Network security is difficult for any enterprise, but educational institutions face a unique set of challenges including:
Seasonal spikes in malware introduced by students returning from holiday break
Huge diversity of unmanaged devices connecting to the network - laptops, smart phones, etc.
Enabling free information flow while protecting students and faculty
Exposure to legal liabilities through P2P application abuse
ForeScout CounterACT Network Security for Educational Institutions
Today's students expect continuous connectivity to each other, to their teachers, and to the Internet. But security is rarely high on their priority list. ForeScout helps educational institutions address key concerns around network security:
Keep the network safe from unmanaged endpoints and rogue devices
When students arrive on campus, their laptops may be infected with malware and have risky applications like P2P already installed. They may totally lack antivirus software. Students can also bring networking gear from home - wireless access points and wiring hubs - and try to connect it to the campus network.
ForeScout CounterACT lets you enforce security requirements for student laptops, such as up-to-date security software. If the laptop has no anti-virus, CounterACT lets you install anti-virus to the student system.
After the student's laptop is connected to your network, CounterACT will continuously monitor the behavior of the laptop for signs of infection or malicious activity. If danger is detected, CounterACT gives you a wide range of controls to help deal with the situation.
CounterACT can also immediately detect and block any rogue devices such as wireless access points and unauthorized wiring hubs. CounterACT gives you detailed visibility into any equipment connecting to the network, including its physical location.
Enable free information flow while protecting student and faculty privacy
How do you protect private information such as student exam data or other personal records? Passwords will take you some of the way there, but many educational institutions are turning to ForeScout CounterACT for a simple network-based solution.
ForeScout CounterACT can separate students from faculty at the network level, while still allowing authorized communications between the two networks. A number of different technologies can be deployed to create and maintain these "Chinese walls" including VLANs, access control lists, and virtual firewalls. See more here.
Prevent illegal file sharing activities with visibility and control over P2P applications
Illegal file sharing and downloads of copyrighted material was officially criminalized under the 1998 Digital Millennium Copyright Act (DMCA) and later reinforced under the Higher Education Opportunity Act of 2008. Although liability limitations exist for network administrators, Section 512 of the DMCA indicates that if subpoenaed, they must disclose the identity of the offending subscriber. They must also terminate accounts of repeat offenders.
By preventing P2P applications on the campus network, educational institutions are able to protect themselves against legal action by digital content owners. Using industry-leading host interrogation technology, ForeScout Counter ACT can scan the end-user system for active P2P applications. CounterACT gives you a range of control options to deal with P2P such as:
Audit Mode: Monitor for P2P use across student population and identify potential problem areas
Notifications: Can be sent to users to remind them of their liability if illegally sharing copyrighted content. An auditable end-user acknowledgement enables tracking of non-compliance warnings to users.
Blocking: For repeat offenders or users suspected of engaging in illegal file sharing, these P2P applications can be blocked from running on their systems.
Sindh Educational institutions given security blueprint
Sindh govt recommends establishment of security cells under retired Army officials; deweaponisation of hostels; banning political events inside campuses
Karachi:The Sindh government has approved a security plan for educational institutes in the province in view of recent terrorist incidents in the country, especially the attack at the International Islamic University in Islamabad, according to a statement issued on Wednesday by the press secretary of Sindh Governor Dr Ishratul Ebad Khan.
The heads of the institutions concerned have been directed to take immediate necessary action in this regard.
A meeting regarding law and order and security arrangements at the educational institutions was held on October 21 under the chairmanship of the Sindh governor. A committee was constituted under the Chairmanship of the principal secretary to the Sindh governor. Members of the committee include vice-chancellors of public- and private-sector universities, as well as representatives of Pakistan Rangers Sindh and the Sindh police.
The comprehensive security plan prepared by the committee and approved by the Sindh governor has been forwarded to the heads of institutions concerned for immediate necessary action.
The plan includes the establishment of a “Campus Security Cell,” which should be headed by a well-trained security officer, preferably retired armed force officers. Security staff, preferably ex-servicemen, should be enrolled after necessary security clearance and verification from the special branch. These security staff will be equipped and trained by the police or the Rangers, and the security officer should maintain close contact with the local wing commander of the Rangers as well as the town police officer concerned.
The security in-charge and all related personnel are to have all emergency numbers such as those for police stations, the fire brigade, and ambulance services, as well as the cellphone numbers of the relevant SHO, DSP, DSP, SP, DPO, TPO, and the Rangers wing commander.
Protective measures in the plan include walling campuses, repairing broken wall, raising the heights of fences, and installing barbed wire on walls.
Gates are to be installed at all entry and exit points. Moreover, there should be multiple entry and exit points for use during an emergency; all gates should be manned by armed guards.
Tracks should be developed along perimeter walls to enable mobile patrolling by internal security staff of the respective universities.
Moreover, vegetation along the perimeter should be cleared, concrete road blockers should be placed in a zig-zag way at the gates to force vehicles to reduce their speed and discourage forced entry. Sandbag pickets or guard rooms should be installed at the gates and at various identified locations within campuses.
Close-circuit cameras and communication networks should be installed at gates, as well as other major points and the central security control office.
Emergency phones should be installed at various locations within the campus, and should be connected to the security centre. A map should be made of the whole campus, indicating the positions of various buildings and entry and exit points, and should be handed over to the security officer for use during an emergency.
Separate maps of every building should also be made, indicating each and every room; the number of students who can possibly be present in a particulars class, depending upon enrolment, should also be indicated in every room.
Active measures indicated in the plan include cleansing hostels of weapons and ammunition.
No one should be allowed to carry firearms within campus premises. Entry without ID cards should be banned, and students, faculty members and employees should be made to carry ID cards at all times.
Visitors or guests will be allowed inside campuses only after the submission of original CNICs at the gate. Students and visitors will be searched through metal detectors and walkthrough gates. Vehicle passes will be issued and no vehicle will be allowed inside campuses without a pass. All vehicles should be searched at the gates; glass reflectors must be used to check below vehicles.
Moreover, places where students gather in large numbers, such as canteens, libraries and auditoriums, should have multiple entry and exit points.
Motorcycle or bicycle patrols should be arranged inside campuses to a keep watch on suspicious people and activities. Walkie-talkie sets should be provided at all pickets and mobile guards should remain in contact with the security centre.
Apart from these, the plan encourages the administration of educational institutes to motivate students and parents to cooperate with law-enforcement agencies; sensitise students travelling in university buses to check unknown people; institute a dress code to facilitate the overall security insides campuses.
Political gatherings and events should not be allowed within universities; weddings and other functions should not be held within campuses; professors and officials should be encouraged to cooperate with law-enforcement agencies for maintaining peace and security inside the campus.
Staff vehicles should not be used by students for moving inside the premises, and a complete record of the residents of staff colonies should be maintained. The plan calls for these security arrangements to be put in place immediately.
The local TPO and Rangers wing commander will visit all educational institutions after November 10 to assess adopted measures, and to suggest further improvement in security arrangements.
Moreover, the plan states that the suggested measures may be taken as “broad guidelines,” and authorities concerned are free to adopt other measures in consultation with the local police and Rangers.
LAHORE, The licenses of Private Security companies have been revoked as they have failed to provide data base details of guards, authorized number of weapons possessed by them, annual financial statement, annual performance report, list of clients, registration of guards at local police station of the area of his deployment and training of guards from Elite Police Training School, Badian Road Lahore.
The spokesman further stated that these security agencies also failed to appear before the Licensing Authority to show any cause for not revoking their licence. The security agencies whose licence have been revoked include 7th Sense Security Guards (Pvt) Ltd, Al Asad Security & Services, Al-Anik Security Management (Pvt) Ltd, Alia Security (Pvt) Ltd, Alpha Security Services (Pvt) Ltd, Blitz Security Services (Pvt) Ltd, Business Security Technology (Pvt) Ltd, Capital Techno Security (Pvt) Ltd, Comprehensive Security Services (Pvt) Ltd, Dogma Security Consultancy, Fast Security Management Services (Pvt) Ltd, Frontier Corp NWFP Security Services (Pvt), Lahore Pride Security Systems (Pvt) Ltd, Lipa Security Services (Pvt) Ltd, Lunar Security Services (Pvt) Ltd, Muqaddam Security Services (Pvt) Ltd, Panther Security & Management Services (Pvt) Ltd, Qui Vive Enterprise (Pvt) Ltd, Sabat Qadam Security Services (Pvt) Ltd, Spider Security Services (Pvt) Ltd, Spy Tech (Pvt) Ltd and Taza Dam (Pvt) Ltd, the spokesman added.
Home dept reviews verification of private security companies
KARACHI - Sindh Home Department held a meeting and reviewed the procedure of verification of security guards employed by the private security guards, The Nation learnt on Sunday.
The meeting was attended by Rubina Asif, deputy secretary of home department, Muneer Ahmed, chairman All Pakistan Security Agencies Association (APSAA), Col (r) Tauqeer-ul-Islam member APSAA, Muffasir A. Malik member APSAA, SSP Athar Rasheed Butt, City Police.
It was asked in the meeting that as soon as the verification cell of police is established, APSAA would submit the verification requests received by them from the private security companies to the SSP office. Moreover, a specimen of the verification form was approved which every company would print with its company logo under signatures of its operating officer of APSAA.
All private companies are directed through APSAA to construct a proper strong room within a period of 30 days.
After the expiry of 30 days with effect from 20th January, a team of home department along with the area town police officer and representative of APSAA will conduct inspection of each private security company and penalize under section 10 of the Sindh Police Security Companies (Regulation and Control) Ordinance 2000 in case of violation.
It was also decided in the meeting that all private security companies would bound to get the CNICs verification of their guards through NADRA.
Security guards are everywhere; in your supermarket, favorite eating places, even at your office. But do they really keep you safe? The first and foremost duty of the state is to safeguard the honor, lives and property of its citizens. But in our country the state is not fulfilling this important aspect of its dominion. So there has been mushroom growth of private security companies all over the country during the last couple of decades.
But the in our society there security guards are introducing high risk for the property and the life. It has been observed that at the most business places, the guards have not asked customers to state their business before allowing them to enter but merely have opened the gate to allow cars to enter and exit the compound. Sometimes the guards were busy, sitting in the shade, chatting to each other while sipping drinks. Or, a guard was sound asleep with his feet on the desk, log book safely on the table. Are these the people trusted with keeping people and buildings safe? Do they understand their role?
The number of security companies is increasing day by day and are almost entirely all run by the retired army officers in addition to those run by the ex-servicemen trusts. They employee tens of thousands of retired soldiers who are underpaid with long duration of work, but the companies probably charge their clients two to three times higher than the wages paid. It has been learnt that most of the private security agencies are not good pay masters, compelling their guards to resort to illegal ways for their survival.
It is also noted that the retired officers have exploited the needs of retired soldiers to have jobs although the government has announced the minimum wage for the labour to be 5000/-. But it is not ensuring that the security guards are paid a fair wage and are adequately insured. Many people think that the private security companies have now started looting, with even higher charges during security duties in the wake of growing concerns over the law and order situation. Recently a survey report revealed that dozens of private security companies are taking advantage of the government’s failure to ensure security and have increased their rates. It is also evident that most of the guards provided by the companies to people are untrained and equipped with defective arms. Private security companies are bound to train their guards or heir ex-army men. They claim that they hire only ex-army men who are already trained to use weapons, but in reality they are not following these rules.
Reports are made regarding involvement of some private security agencies’ guards in criminal activities as a threat to the society. A few of the security guards of private security companies were involved in street crimes but police was failed to take action against them. There is an increase in street crimes and people believe that guards of these companies are involved in these crimes. It has been observed that many security guards have become a threat to the lives of those who had hired them for safety and protection.
Now the government is trying to check such activity with a regulatory body to check misuse of the authority being enjoyed by private security agencies’ guards. Most of the private security agencies have registered themselves, but most of them are stated to be dormant and their managements have no check on the activities of their guards who had been provided arms and uniform.
It Karachi statistics underline the gravity of the situation; private security guards outnumber police officers in Karachi by a ratio of nearly three-to-one. According to official estimates, there are 80,000 security guards in the metropolis as opposed to 29,000 sanctioned police officers. Observers say that in a few years, the number of private security guards will exceed that of police officers throughout the country.
Serious thought must be given to regulating Pakistan’s nearly 600 private security companies. The home department must keep an eye on the recruitment and training methods of security firms to make sure they are hiring capable people and equipping them with the requisite knowledge and tools. It is also troubling that many security companies are not verifying their guards’ particulars with Nadra. The requirement that guards be posted at a bank register through the area police station is also not being met. Given the weak enforcement of the rules by the government, banks and other institutions that employ private guards greater scrutiny must be exercised at the time of hiring.
The security officer is defined as an individual who is "licensed to provide service for the protection of personal property and prevention of theft or the unlawful taking of property", adding that security officers were to "maintain order", as well as act as ambassadors on behalf of the companies for which they work. To maintain the high level of security continued training and upgrading of their skills is necessary.
There is a greater role for private security companies provided they address issues such as accountability, professionalism and training. There also needs to be greater collaboration between security companies and the Police Force, as the latter cannot "provide all the protection and enforcement necessary to maintain safe and orderly communities".
In the war on terror private security plays a key role in our society. It is also the responsibility of the government to provide the security for its people and to form the necessary legislation and regulatory authority to check and balance the performance of the private security companies.
Audit or commonly known in Malaysia as inspection is little known to the security industry till the arrival of the US multinationals in Malaysia in the early 70s. The usual outcry after a loss or a break-in followed by a rush to over protect a facility was the order of the day. In today management term it is called the “fire fighting” approach.
Auditing was normally the job of insurers or accounting firms then. Now you hear about ISO 9000 audits, Quality audits and audits in non-accounting fields. In the security industry, the auditors are normally the corporate management of multinationals. We have evolved from external auditors to internal auditors. The trend now is towards audits by users or “owners” of a particular process or area. This is also known as the internal self-audits.
Why Audit?
An effective security programs involves a dynamic security system and procedures; skilled and motivated security force; total support from the people of the organization and finally a workable monitoring mechanism or audit. These four attributes form a consistency cycle for improvement and enhancement of the system.
The general security maxim is “where there are people there is abuse”. The criminal mind always wants to beat the system. All physical barriers or any form of prevention or detection system will always be tested by the human mind. This forms a vicious crime cycle between the enforcers and the offenders. The audit helps to break this cycle in the favor of the enforcers and the moral society.
Security Standards
No audit is viable if we do not have standards to compare or benchmark. Hence the setting of standards is the first step of audits. TAPA or Technology Assets Protection Association in the US has a comprehensive audit format to check on warehouses, transport security and even airports or areas of external threats. They set a series of security standards for the technology industry which is also the electronics industry and the cargo transporters. The scorig measures the effectiveness of the system.
As we implement a security audit program for our organization we start by setting minimum standards for all criteria of risk. Some basic security criteria or standards for an electronics industry manufacturing concern can be as follows:-
a) Physical barriers
We may have to go to fine details even to the extent of spelling out the minimum height of a fence, the number of doors, type of lightings, etc. Some industrial engineers can assist us to even set the light intensity of the parking areas, external compounds, etc.
b) Security Systems
This is the favorite subject for security practitioners, but a night mare to the Finance Department. How many cameras shall be enough and what will be an over kill? The vulnerability of the product or areas we need to protect is the measure of how we want to protect. The latest integrated CCTV & detection or early warning systems can be well deployed for effective coverage.
c) Process Standardization or Procedures
The process standardization is the key to ensuring proper enforcement. Here again we should review the core responsibilities in asset protection or emergency actions and develop minimum acceptable standards or process. Some of the procedures to be considered are:-
Access Control Procedures – the standards on access restriction of visitors and employees either to the whole or part of areas; badge color coding, etc.
Property Pass/Control Procedures – Standards and Forms for the movement of property outside and within the premises.
Shipping Procedures – Here the focus is on security checking of shipment or truck monitoring.
Finished Goods Security Procedures – Classification of high risk products, storage and handling security.
Scrap Control Procedures – Focus more on the collection storage and disposal of finished goods which are considered rejects, but fetch a street value at the grey market.
Incident Reporting & Investigation Procedures – In a people oriented organization this becomes a good form of data gathering (incidents) and the “do’s and don’ts” in evidence gathering, interviewing and corrective actions, etc.
Employee Discipline Procedures – Normally drawn up by the Human Resources Department to ensure standard enforcement of non-conformation of procedures.
High Risk Area Security Procedure – This classification is important if a particular storage or production area needs additional security protection.
Security Awareness – One of the main components of an effective security program is to ensure people support. This can only be attained if the people are aware on the need to secure company property; how they can assist by suggesting improvement or by participation in decision-making, etc. The best approach is to have a comprehensive security orientation program for new employees.
After the September 11th of 2002 we can add more to the list, e.g. anti terrorist programs, bomb threat, expatriate protection and issues related to crisis management and people protection.
Audits
Monitoring or to watch over, is a key factor for security. That was how the term watchman came about. We carry out surveillance to detect abuse in the early stage, we enforce procedures to catch abusers and investigate crimes to prevent future abuse. Audits or monitoring involves surveillance, enforcement and investigations – all in one. Hence auditing is like looking at the big picture. If done effectively, it is the guardian of the security program. It is the main tool for the security practitioner to measure his own effectiveness and that of his team.
The audit involves a SWOT (strength, weakness, opportunities and threats) evaluation of the organization in the security aspect. Hence a well-defined audit format involving all the attributes of the security program is vital. In general it should contain the following, but need not be limited to:-
a) Physical Security (or barrier) evaluation.
b) Review of the security procedures against actual practice.
c) Evaluation of the security systems in place, i.e. the CCTV system, alarm system, card access system. etc.
d) Adequacy of the manpower and their training needs.
One can draw out a format with the above as a guideline. The format should be simple and with a good score system. The score system helps to compare between two separate audits by time and by location. It is the barometer to gauge improvements.
The recommendation to rectify weakness is a crucial part of the audit. Recommendations can be a simple action to rectify or a long term plan to improve the overall security of the area. They are both cost and time related. It is important to evaluate the weaknesses against the potential threat or risk they pose. A cost effective approach should be taken. Most management would like to know what is the payback if a large investment is needed. Statistics showing reduction in loss (reflecting value or loss of business) will be a good measure to evaluate a payback.
Constraints
The management does not see the pay back from an audit. Loss prevention is something not very tangible until the loss occurs. So there may be no management support to recruit auditors, send auditors for training or acquire auditing software, benchmark audits in other organization or engage consultants to audit the facility.
Audit formats and the system used to evaluate may be too lengthy and may not pose a challenge to the auditors. Inter plant ranking or competition and evaluation will help to appreciate auditors the areas being audited and the facility itself.
The objective of audits should be more so as a monitoring or feedback mechanism rather than a “fault finding” mission. The simple rule of “don’t find fault, find solutions” should be used as rule of thumb. It should be made a last resort to punish people who may not have conformed especially if detected during an audit.
The filling up too many reports or forms, too many reviews with auditors or auditees may also cause people to lose interest. Too stringent standards set will virtually make every audit a failure. Audits should be tailored to enhance the system progressively.
The Future of Audits
Security is a relatively new field compared to other professions. Professional qualification and certification are not widespread, especially in Asia. The effort taken by Security Professionals Associations worldwide to institutionalize the security profession is very encouraging. Presently only experienced police or armed forces officers are termed as security professionals. This is now changing with fresh university graduates taking up the challenge in this field. As the profession gains recognition, the need for standards and systems will change. Once this happens we will see greater emphasis on security audits and certification in the same manner as Quality, Environment and Safety certification. More computer-aided systems will be introduced. Benchmarking and recognition of organization with Security Standards will prevail. This will be a reality in the next decade in our country.
(This paper was presented by Rahmat Ibrahim, a Security Manager in a multinational company in Johor, Malaysia, during the Security Practitioners Meet 2002 jointly organized by MALSEC DOT COM and IGB Corporation on 28-29 October 2002 at the Cititel Hotel Kuala Lumpur).
