivat ja virkavaivat!

MAAILMAN-MATTI. Ehei! Pahat puskut, häijyt yskät, poskein rypyt

ja jako, kätten väristys, kasvoin kohistus, hengen myös häijy haju,
silmäin puna paha pullistus näin ylön juomisest' hajoo.

ANSU. Niinhän te laskette sanaa kuin paras pappi.

MAAILMAN-MATTI. Kyllä minä osaan laulaa yhtä hyvin kuin

Akianteri, vaikkei minua Hölmölän lautakunta ole palkinnut.

ANSU. Kyllä suupaltit aina nahkansa pärjää.

MAAILMAN-MATTI. Minun isäni oli rovastina Pahajärven

pitäjässä. Minä en olekaan mikään nahkasielu minä, minä kevennän
tavallani ihmisten taakkaa, katsos minä otan rikkailta ja annan
köyhille, mutta siitä sinä et tullut hullua hurskaammaksi. Te
hölmöläiset kuljette omatunto vasemmassa liivintaskussa.

EPRA (Tulee). Kas kun ei jo kuulu herrastuomaria ja Akianteria

sieltä porsasjalostusyhdistyksen kokouksesta. (Maailman-Matille.)
Mitäs se Jaska tuolla toimittaa?

MAAILMAN-MATTI. Se kultaa sikolättinsä salpaa, siitä sitte

heijastaa niin, että kaikki Hölmölän vilja poutii.

EPRA. Minunkin viljani? Kuinka hyvä sydän sillä Jaskalla sentään

on.
(Menee Jaskan luo.) Rakas veljeni Jaska, maalaa sinä vaan!

JASKA. Niin, minä maalaan.

EPRA. Se on oikein se.

MAAILMAN-MATTI (Lyö käsiä polviaan vasten ja nauraa).

Hahhaa! Nyt ne tarttuvat kuin täit tervaan. — Kallista sateenvarjoa
niin, että minä voin ottaa pienen tuikun murheeseen. (Panee taas
maata.)

JASKA. Niin, minä maalaan, kohta se salpa paistaa kuin aurinko.

EPRA. Niin, paistaa se aurinko niin väärille kuin vanhurskaillekin.

JASKA. Niin paistaa se väärillekin.

EPRA. Jaska, tätä minä en olisi uskonut, sinun sydämmesi on

kultaa.

JASKA. En minä tässä sydäntäni maalaa.

 EPRA. Sinä maalaat salpaa ja nyt poutii minunkin viljani.

JASKA. Poutiiko sinunkin viljasi?

EPRA. Niin, niin, Jaska, sinä olet rehti mies.

JASKA. En minä ole rehti mies, enkä minä tässä maaliani tuhraa
sinun takiasi. (Heittää siveltimen.)

MAAILMAN-MATTI. Nyt ne torailevat taas kuin kukonpojat

tunkiolla, hahhaa!

EPRA. Kyllä Hölmölän nassut taas kihnaavat sen salvan mustaksi.

Jaska, Jaska, hyvä oli tarkoitukseni, en tiedä mikä meitä näin riivaa
ja usuttaa yhteen kuin kaksi vihaista rakkia. Taitaa olla se sielun
vihollinen, hengen härnääjä.

JASKA. Niin, se pääpappa ja maailman isäntä, joka ympäri

juoksentelee.

EPRA. Tai viluojan pojat.

JASKA. Jotka yöllä purkavat sen, minkä ihmiset päivällä

rakentavat.

EPRA. Hölmölän hyvät haltijat meitä varjelkoot.

JASKA. Huh, oikein minä pelkään. Sanotaan, että saunassa

kummittelee.

EPRA. Kyllä Akianteri on ne arkkiveisuillaan karkoittanut, viime

kerralla hän paasasi ja pärmänttäsi siellä vuorokauden, luukusta vain
uskalsimme hänelle ruokaa tuoda. — Lyökäämme, Jaska, sovinnon
kämmentä. Mitäs me nyt pelloista ja muista maanvaivoista, nyt me
saamme suuren aarteen ja ihan ilmaiseksi.

JASKA. Taidat olla oikeassa, Epra, olkaamme kuin väkevät

kengät.

EPRA. Niin, sun tavaras on kuin savi silattu, lauletaan. Meidän

lihamme on heikko vaikka henkemme on altis.

JASKA. Epra, en oikein tiedä, missä se henki istuu, luun vai

nahanko välissä? Naksahtaako se niinkuin varpaatkin.

MAAILMAN-MATTI. Pane pois sateenvarjo, nyt pidetään

lepotuntia, Ansu, sinä saat mennä! Kutti, kutti, pidä puoliasi, poika.
(Ansu menee.)

JASKA. Niin, levätkää, kyllä te olettekin raataneet. Eikö näy vielä

mitään?

EPRA. Jokos näkyy arkun kansi?

MAAILMAN-MATTI. Jahka kerkii, jahka kerkii, ei ne aarteet niin

vaan aivastamalla tule.

EPRA. Mene, Ansu, katsomaan kujalle, eivätkö ne jo tule sieltä

kyläntuvalta.

Ansu menee perälle, Amalia tulee tuvasta ämpäri kädessä, he

virnistelevät toisilleen. Amalia menee. Justiina tulee kodasta ja tuo
makkaroita.

JUSTIINA. Armollinen herra maanjakaja, tässä olisi ihan tuoreita

makkaroita.
 JASKA. Niin, syökää, syökää, älkää kursailko, ei maailmassa
missään ole niin hyviä makkaroita.

EPRA. Entäs se meidän talkkuna! Ja entäs makkaratikut?

JASKA. Kyllä sinä laitat tikkuja, mutta näkisit sen tynnyrintapm,

minkä minä eilen tein.

MAAILMAN-MATTI. En minä vaan syö tikkuja enkä tappeja.

JUSTIINA. Hiiteen tikut ja tapit!

JASKA. So, so!

EPRA. Ämmillä on ämmien puheet.

JUSTIINA (Maailman-Matille kahden). Ne on sellaisia junttia,

pankaa ne johonkin työhön, sillä muuten niillä on liiaksi aikaa
ajattelemaan, eikä ne ajattele muuta kuin että…

MAAILMAN-MATTI. Makkarass' on kaksi päätä, toinen pää ja

toinen pää. —
Kyllä minä niille kohta työtä keksin.

JUSTIINA. Mitä minä näen! Jaska, oletkos sinä taas tehnyt

tyhmyyksiä.
(Osoittaa salpaa.)

JASKA. Joko sinä taas!

JUSTIINA. Taas, taas, mene heti lypsämään papuria, mutta älä

vaan rupea sitä maalaamaan!
 JASKA. So, so, Justiina, mitäs se mestari tästä ajattelee. —
Hohoo, miehellä on miehen sydän! (Menee.)

JUSTIINA (Epralle). Älä sinä naura, sinä jumalan mieliharmi,

kuoppaa sinä nyt kaivatat, mutta saatpas nähdä, että itse sinä siihen
romahdat.

MESAKKI (Tulee alushousuihin ja riihimekkoon puettuna, vihta

kainalossa, sitten Koputus-Liisa). Rauha, hyvät ristiveljet ja sisaret
Hölmölän seurakunnassa.

KOPUTUS-LIISA (Mukana pussi, jossa on sarvia ja kupparikirves).

Rauha parhaaks, illaks Justiinan Jaska ja Jaskan Justiina, johan
sauna lämpiää.

JUSTIINA (Itsekseen). Jo tuli pahan ilman lintu!

KOPUTUS-LIISA. Olettekos kuulleet vastalkuja. Äsken ovat kylän

vanhimmat päättäneet viettää tappi- ja saunajuhlaa ja silloin aina
minuakin tarvitaan. Tiedänpä muutakin, mutta perästähän kuuluu.

JUSTIINA. Tulitko taas Epraa kuppaamaan, kyllä se sen tarpeessa

onkin, sillä kovin sen on sappi sakea.

KOPUTUS-LIISA. Voi, hyvä Justiina, mitäs sinä nyt, tulin vain

katsomaan, kuinka se riikin herra täällä sitä aarnihautaa tutkiskelee.
(Niijaa.) Hyvää iltaa, armollinen riikin herra, hyvää iltaa! Tietäkääs,
se on ihan totta, minä olen monasti illalla ohi kulkeissani nähnyt
aarnivalkean palavan täällä pihan puolella, että kyllä täällä varmaan
on aarnihauta.

MESAKKI. Niin kertoo vanha kansakin.

 KOPUTUS-LIISA. Muistathan rakas, kultainen Justiina, minuakin
parilla kolmella kaisantaalarilla, kun se aarre löydetään.

JUSTIINA. Kolmella kaisantaalarilla! En, en!

KOPUTUS-LIISA. No, annathan edes yhden taalarin.

JUSTIINA. Kun minä sanon en, niin minä sanon en.

KOPUTUS-LIISA. No, annathan edes puoli että saan uudet

puolikengät.

JUSTIINA. Joilla sinä lentäisit kyliä kello kaulassa, en, en! Ja mitäs
sinä tässä minun rahojani kärkyt, norko, kyllä minä ne itsekin
tarvitsen.

KOPUTUS-LIISA. No, no, eihän ne ole vielä, sinullakaan.

JUSTIINA. Ja mene jo tästä pussinesi ja sarvinesi, ei niitä meillä

tarvita.

KOPUTUS-LIISA. Ei tarvita, sanot, kyllä niitä vielä tarvitaan,

mieluusti minä iskisin pari sarvea sinun leipälaukkuusi.

MESAKKI. Kun viisaus nousee pääkoppaamme, ja

ymmärryksemme lepattaa kuin rasvainen talituikku talvipuhteilla, niin
silloin ei haittaa vaikka antaisimmekin iskeä pari sarvea johonkin
sopivaan ruumiin osaan. (Nipistää Liisaa käsivarresta.)

KOPUTUS-LIISA. Vanha veussu! Mitäs sinä hamuilet, vanha

syntipukari.

MESAKKI (Hiukan nolona). Niin, synnissä me siinneet ja syntyneet

olemme.
 JUSTIINA. Taitaa olla se vanha rakkaus…

KOPUTUS-LIISA. Hui ja hai!

MAAILMAN-MATTI. Hyvät hölmöläiset, ei pidä olla enemmän

viisautta kuin mitä pää vetää, se on se liikaviisaus, joka päähän
tuppaa. — Hohoo! (Haukottelee.) Raukaisee niin riivatusti, mistähän
se tulee?

MESAKKI. Täällä Hölmölässä on aina uni.

MAAILMAN-MATTI. Se taitaa tarttua, hohoo! (Nukahtaa.)

EPRA. Viisaus on vaarallista!

JUSTIINA. Ja Koputus-Liisa imee nahkaansa kaikkien muiden

älyn riippeet, kumma kun sentään puhuu kuin keitetystä lampaan
päästä.

MESAKKI. Ymmärrys, ho, älä jätä!

KOPUTUS-LIISA. No tule ja puserra! Sinä kiusan kappale,

solvaisetko sinä minun hyvää, rehellistä ammattiani?

JUSTIINA. Kielikello, juorukontti! Ehei, ei minulla ole aikaa

jaarittelemaan joutavia joutavien kanssa! (Menee saunaan.)

EPRA. Akka pamahti tiehensä?

MESAKKI. Kuin vaimon keskeräiset te olette ja niin lyhytnäköiset,

niin lyhytnäköiset!

KOPUTUS-LIISA. Meni kuin pyryharakka! (Kahden Epralle.) —

Kuulkasta, isäntä, minulla olisi hiukan niinkuin asiaa. Tiedättehän…
se Aaretti Akianteri puhuu minulle aina sydänasiansa kuin
kristsisarelle ikään… ja nyt se on aina vähin niinkuin riiastellut
Amaliaa, velivainaanne tytärtä, mutta vaikka se on sellainen
älyniekka, niin ei siltä ota se puheen alku oikein luonnistuakseen
tällaisissa asioissa… ymmärrättehän… vaikka sen suu muuten aina
on niin messingillä. (Kuiskaa kovaa.) Akianteri kertoi minulle kaikki
eilen hieroessani hänen päätänsä… mies parka miettii vaan sitä
ikipyöräänsä niin, että sen pää on ihan pyörällä.

EPRA. Ha, vai pyörällä… kyllähän me siitä vielä…

KOPUTUS-LIISA (Taputtaa Epraa olalle). Hyvä, kiltti isäntäkulta,

niin pulski ja verevä! Lötys se on Jaska Epran rinnalla, lötys sanon,
mutta Epra se on miesten paraita, sen olen aina sanonut.

EPRA. Vai sanonut, sano.

KOPUTUS-LIISA. Niin monet kerrat olen minä hieronut ja

kupannut Epraa ja minä teen sen vastakin, ilolla ja mielihalulla minä
sen teen.

EPRA. Ha, passaisiko sitä taas tänään pari sarvea… ha.

KOPUTUS-LIISA. Voi tokiinsa, voi tokiinsa, vaikka kymmenen joka

päivä.

EPRA. Ha, kymmenen joka päivä? Niin, mutta mennään nyt

tupaan.

KOPUTUS-LIISA. Niin, mennään tupaan, niin saamme jutella

rauhassa.
(Liisa ja Epra menevät.)
 MESAKKI. Mestari nukkuu. Hänen unensa on kuin manna makia
kryydimaassa, mutta kuinka mahtaa olla autuuden sarven laita.
(Helistää keppiä.)

MAAILMAN-MATTI (Unissaan). Äh! Ei tämä ole sinun sohvas! Älä

vietävä sinuttele minua, en minä ole itseänikään sinutellut sitte viime
viikon. — (Herää.) Oh, luulin vallesmanniksi ja minä olin kuulevinani
kulkusten kilinää. Enhän minä makaakaan maantien ojassa.

MESAKKI. Anteeksi, minä vaan helistin hiukan huutavan äänellä.

Kuinka on autuuden sarven laita?

MAAILMAN-MATTI. Autuuden sarven? Tarkoitat kai juomasarvea.

(Laulaa.)
Gaudeamus igitur, juvenes dum sumus!

MESAKKI. Akianteri tulee, Akianteri tulee!

MAAILMAN-MATTI. Astupa temppelikartanohon, sinä suuri

Lygurgos! En tiedä, onko se rengonkieltä vai siansaksaa, minä kävin
vuoden kimnaasiakin. Terve, sinä Hölmölän helisevä kulkunen!

AKIANTERI. Tulee toimeliaana kantaen kummallista kojetta,

ikiliikkujaa, isoa pyörää, jossa on hampaat, kuorut, painot ja
lyijykuulat, jotka putoavat pyörän päältä alas loviin, kone on
kömpelösti tehty. Pyörä päästää hirmuisen pärinän, kun sitä liikuttaa.

Katsokaa ja ihmetelkää! Oh, se on erinomainen, sellaista ei ole

vielä mistään missään milloinkaan tehty. — Minä seivästin silmäni
kattoon koko viime yön ja minun aatokseni tunkeutui luomisen
alkuaikoihin saakka! Minun pääpajassani taotaan aina, siellä on eri
karsinat, pyörät pyörivät, remmit ja väkihihnat kulkevat huoneesta
huoneeseen.

MAAILMAN-MATTI. Se on sitte oikein sellainen värssyverstas se

teidän pääkoppanne.

AKIANTERI. Ja kaikki hihnat liikkuvat erääseen karsinaan eikä

kukaan vielä tiedä, mitä siellä tehdään. Se on vielä suurin salaisuus.

MESAKKI. Hän puhuu kuin rohveetta!

AKIANTERI. Sinä hetkenä, jolloin aurinko seisoo niinkuin ilmaan

heitetty kivi hetkeksi pysähtyy, sinä hetkenä syntyy aikaan juopa,
josta ijäisyys nähdään ja sen kaikki ihmeet.

MESAKKI. Missä, missä olette, hölmöläiset, taas menee teiltä

hukkaan kuolematon hetki!

AKIANTERI. Aarteet kohoovat maan pinnalle.

MAAILMAN-MATTI. Vedet muuttuvat viiniksi.

MESAKKI. Pyhä varjelkoon, nämähän ovat maailman lopun

enteitä!

AKIANTERI. Ja naudat voivat hetken puhua kielillä.

MAAILMAN-MATTI. Niin, minä huomaan, että naudatkin voivat

puhua.

MESAKKI. Niin, silloin tulee maailman loppu, kun pyy pienenee,

pyhä puukello pämpättää itsestään, ja hölmöläiset alkavat liiaksi
viisastua. Akianteri, Akianteri, varo pääparkaasi, ettei sinun kävisi
hullusti.
 AKIANTERI (Lyö rintaansa). Minä, minä itse, minä olen
voimaihminen minä.

MESAKKI. Niin, niin, sinulla on päässäsi neronpattia enemmän

kuin meillä muilla kuolevaisilla.

MAAILMAN-MATTI. Minulla on liikapattia vain jaloissani!

AKIANTERI (Näyttää pyörää). Katsokaa tätä pyörää! Kohta se

liikkuu! Katsokaas, nyt minä panen voimapyörän liikkeelle, painot
laskeutuvat ja lyijykuulat putoovat pyörän päältä kuoruun.
Katsokaas, se liikkuu!

MAAILMAN-MATTI. Se liikkuu.

MESAKKI. Ijankaikkisesta ijankaikkiseen! Varjele hyvä isä, mitäs

Jumala tästä meinaa!

MAAILMAN-MATTI. Johan se taas seisahtui, heilahti vain kerran

ympäri.

MESAKKI. Taivaalle kiitos!

AKIANTERI. Kaikki on kunnossa, puuttuu vain viimeinen pyörä.

MAAILMAN-MATTI. Minun järkeni seisoo.

AKIANTERI. Siitä puuttuu joku niksi, mutta kyllä minä sen keksin,
ja silloin loistaa Aaretti Akianterin nimi kuin kuunsarvi kirkkaalla
taivaalla.

MESAKKI. Kuin kointähti ihanast' loistaa.

 JASKA (Tulee vasemmalta kiulu kädessä). Tietäkääs, hyvät kylän
miehet, että minä olen lentänyt unissani. Ai, ai, kuinka se oli lystiä,
minä liitelin haarapussilla yli kellohatun, yli saunan, yli sikolätin kuin
ilmalaiva, mutta maahan minä en päässyt, vaikka minulla oli tavaton
tupakannälkä. (Levittää käsiään ikäänkuin lentäisi.) Hihhei, näin
minä lensin! Miekkoset, muistatteko kun Akianteri keksi sen
lentokoneen.

MESAKKI. Muistan. Sitoi päresiivet olkapäihinsä ja nousi Epran

katolle.

JASKA. Ja taittoi jalkansa sikolätin räystääseen.

MAAILMAN-MATTI. Lentäähän se kanakin ja laulaa vaikkei ole

päätä eikä kaulaa.

JASKA. Kuules Akianteri, keksippäs vielä joku lypsykone, ettei

minun tarvitsisi lypsää sitä meidän papuria. (Menee tupaan.)

MAAILMAN-MATTI. Niin, ja keksikää, hyvä nappulamestari,

sellainen syömäkone ettei enään tarvitsisi vaivata itseään
syömisellä.

AKIANTERI. Nappulamestari! Ettekö te tiedä, että minun

murhalaulujani, minun arkkiveisujani, minun karamellirunojani
lauletaan jo riikin joka kylässä. Mutta te ette ymmärrä ylempiä
asioita, vaikka olettekin maailman-mestarismiehiä.

MAAILMAN-MATTI. Te hölmöläiset töllistelette liian usein

taivaaseen, niin että unohdatte tämän pienen, syntisen ja suloisen
maan.