Question 1 (Weighting: 10)
Explain how the risk to personnel security can be reduced and how personnel can be monitored without infringing their rights. Give an example of how an organisation might ensure that employees are not at risk, and explain how one would obtain a ‘CRB’ check.
Personnel security is a prime concern for most employers. Ensuring that personnel security is strong enhances every other aspect of security for the asset. For instance, my current employer can, and does, monitor both my work emails and BlackBerry; this was clearly stated in my contract and is a basic security enhancement.
Other measures that the employer can put in place include:
1. A web filtering service with a list of websites that cannot be reached from work IT equipment.
2. CCTV cameras in the workplace; however, their use must comply with the Data Protection Act 1998 and the Information Commissioner's CCTV code of practice (cameras in areas such as toilets and changing rooms are not permitted, and staff must be told that monitoring takes place).
3. Handing in of smartphones/tablets before entering certain areas of the premises.
4. Screening of employees' bags on leaving the building.
5. Encryption and access controls so that each level of information is available only to those who need it.
Further to this, the employer can ask all prospective staff at the recruitment stage to undergo a Disclosure and Barring Service (DBS) check. The DBS is a recently created body, formed in 2012 by merging the Criminal Records Bureau (CRB) and the Independent Safeguarding Authority (ISA), so what was a 'CRB check' is now a DBS check. Guidance for employers is published on the DBS website.
An individual cannot apply for a standard or enhanced DBS check themselves; it must be requested through the employer or a registered body. An individual can, however, obtain a Basic Disclosure through Disclosure Scotland ( http://www.disclosurescotland.co.uk/apply-online/ ).
The identity documents required are the same for both systems, with the DBS check being the more in-depth of the two.
Question 2 (Weighting: 15)
Provide three examples of security equipment or tools that you would recommend for a corner shop, and briefly explain why you chose them, taking into account costs to the shop owner.
The first piece of equipment I would recommend would be a CCTV system capable of both day and night coverage with an integrated recording facility. The SECURIX 500GB 4-channel CCTV kit would fit this purpose. It includes 2 dome cameras for internal use and 2 external "bullet" type cameras with a 20 metre night-visibility range (for coverage of the rear entrance to the premises). The included software can be set up to alert a mobile phone when an intruder is detected at any time. The internal dome cameras also have IR capability, so the system provides 24-hour surveillance of the premises, inside and out. This system retails at approx. £450.
I would also recommend a safe for securing the cash float and any valuable stock. For small premises I would suggest the Burton FIRESEC 10/60 Size 1. This safe is tested to EN 15659 LFS 60 P and gives up to 60 minutes' protection against fire. It is also approved by the Association of Insurance Surveyors with a Eurograde 1 rating, meaning that for insurance purposes you can store up to £10,000 in cash or £100,000 of valuables before the premium goes up. The lock and bolts are protected against drilling, and the safe can be anchored to the floor with the supplied fixing bolts. Retail price in the UK is £635.
Finally I would suggest a wide-front secure shop shutter for securing the premises at night. These range in price from £180 per metre for the High Security type to £280 per metre for the Police and Insurance approved type. The basic standard I would suggest would be one with an anti-vandal tamper device, so that the shutter can still be operated regardless of the damage caused to it.
Question 3 (Weighting: 10)
Explain the main Act that outlines the basis for the security of information in the UK and outline the main points.
The Data Protection Act 1998 is the main Act that outlines the basis for the security of information within the UK (it has since been superseded by the Data Protection Act 2018 and the UK GDPR, which carry the same principles forward).
Its aim is to make provision for the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information [1].
The Act covers:
1. Rights of data subjects and others.
2. Notification by data controllers.
3. The Information Commissioner.
4. Enforcement.
5. Miscellaneous and general.
The above areas are then broken down into more detailed provisions covering a wider range of topics.
Essentially, there are 8 main principles to the Act; these specify that personal data must be:
1. Processed fairly and lawfully.
2. Obtained only for specified and lawful purposes.
3. Adequate, relevant and not excessive.
4. Accurate and, where necessary, kept up to date.
5. Not kept for longer than necessary.
6. Processed in accordance with the rights of the "data subject" (the individual the data is about).
7. Kept secure, with appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction or damage.
8. Not transferred to a country outside the European Economic Area unless that country ensures an adequate level of protection.
Any organisation that keeps either a hard or soft copy of information relating to an individual MUST handle it in line with the above Act. There are financial penalties for failure to comply, including monetary penalty notices of up to £500,000 from the Information Commissioner, and criminal offences such as unlawfully obtaining or disclosing personal data.
Question 4 (Weighting: 10)
Explain the main differences between crisis management and risk management and give a hypothetical situation to illustrate your point. (min. 250 words)
Crisis management is the process by which an organisation deals with a major event that threatens to harm its clients, premises or assets. This major event could be man-made (terrorism, fire) or natural (floods, earthquakes). The process is carried out before, during and after any incident.
Risk management is the identification, assessment and prioritisation of risks that could have a detrimental effect on the organisation or asset, and the selection of the best ways to AVOID or reduce those risks.
Crisis management is situation-based and is designed to set out clearly how the organisation or asset would respond to an incident, which department is responsible for which area, and the overall management of the crisis from ground level to media release, so as to limit both the physical damage (property, equipment and life) and the damage to the reputation and name of the organisation. During risk management we assess each risk by its likelihood and its impact; the areas identified with the highest likelihood and impact are dealt with first, while those of lower likelihood and impact are dealt with last. The risks are then treated by means of controls, physical or procedural, and the residual risk is re-measured.
Hypothetical situation: the asset has been awarded a high-profile contract to safeguard sensitive information on secure systems for a governmental organisation.
The likelihood of a cyber attack on the system is assessed as HIGH, and the likelihood of an attack on the system from within the organisation is also assessed as HIGH. The asset has taken all necessary precautions to safeguard this information in line with the Data Protection Act, and all personnel who have access to the information have been thoroughly screened and vetted. This is the risk management stage.
However, a large attack has occurred, and the asset must now crisis-manage this breach of security for a number of reasons:
1. The information is highly sensitive.
2. Security protocols have been breached.
3. Both the asset and the governmental organisation to which it is contracted stand to be damaged.
The crisis management team had already been broken down into teams to cover each scenario, so they immediately start the crisis management process, covering the following areas:
1. A security review to ascertain where the breach occurred, inside or outside the organisation, and what was accessed.
2. Informing the client of the extent of the breach and the information taken.
3. Informing the police.
4. Depending on the confidentiality clause of the contract, issuing a press release to limit the effects of the breach.
The above 4 points merely summarise a much larger set of action points, and each department responsible would break them down further to cover all aspects of the crisis.
The 3 elements of any crisis (the threat posed to the organisation or asset, the element of surprise, and short decision times) mean that decisive action must be taken quickly.
These factors then affect the reputation of the asset, and the asset must be acutely aware of its contingency plan and of the impact on business continuity in order to limit the effects of such a loss.
A timeline of events leading up to, during and after the incident would be kept to help formulate the final report, which would then be released to the client, with a reduced version going to the press.
Question 5 (Weighting: 10)
An independent menswear retail outlet is going to start offering an online ordering facility. Discuss what contingency planning is appropriate, and discuss the issues that you think may arise that would form part of a contingency plan. (min. 500 words)
As the operation is going to be internet-based, I can foresee 3 key areas that will define the production of a contingency plan. By aligning the 3 together, the plan should be robust enough to minimise loss if anything unforeseen should occur.
Firstly, there needs to be a clearly defined objective for the plan. This needs to set out the Courses of Action (CoA) after identifying which areas are critical to the running of the business. This could include a failure of the internet system: how the data is backed up and how regularly, where the backups are kept, and a hard copy of recent orders, stock and transactions.
We then need to look at a critical function order. This is a basic checklist of the tasks that are crucial to restoring the system and any disrupted service, in priority order. By following the checklist we can avoid failures to restore the system correctly, which is particularly important if there is a shift change-over mid-incident.
Finally we should look at the activation plan. This plan should identify the key players in the restoration process, contact telephone numbers for out-of-hours contact, and who is the single point of contact for critical decision making in relation to the process.
By ensuring this process is complete and all key players are well informed of it, we can eliminate inefficiency, speed up the response to system restoration and effectively restore the service provided. It must be stressed that although the plan would be promulgated by means of documentation, it must also be exercised if possible, without disruption to the business.
The main issue I can see arising, which would form the basis of the contingency plan, is as follows:
The primary internet system in use has crashed and caused the business to go offline, resulting in no access to the secure online server and the secure online payments server. In the planning stages we categorised this type of incident as HIGH, so the business must be restored as quickly as possible.
Therefore, we must first put the contingency plan into action:
1. Activate the emergency call-out procedure for the IT Manager to begin system recovery.
2. Switch to the secondary means of internet connectivity.
3. Check the integrity of the online secure server (by telephone to the hosting provider if necessary).
4. Assume that the system will be down for a prolonged period and retrieve all hard copies of orders, finances and stock.
5. Be prepared to reconcile orders as soon as the system is restored.
As soon as the system is up and running we then need to review the CoA taken and any issues that arose from it. If needed, we would then adjust the contingency plan to take these issues into account. However, we need to balance the corrective actions against cost. The money and business lost through this type of scenario would justify having a server on the premises holding a copy of the order, finance and stock records, so that this information is not held only online and remains accessible from the company intranet during an outage. Card payment data should not be held locally; it should stay with the payment provider.
Question 6 (Weighting: 10)
The independent outlet mentioned above has a stock level discrepancy, with no records of orders, payments or goods being dispatched. What kind of information would you need, and how might you obtain that during an investigation? (min. 250 words)
Before conducting any investigation we must first ascertain the date on which the discrepancy was found. Given the nature of the business, it would also be a good idea to establish who was working on order processing that day.
The stock count/inventory must be checked as far back as necessary to show where the discrepancy begins. At this stage it could be an accounting issue, so a 100% stock check should take place and the findings reconciled against recent orders and recent stock deliveries.
The CCTV coverage of the storage area and exit should also be checked for anything suspicious on the date the discrepancy was found, although the issue most likely arose earlier, so earlier footage should be checked as well.
The system server would hold all online orders for audit purposes; it should also hold any emails sent to and received from purchasers. By filtering these records down to the period before the discrepancy was found, we could identify a failure of logistics control by one of the staff (for example a replacement was sent and the original was never booked back into stock).
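The reconciliation described above can be done systematically rather than by eye. The following is an added example, not part of the original answer: it takes a constructed set of records (an opening count, goods in, orders, dispatches and two physical counts; all SKUs, order numbers and dates are hypothetical) and, for each SKU, works out the "book" stock at each count date, reports the window between counts in which a new shortfall first appears, and lists dispatches that have no paid order behind them and paid orders that were never dispatched.

```python
"""Stock reconciliation for a small online retailer (added example on constructed data)."""
from collections import defaultdict
from datetime import date

# --- Constructed sample records (hypothetical; not taken from the page) ---
OPENING = (date(2014, 3, 1), {"SHIRT-M": 40, "JEANS-32": 25})  # last trusted count
DELIVERIES = [  # goods booked in: (date, sku, qty)
    (date(2014, 3, 5), "SHIRT-M", 20),
    (date(2014, 3, 15), "JEANS-32", 10),
]
ORDERS = [  # online orders: (order id, date, sku, qty, paid?)
    ("O1001", date(2014, 3, 6), "SHIRT-M", 2, True),
    ("O1002", date(2014, 3, 8), "JEANS-32", 1, True),
    ("O1003", date(2014, 3, 12), "SHIRT-M", 3, True),
    ("O1004", date(2014, 3, 18), "SHIRT-M", 1, False),  # never paid for
    ("O1005", date(2014, 3, 19), "JEANS-32", 2, True),  # paid, nothing sent yet
]
DISPATCHES = [  # goods out; each should reference a paid order: (order id, date, sku, qty)
    ("O1001", date(2014, 3, 6), "SHIRT-M", 2),
    ("O1002", date(2014, 3, 9), "JEANS-32", 1),
    ("O1003", date(2014, 3, 13), "SHIRT-M", 3),
    ("O1004", date(2014, 3, 18), "SHIRT-M", 1),  # sent against an unpaid order
]
COUNTS = [  # physical stock counts: (date, {sku: counted})
    (date(2014, 3, 10), {"SHIRT-M": 58, "JEANS-32": 24}),
    (date(2014, 3, 20), {"SHIRT-M": 49, "JEANS-32": 34}),
]


def expected_stock(as_of, opening=OPENING, deliveries=DELIVERIES, dispatches=DISPATCHES):
    """Book stock per SKU on `as_of`: opening count + goods in - goods out,
    using only records dated after the opening count and on or before `as_of`."""
    start, levels = opening
    book = defaultdict(int, levels)
    for d, sku, qty in deliveries:
        if start < d <= as_of:
            book[sku] += qty
    for _, d, sku, qty in dispatches:
        if start < d <= as_of:
            book[sku] -= qty
    return dict(book)


def discrepancy_windows(counts=COUNTS, opening=OPENING, **kw):
    """Compare each physical count with the book figure and report, per SKU, the
    window between counts in which a new shortfall (positive) or surplus
    (negative) first appears. This narrows the period to check on CCTV."""
    findings = []
    prev_date, prev_diff = opening[0], defaultdict(int)
    for count_date, counted in sorted(counts, key=lambda c: c[0]):
        book = expected_stock(count_date, opening=opening, **kw)
        diff = {sku: book.get(sku, 0) - qty for sku, qty in counted.items()}
        for sku, d in diff.items():
            new = d - prev_diff[sku]  # only the change since the previous count
            if new:
                findings.append({"sku": sku, "window": (prev_date, count_date), "missing": new})
        prev_date, prev_diff = count_date, defaultdict(int, diff)
    return findings


def dispatch_anomalies(orders=ORDERS, dispatches=DISPATCHES):
    """Goods out with no paid order behind them (stock leaving without payment),
    and paid orders with nothing dispatched (a customer still owed goods)."""
    paid = {o[0] for o in orders if o[4]}
    sent = {d[0] for d in dispatches}
    unpaid_or_unknown = [d for d in dispatches if d[0] not in paid]
    paid_not_sent = sorted(paid - sent)
    return unpaid_or_unknown, paid_not_sent


if __name__ == "__main__":
    for f in discrepancy_windows():
        print(f"{f['sku']}: {f['missing']} unit(s) unaccounted for between "
              f"{f['window'][0]} and {f['window'][1]}")
    bad, owed = dispatch_anomalies()
    print("dispatched without a paid order:", [d[0] for d in bad])
    print("paid but not dispatched:", owed)
```

On the constructed data this reports 5 units of SHIRT-M unaccounted for between the 10 and 20 March counts, one dispatch (O1004) made against an unpaid order, and one paid order (O1005) not yet sent. The window, not the discovery date, is what the CCTV review and the staff rota should be checked against.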
If we cannot find any issues with stock control, logistics or payments, we should then consider interviewing members of staff. Having looked into the above points first, we should have a clear idea of who was working on the days in question, and these would be the first people to interview. When conducting these interviews we need to be acutely aware of how they are conducted; by being too suggestive or aggressive we could expose ourselves to a claim against us.
We must also be aware that unless an interview has been conducted by a police officer under caution, it will not carry the same evidential weight. Any evidence gleaned from the interviews must be corroborated by other means, such as witness statements, if a clear case of theft is identified, and CCTV footage must clearly show any illegal act.
Once armed with this information it will become apparent whether it was an internal issue (false accounting, incorrect handling of stock, etc.) or an external issue (theft from an outside source). If it is warranted, I would then suggest that the evidence gathered be passed to the local police for further investigation.