
Monday 21 June 2010

£3m 'anti-terror' CCTV cameras 'set up to spy on Muslims' to be covered

The 218 cameras have sprung up in Birmingham’s Washwood Heath and Sparkbrook areas – to the outrage of residents who say they were not asked. They have been paid for with £3million from the Association of Chief Police Officers’ terror and allied matters fund.
None of them will be used until a public consultation exercise has taken place.
Rodger Godsiff, Labour MP for Hall Green, said: ‘Police have got themselves into a bit of a hole now because they have a difficult problem to explain to the public and try and get them on their side. ‘If the money did not come out of a counter-terrorism budget they may have got a different reaction.’
The Respect Party’s Sparkbrook councillor Salma Yaqoob said: ‘In terms of reassurance it’s going to take a lot more than plastic bags.’ The police say the cameras are there to fight all types of crime.

Wednesday 2 June 2010

How to Provide Security Assurance in 9 Easy Steps!

The following is proven to work across all security disciplines including Physical Security, Personnel Security and Electronic Security. I know the thought of inviting Auditors into your areas of responsibility is a little daunting but if used correctly this can really be a very effective tool and can also be utilised to provide some free consultancy advice.

In conjunction with management you should produce and deliver an Annual Programme (1) of risk based audits aimed at ensuring security risks are identified and effectively managed. It is more than useful to obtain senior executive level approval that is communicated throughout your organisation and that clearly sets out the objectives, authority and responsibilities of the Department conducting these security audits.


Once high level approval is obtained you need to develop a structure as to how these security audits should be done and who needs to be involved. Below is an idea for a structure that could be adopted once the business area or security risk owner (also known as an auditee) has been identified.

A Planning or Opening Meeting (2) should be arranged between you and the auditee to agree areas of scope and to gain a better understanding of their business area. This meeting will include discussion of: appropriate questions to enable the level of risk maturity to be determined, confirmation of your understanding of the purpose of the area under review, the objective and scope of the audit, agreement of the key risks, any concerns the risk owner may have which need to be addressed, and agreement of key contacts and dates. This information then sets out the detail that is captured in an Engagement Letter (3), and once complete this letter is issued to the principal auditee(s) before fieldwork starts. I see the engagement letter as an essential document because it enables and drives the auditee and other key staff to have an input into the audit, clarifies the work that will be done, confirms the timing of the audit, ensures that the appropriate resource has been assigned to the audit, and establishes the responsibilities of all parties.

Once you have identified your resource, the security auditor/advisor/manager should create a security audit programme. The purpose of the Security Audit Programme (4) is to set out in more detail the actual testing and work that will be carried out to address each of the areas in the scope. The programme is used as a basis to effectively align the Fieldwork (5) with the risks to be reviewed. The audit programme is the document that will focus on testing the effectiveness of the security controls and other risk mitigations in place to manage the most significant risks.

Fieldwork consists of a range of activities undertaken by the auditor/advisor and may include the following: interviews with key staff involved in business processes, observation of key processes, carrying out tests of key controls, and reviewing relevant documentation. The purpose of fieldwork is to gather sufficient information to document the processes involved in the system under review and form an opinion on how well the key security risks or areas for review are being managed. The outcome of fieldwork will then form the content of the report, with a management action plan to address any findings highlighted.

On completion of audit fieldwork, and armed with a copy of the Draft Report (6), you should then meet again with the management and auditee and hold a Closing Meeting (7) where the draft report, the findings and any suggested actions to rectify them are discussed. Pending this outcome, you then notify management of the next stages in the audit process.
Most audit functions apply 4-5 Conclusion (8) titles ranging from very good, very poor to must try harder (a traffic light system is also sometimes used). It doesn’t matter what the conclusions are called just as long as they mean something to the business. Based on the assessment of the fieldwork and the content of the identified issues, a conclusion should be assigned to the audit, together with time scales giving a defined date by which the identified issues will be addressed. Owners should be named, as the audit will have a Follow Up (9) and be tested further at the agreed date. The report should then get an appropriate level of circulation to enable the business area, its managers and those that want and need assurance to understand its risk better. Depending upon the audit conclusion, the report circulation might include COE’s and other senior board members.

Tuesday 1 June 2010

Personnel Security - Something we should all be paying a lot of attention to!


Personnel security is everything involving employees: recruiting them (also known as pre-employment screening), training them, monitoring their behaviour, and sometimes handling their departure. Personnel Security relies on a system of policies and procedures to reduce the potential security risk.

In these modern times not only are organisations at risk from external threats but we also have a very significant threat from the insider. An insider is classed by the CPNI (part of the security services) as 'someone who exploits or has the intention to exploit their access to an organisation's assets'. So this could result in a number of different scenarios, including fraud, an employee who sells your company data to a competitor, or an employee who is feeding information to a terrorist organisation.


Personnel security is an area that many 'security professionals' think they understand, but in my experience actually don't. There are elements of personnel security which are managed by non-security departments, for instance pre-employment screening by HR, or it may even be outsourced to a 3rd party provider. If this is the case I recommend carrying out some of your own checks to see if they are doing what you think and expect they should be doing.

I am lucky enough to receive training from some world class experts in this area, but the level of understanding is very different from organisation to organisation. The strategic objectives for personnel security are the same for everyone, but in a private sector environment I believe it is a little more difficult. For example, government departments have a security policy framework (SPF) which includes 70 mandatory controls (supported by various baseline standards) which must be adhered to (along with an annual declaration of adherence). The private sector has not got this level of hierarchy governance, but of course there is no reason why at a local level you can’t have a similar assurance process. I would recommend any security professional obtaining a copy of the SPF, which is publicly available. It is useful and a document which I refer to regularly.

The insider threat has seen a dramatic increase in the UK in recent years, and one contributing factor to this is the advances in physical and electronic security. In order to gain access to an organisation, it is now considered easier to infiltrate it with the co-operation of an insider. The current financial crisis has also increased the likelihood of the insider threat, as staff who would normally not be tempted into exploiting their 'privileged position' may be willing to do so (e.g. for personal gain, or they may be disgruntled at not receiving their bonus etc). It is important to note that the vast majority of employees are genuine, but with a robust Personnel Security process in operation the potential insider threat is reduced and you will ensure insiders are detected quickly and efficiently.

My top 10 recommendations are:

1. Assess Personnel Security Risks and include these on your risk registers
2. Have a helpline in place for employees to confidentially report concerns
3. Know the source of employment references
4. Confirm employee has the Right to Work in the UK (a legal requirement)
5. Carry out qualification checks and check physical certificates where possible
6. Where possible complete the 'pre-employment screening' process prior to start date
7. Promote a positive security culture
8. Advise potential employees of the level of checks you use, this may deter potential insiders from joining the organisation
9. Transparency - have clear policies and procedures in place
10. Audit - to provide assurance that the systems are effective

In future blogs I intend providing some more details on each of the individual personnel security subjects which will hopefully help you going forward.

Cultural sites 'vulnerable to criminals' during 2012 Olympics

Former Scotland Yard expert warns that security focus on London games will leave museums, galleries and cathedrals open to theft

A former head of Scotland Yard's art and antiquities squad has warned that "virtually nothing" is being done to secure Britain's cultural and religious sites against criminal attacks which he claims could be sparked by the London 2012 Olympics.


Charles Hill said security around the games was focusing on Olympic sites, while many so-called "soft targets" – including museums, galleries, churches and cathedrals – are being overlooked.
Hill pointed to evidence of "high and holy day trophy art crime" being carried out when police resources are especially stretched.

During the 1994 winter Olympics in Norway, thieves stole Edvard Munch's painting The Scream from the Oslo National Art Museum and left a note that said: "Thanks for the poor security."

On New Year's Eve 1999 robbers broke into the Ashmolean Museum in Oxford and took its only Cézanne, while Rembrandts and a Vermeer were stolen from a museum in Boston – still the art world's biggest unsolved theft – on St Patrick's Day 1990.

Hill has investigated some of the most high-profile art thefts and headed undercover operations to recover works. Today, he said soft targets inside and outside the capital would be vulnerable during the Olympics, which could also be a target for terrorist attacks.

His comments came after the sports minister, Hugh Robertson, announced last week that the security minister, Pauline Neville-Jones, is carrying out a review of security for the 2012 games.
However, it has not been confirmed whether the review will include soft targets, with the Department for Culture, Media and Sport saying security was a matter for the Home Office.

Hill's concerns were echoed by Peter Osborne, a former national security adviser for the nation's museums, who said: "It is imperative that the security of [cultural] sites is not overlooked." But the directors of the Museum of London and the National Portrait Gallery said today that their security was being reviewed through the National Museum Directors' Conference, which represents the UK's national collections.

Jack Lohman, the Museum of London director, said: "We're hot on security …liaising with police. All national museums have plans, co-ordinated by the NMDC." However, Dr Michael Dixon, the chairman of the NMDC, said: "There is no specific project that NMDC is working on to consolidate security issues for the Olympic year.

"It's up to individual museums, and there are good relations with the security services."
A spokesman for the Association of Chief Police Officers said: "Museums, galleries and cultural sites typically put in place their own security measures where necessary."