regulation

The key to supply chain security: How to protect your data

The landscape of security and access control has changed markedly over the last decade with the introduction of technology that allows for traceability and time management of mechanical keys. This has changed the conversation and passkeys, cryptographic keys and encryption keys are all becoming more commonplace. By default, we’ve become obsessed with cybersecurity and high-profile cases of data theft and loss are rife.

Research shows that 93% of large organisations and 87% of small businesses experienced a security breach in 2013, with affected companies experiencing roughly 50% more breaches than in 2012. Although keys provide access to critical assets, including servers that hold customer data, and offices where customers’ accounts are managed, we see many organisations that don’t know how many keys they have in circulation, or where they are at any given time.

The supply chain

For organisations handling any kind of data, great importance must be placed on resilience within the supply chain. When considering exposure to risk, physical supply chain management presents a number of unique challenges. Add to this the complex risks that cybersecurity poses, and ensuring a safe supply chain environment can seem like an impossible task. How stable are your suppliers, do you know where they get their products from, how safe and protected are their assets, and how robust are their own relationships with their suppliers? Mitigating risk can involve identifying dependencies and vulnerabilities that can impact on supply chains. Increasing the visibility of these areas allows organisations to anticipate their impact and plan for contingencies.

Data protection

When it comes to the security of your data, areas that need to be considered include:

  • What information are you sharing within your supply chain?
  • Where is the data located?
  • What are your suppliers doing with that information?
  • Are they reselling that data?
  • Is there a data controller and processing agreement in place?
  • Are they prepared enough to comply with the General Data Protection Regulation (GDPR)? Enforcement date: 25 May 2018.
  • How would you deal with a data breach?

The GDPR is a binding legislative act that will come into force across the EU (including the UK) next year. The regulation seeks to harmonise inconsistent data protection laws currently operating in the EU’s member states and aims to facilitate the secure, free flow of data.

If an organisation fails to comply with the regulation it could be fined up to 4% of the company’s global annual turnover and could severely damage its reputation.

The secure option

To combat these risks, Abloy UK offers a high level of both physical protection, with its high-quality locking solutions and data protection using only accredited software and infrastructure providers, compliant with European and National standards for physically secure key systems. PROTEC2 CLIQ, an electronic key system where all power is retained by the key or locks themselves, requires no wiring; users can change permissions, profiles, schedules and validity and revoke use at the CLIQ of a button; organisations can comprehensively track and audit who has access to which locations, when they had access and how often; and uses three factor authentications standard 256-bit encryption, advanced encryption and industry standard SHA-2 SSL certificates. When it comes to data security within your supply chain don’t leave anything to chance, mitigate the potential risks in advance and only use suppliers you can be sure will keep your data secure.


Investigation into unlicensed festival stewards should prompt rethink of security licensing, says industry executive

Photo: William Starkey and licensed for reuse under this Creative Commons Licence.

The licensing regime for security businesses should be beefed up, according to the managing director of a leading security services provider. Following news that a security firm is under investigation for allegedly supplying cloned badges to unlicensed stewards at UK festivals this summer, Abbey Petkar of Magenta Security has suggested that business licenses be introduced.

The Security Industry Authority (SIA) has launched an investigation into LS Armour Security Ltd of Barry, south Wales, following a compliance check. The SIA took unprecedented action due to public safety after an inspection led to two arrests and the seizure of business records. The SIA has also written to event organisers that have previously used the firm or have future bookings with them.

“It is obvious rogue traders, whether individuals or organisations, are still blighting the industry and more needs to be done,” said Petkar, whose firm is carbon neutral and rated among the UK’s top 5% of private security companies by SIA-ACS. “Too many times I have witnessed customers realise they have made a costly mistake by working with these companies. Unfortunately, it is not always easy to tell the legitimate providers of professional security services from the rogue operators. And that’s why I think it is essential that further regulation is required, in the form of business licences.”

Licensed at firm-level

“Tougher regulation would ensure that all legitimate security service providers are licensed at a firm-level in addition to the individual officers. Not only would it benefit professional security companies, but ultimately the safety of our clients. With such a large amount of people operating in an industry, it is necessary to improve regulation to maintain the legitimacy, standards and the reputation of firms and individuals that provide a quality service.”

He argues that the Approved Contractor Scheme, which is currently voluntary, should be made mandatory, especially given limited parliamentary time to consider fresh legislation with Whitehall consumed by Brexit.

“Legislative time to discuss business licences will not be available,” continues Petkar. “However, if the current ACS framework was used and became compulsory, it would allow security companies to become accredited and offer a platform on which people can be assured that they are dealing with reputable organisations, and I believe this is something which should be considered as a viable alternative until such a time business licences can be introduced.”

An SIA spokesman said in a statement: “This type of unlawful conduct remains rare due to responsible organisers and security providers conducting appropriate due diligence. Nevertheless, the SIA understands that at this time of year, event organisers and primary contractors may not have sufficient SIA-licensed staff, which can lead to extensive sub-contracting. This provides opportunities to rogue providers that, with appropriate checks by organisers and primary contractors, can be largely mitigated.”

The letter to other organisers, written by the SIA’s deputy director, said: “If SIA-licensed staff arrive on site and are unknown to you, you must take all reasonable steps to ensure the person named on and in possession of the licence are the same person by requiring them to provide further evidence of identity. This will mitigate the risk of the cloned licence.”

Responding to the allegations, LS Armour Security Ltd’s director Erica Lloyd told the BBC: “As a company we have only been made aware of one arrest as a result of a cloned badge, and this individual was cautioned by police and subsequently released without charge. At this point this individual was contacted by LS Armour and told he would no longer be employed for any future events.”

She said that the SIA’s system to verify licenses, the Register of Licence Holders, was “simplistic and inadequate”.


State surveillance | Liberty

State sanctioned surveillance against specific individuals takes place on a massive scale, using the broad and confusing framework created under the Regulation of Investigatory Powers Act 2000 (RIPA) which regulates the use of and access to surveillance by public bodies. This involves five types of different surveillance:

  1. Interception of communications e.g. listening to telephone calls, reading letters and emails
  2. Intrusive surveillance e.g. placing bugs and filming in private places
  3. Directed surveillance e.g. filming and covertly monitoring specific people generally in public places
  4. Use of covert human intelligence sources e.g. informants and undercover operatives
  5. Accessing communications data e.g. accessing the record (but not the content) of emails, telephone calls and websites visited.

Under RIPA hundreds of public bodies have access to the last three types of surveillance including over 470 local authorities. Surveillance can be authorised for a wide range of purposes which includes such vague purposes as preventing disorder or collecting tax.

Interception of communications and some types of intrusive surveillance are authorised by the Home Secretary and other types of surveillance are largely self-authorised. Liberty believes that RIPA must be reformed to ensure that intrusions into personal privacy are all properly authorised and comply with human rights principles of necessity and proportionality. The main changes we are calling for are:

  • Surveillance requests (including interception, acquisition of communications data, use of Covert Human Intelligence Sources etc) must be subject to prior judicial authorisation. There is growing consensus on the need for judicial not political warrantry.
  • No new Snoopers’ Charter powers to require communications companies to store more and more revealing types of our communications data. David Anderson warned that the case had not been made [1].

    Only Russia requires service providers to routinely store the weblogs of all their customers.

  • Surveillance should be conducted only for a narrow range of tightly defined purposes, i.e. investigation of serious crime and other legitimate objectives such as preventing risk to life, instead of the vague and non-crime related purposes currently permitted, e.g. for communications data.
  • All surveillance powers should be publicly disclosed and the safeguards and processes for authorisation set out in primary legislation. This is not currently the case at least with regard to CNE aka hacking.
  • Improved redress mechanisms for those subject to unlawful surveillance: the IPT should be overhauled and made more transparent with a right of appeal and an ability to make declarations of incompatibility, and once an investigation has been completed, or once a person is no longer under any suspicion, he or she should be notified of the relevant surveillance unless there is a specific reason for maintaining secrecy.
  • The bar on the admissibility of intercept evidence, properly obtained, in criminal proceedings should be lifted. Why is this vital evidence not used to bring perpetrators to justice?
  • Legal and proportionate arrangements for the sharing of surveillance data should be agreed between the UK and foreign States, made publicly available and incorporated into law.
  • Improvement of Mutual Legal Assistance Treaties (MLAT), the appropriate legal route for the UK authorities to obtain data from foreign tech firms, should replace attempts to place extraterritorial obligations on overseas service providers.
  • Legislative protection against the breaking of encryption standards.
  • A targeted as opposed to blanket approach to communications data retention and interception.

Liberty’s position on RIPA is set out in greater detail in this consultation response (PDF) [2].

In June 2013 the Snowden leaks revealed that GCHQ, the UK’s eavesdropping agency, is intercepting and processing billions of communications every day and sharing the information with the US. This includes recordings of phone calls, the content of email messages, entries on social media sites and the history of an internet user’s access to websites. All without public acknowledgement.

The project Tempora has been in existence since the beginning of 2012. The leaks also suggest that the US authorities have similarly breathtaking and direct access to global communications via the world’s biggest internet companies. This secretive programme is known as PRISM and reports suggest that the UK also accesses this data. In May 2013 the Draft Communications Data Bill was notable by its absence from the Queen’s Speech. It would have required internet and phone companies to retain records of our calls, emails, texts and web visits.

It now appears those who failed to make the case for the Draft Comms Bill already smuggled a more intrusive Snoopers’ Charter for blanket surveillance through the back door. Liberty has filed a claim against the British security services for their role in PRISM and Tempora. We will be lobbying and campaigning for urgent amendment to the outdated laws governing surveillance and an end to blanket surveillance of the population.

References

  1. ^ David Anderson warned that the case had not been made (www.liberty-human-rights.org.uk)
  2. ^ consultation response (PDF). (www.liberty-human-rights.org.uk)

UKCMA calls for views on regulation roadmap

The UK Crowd Management Association is meeting on 8 January to discuss its formal response to the Government’s proposed changes around private sector security regulation.

The UK Crowd Management Association (UKCMA) has always supported the Security Industry Authority (SIA) in its aims to improve standards and public confidence in the private security sector. According to the UKCMA, the SIA “has been an overarching independent regulator, providing a central focus and licensing scheme for the industry”.

The Government’s proposals for the future of regulation, which are out for consultation, move to transfer responsibility to a new regulatory regime wherein the industry will play a greater role. The UKCMA will now meet on 8 January to agree on a formal response. While the organisation states that there are some good points to the proposals, it also points out that “there is still significant uncertainty in several areas” which it has duly highlighted.

  • The financial burden to businesses is being severely underestimated, with small businesses and individuals bearing a disproportionate cost
  • Individuals entering the business may have an unclear, restrictive route to attain a license
  • In the absence of an independent central body, who will own and manage all of the license data and could this create a data privacy problem?
  • There is an underlying assumption that the industry has matured sufficiently since the Private Security Industry Act 2001 came into being to take on self-regulatory responsibility – the industry faces a real danger of becoming fractured under an unelected regime
  • A body run by unelected private heads of business is likely to favour commercial interests and biases rather than the needs of the wider industry
  • The public confidence built over the last decade in the private security sector could soon be diminished in a sector awarding its own licenses
  • The likely make-up of the new overarching authority will be dominated by the static guarding sector rather than event specialists, which would be a very regressive step for the live events sector

On its website, the UKCMA comments: “It’s imperative that we respond as an association, and we encourage all companies and individuals to respond and raise any concerns you may have via the following links…”:

  • The Future Regulatory Regime for the Private Security Sector
  • Private Security Industry Future Regulatory Regime: Impact Assessment
  • Respond to the Consultation

Further information is also available on the SIA website. Indeed, the Regulator has issued another Update encouraging industry responses ahead of the closing date. All companies and security professionals are urged to read the consultation documents and formally respond by 15 January 2013.

Global Security Summit Question Time: Bill Butler

Security Industry Authority chief executive Bill Butler answers some of Info4Security’s key questions relating to October’s inaugural Global Security Summit.

Info4Security (I4S): Why have you chosen to be part of the speaker programme for the inaugural edition of the Global Security Summit?

Bill Butler (BB): The Global Security Summit represents an excellent opportunity to share our plans for the future regulation of the industry and our thinking on improving regulation with a wide and informed audience.

The event also affords me the opportunity to meet with key players in the industry and to hear their key issues on private security and what they need from the Security Industry Authority (SIA).

I4S: What do you hope to realise by speaking at the event?

BB: I hope to reinforce our messages on private security regulation, and to engage with those who buy, supply from or otherwise rely on the industry.

I also hope to continue the debate on the benefits and responsibilities of regulation, skills and competencies, in particular focusing on the additional training for door supervisors (including physical intervention) and the international view of the future of the industry.

I4S: What’s the main focus for your own organisation in 2013 and beyond?

BB: Our main focus will remain the protection of the public: that is first and foremost what the SIA is all about.

In doing that we will be working towards a new focus on business licensing, ensuring that there are standards for fit and proper businesses across the industry and improving the ways in which we deliver our services making them more accessible and straightforward for those working in the industry. The Home Office has said it expects the legislative changes that will support this to be in place in 2013. We need to make sure that we can deliver the new regime, and that the industry and individuals alike are aware of the changes being made.

I4S: What will regulation look like in the future? What needs to change, and how will we get there?

BB: Regulation in the future needs to shift its focus towards business licensing.

We need common and effective standards for a level playing field across the industry. There will still be a register of individuals working in the industry, but we need businesses to take greater responsibility for those working within it. We hope that businesses will be expected to demonstrate that they’re fit and proper against published standards, and that they’re competent against British Standards across those sectors in which they operate.

The Approved Contractor Scheme (ACS) has been very successful and has members across all sectors and from all sizes of business, in turn showing what good businesses can achieve. We expect Government consultation on these proposals to start soon. There are also changes in the regulatory environment.

From October, vehicle immobilisation licences will not be valid, other than in Northern Ireland. From February, door supervisors will be required to have completed additional training, including physical intervention training. This is, in my view, important for public safety and the safety of those working in the industry.

It’s also important that the Regulator can support the development of skills for those already licensed in order to reflect changing needs and professional standards. We have also said that we favour the licensing of the private investigation sector. This is, of course, a decision for the Government and will need to take account of any recommendations made by the Leveson Inquiry.

We have, I believe, made real progress in improving our services, improving licensing times, simplifying renewals and reducing our fees. We’re working on further changes that will make licensing more simple and accessible for individuals and businesses, and which will continue to allow us to hold down costs. Finally, successful regulation requires a partnership with those who are regulated.

We focus our compliance on those who do not comply.

We have good relations with those who do, and the input we receive from ACS Forums, sector events, Facebook feedback and events like the Global Security Summit – is key in helping us to provide and develop a regulatory regime that remains proportionate and relevant to the industry and those who rely upon it.

Bill Butler is chief executive of the Security Industry Authority

Wrexham Council Uses Controversial Surveillance Powers 47 …

Wrexham Council used controversial surveillance powers to act against residents 47 times during a three year period.

The authority used the Regulation of Investigatory Powers Act (RIPA) to deal with residents involved in fly tipping, animal welfare and creating a noise nuisance.

The figures were revealed in a report compiled by the civil rights group Big Brother Watch.

The group says that the law was introduced to prevent terrorism and serious crime and not to snoop on residents for minor offences. Earlier this year the UK government changed the law so that local authorities are required to seek a magistrate’s approval to use the powers.

In 2008/9 Wrexham Council used RIPA 28 times to investigate 13 cases of drug offences relating to tenancy enforcement, six of illegal waste disposal/fly tipping, four of anti-social behaviour relating to tenancy enforcement, three of noise nuisance, one of benefit fraud and one of counterfeit goods.

In 2009/10 the powers were employed on 11 occasions with five noise nuisance investigations, three fly tipping/illegal waste disposal, one drug offence relating to tenancy enforcement, one of animal welfare and one of counterfeit goods.

By 2010/11 the use of the law had gone down to just eight instances, all of which related to noise nuisance complaints.

We asked Wrexham Council why the act was used to investigate what in some cases appear to be relatively minor offences, they said: “Wrexham Council does not use this act for relatively minor offences. The legislation was enacted by central government and in Wrexham it has been predominately used to verify any incidents of noise pollution, and nuisance or issues concerning Trading Standards and public protection criminal actions.”

Eric Pickles, Secretary of State for Communities and Local Government stressed that the powers should not be used without proper justification: “It is important that the public can have faith that surveillance powers are being used only in those situations where serious crimes are taking place and when there are no less intrusive alternative routes of investigation,” he said.

“That’s why we need robust accountability of all state bodies, not just local authorities, to ensure these state powers are not used without proper justification, and I welcome Big Brother Watch’s continuing scrutiny and challenge.”


Mumbai murder committed by unverified security guard? | Firstpost

Srinagar, Aug 11 (IANS) The murder of a woman lawyer in Mumbai, allegedly by a private security guard hailing from Kashmir, is the result of mushrooming of unregistered private security companies across the country that do not verify their security guards as per industry norms, a top expert Saturday said.

Anil Puri, executive director of APS Group, country’s premier private security company, told reporters in Srinagar: “The incident is shocking and unfortunate. Our association (of security agencies) has laid down procedures for the appointment of security guards which include police verification, character verification, training and capacity building.”

Pallavi Purkayastha, 25, was allegedly murdered Thursday by a security guard Sajad Ahmed Mughal by slitting her throat in a Mumbai apartment. Mughal belongs to Uri tehsil of Kashmir’s Baramulla district.

“The problem is that there are numerous unregistered security agencies in the country and it is there that such problems arise,” Puri said.

Puri said steps are being taken that the government seeks mandatory registration from all the private security agencies in the country.

“We are also holding programmes on self-regulation and ethics for the staff working with registered security companies in the country,” Puri, presently on a private visit to the Valley, said here.