Sunday, September 20, 2009

AlertEnterprise Wins ASIS Accolades 2009 Security’s Best Winner Award

Re: Unique next generation software combines IT Security, Physical Access Controls and Industrial Controls to unveil blended threats.

Anaheim, Calif., September 21st, 2009 – AlertEnterprise™, Inc., a red hot software startup in the rapidly emerging space of security convergence for physical and logical security, has earned the ASIS Accolades 2009 Security’s Best Winner Award. AlertEnterprise is exhibiting its solutions in booth #2242 at the ASIS 55th Annual Seminar and Exhibits Conference.

Most industry security experts concur that physical access security, IT security, and critical infrastructure security all reside in silos. This is a huge challenge for timely detection of terrorist events, malicious behavior and fraudulent activity. Jasvir Gill, founder and CEO of AlertEnterprise, takes this mission to heart. His previous startup, Virsa Systems, was one of the most successful acquisitions by SAP to date and went on to become the heart of the SAP GRC business unit delivering application level security. “The most insidious risks are simple acts that slip between physical and logical security systems. They may not individually trigger an alert in any one system. But, in combination they create a risk that may defy detection unless your physical and logical security systems talk to each other,” says Jasvir.

The AlertEnterprise product lineup includes AlertAction, the award winning risk management, monitoring, incident and fraud detection solution that can help detect risks and offer a way to remediate these risks in real time combined with powerful alerting, automated remediation and actionable geo-spatial capabilities. Jasvir goes on to add, “Today’s win validates our belief that customers are ready to evolve to the next stage of security – the convergence of physical and logical security.” Furthermore, “AlertEnterprise delivers unique and innovative solutions that discover blended threat patterns already present in existing systems. It stitches together a fabric that completes the picture on risks that were previously undetectable and automates the process of remediating those risks. This puts us way ahead of solutions just looking at conventional security.”

About AlertEnterprise
AlertEnterprise provides the only complete solution for role-based, rules-driven access enforcement. AlertEnterprise addresses blended risk assessment and security across all logical systems, IT applications, databases, and physical systems from a single analytic dashboard, complete with auto-remediation capabilities. Additionally, AlertEnterprise delivers visual risk and event monitoring, alerting, mitigation, and analytics displayed on a geospatial map. AlertEnterprise is headquartered in Fremont, CA and on the web at http://www.alertenterprise.com/

ASIS International
ASIS International is the preeminent organization for security professionals, with more than 37,000 members worldwide. Founded in 1955, ASIS is dedicated to increasing the effectiveness and productivity of security professionals by developing educational programs and materials that address broad security interests, such as the ASIS Annual Seminar and Exhibits, as well as specific security topics. ASIS also advocates the role and value of the security management profession to business, the media, government entities and the public. By providing members and the security community with access to a full range of programs and services, and by publishing the industry’s No. 1 magazine—Security Management—ASIS leads the way for advanced and improved security performance.
###

Contact:
AlertEnterprise, Inc.:
Pan Kamal
Director of Marketing
Tel: 510-897-6712
Email: pan.kamal@alertenterprise.com

ASIS International
Vicki Moeser
Tel: 703.518.1466
Email: vmoeser@asisonline.org
Online: http://www.asisonline.org/newsroom/index.xml

Monday, September 14, 2009

Where would you rather be during an emergency? I pick California…

I visited the California Emergency Management Agency (CAL-EMA), the combination of the former Office of Emergency Services and State Department of Homeland Security. I was attending the Sacramento Area Infragard Conference.

What is Infragard, you might ask? It is a private-public partnership, with the FBI as the key promoter and sponsor of the alliance, that helps protect critical infrastructure from attack by malicious threat actors, pandemics, etc.

AlertEnterprise attended as a vendor sponsor of the event. Representatives from various state agencies, law enforcement, services and security were present at the event to learn about and discuss cyber security, bio-terrorism, and protection of the food supply. Of great interest to all was the discussion of the H1N1 Flu Pandemic and the recommendations from a CDC (Center for Disease Control) expert. I had the opportunity to present the Security Impact Zones that AlertEnterprise adds value to. These are:
1. Securing critical business applications in regulated industries
2. Securing cyber assets for critical infrastructure of national importance
3. Information Assurance and Certification & Authorization for critical assets for Federal, Military and Intelligence applications.

At the end of the session we got to tour the emergency management facility, which sported a huge situation management room. This looked more like the state house chamber, with a bank of wall-size monitors in the front to display maps, TV feeds and other information. Each seat, in concentric semicircular rows, had its own flat panel monitor, mouse, keyboard and a digital phone. Seating was assigned for key representatives from various public agencies like CalTrans (California Department of Transportation), CDF (California Department of Forestry), FEMA, California State Police and many more. In the event of a public emergency there is even a place for the Governor of California (that’s right, the Arnold himself) to arrive with his staff and be situated in a private suite located off the main floor. There’s even a special media room for the press, separated from the main floor, so that they can be updated on a minute-by-minute basis. No shortage of phone lines, data communication cables, satellite feeds, internet connections and anything else that supports staying connected while incidents are unfolding.

My hat’s off to all the dedicated public employees who are helping us at all times, during work and off-duty, to make our homeland a safer place.

Now that’s security!

Thursday, September 10, 2009

NERC CIP Compliance is Coming to a Nuke Near You…

I attended the Nuclear IT Strategic Leadership (NITSL) Symposium in Chicago last week. This was a virtual who’s who of IT experts in the nuclear space. This year’s conference was oriented towards Cyber Security. Nuclear power generation is one of the most heavily regulated industries and has been extremely stringent in implementing physical security procedures. It was good to see physical and logical security convergence getting so much air time. One of the keynote speakers, Susan Landahl, the Sr. VP of Operations for Exelon (they operate the largest fleet of nuclear plants in the country), said in the keynote address, “Cyber Security is going to rival physical security in importance. Physical and Cyber better learn to get along; in fact we need to collocate them now in the same organization”.

So how does NERC CIP figure into this? Well, as you may know (if you have been following the regulations governing utilities), nuclear plants have been exempt from NERC CIP requirements. Under FERC Order 706-B, NERC CIP extends to cyber critical assets that may not be covered by NRC regulations, particularly 10 CFR 73.54 defining Cyber Digital Assets (CDAs). The tough part is that nuclear plant cyber and IT staff have to submit a security plan with a timeline to demonstrate how they will comply with NERC CIP.

Some of the key stakeholders present in the ongoing dialog on how best to deliver security convergence for the nuclear industry were the Nuclear Regulatory Commission (NRC), Nuclear Energy Institute (NEI), Institute of Nuclear Power Operations (INPO) and of course the Department of Homeland Security (DHS). AlertEnterprise was a sponsor of the event and exhibited solutions for the nuclear industry that included compliance automation across multiple regulations, including NERC CIP and the nuclear requirements, as well as an ongoing risk management methodology. For more information please contact me at pan.kamal@alertenterprise.com.

Tuesday, July 7, 2009

Converging on an Un-Common Cure for the Chemical Terrorist

On June 26, 2009, in a congressional roll call joint statement, four powerful congressional leaders (Thompson, Waxman, Jackson Lee and Markey) called for support for the bill HR 2868, which would grant the Department of Homeland Security the authority to make the CFATS program permanent going forward. Some of the important provisions of this bill include reducing the threshold amounts of dangerous chemicals or switching to safer chemicals. Additionally, water treatment and distribution systems, waste water treatment and port facilities would no longer be exempt from complying with these safety provisions.

The risk-based approach to securing facilities and access to chemicals is a sound concept. In addition to securing the physical access and the cyber assets, it is equally important to monitor physical access to determine and track who has physical access and what they are doing with this access. The convergence of IT security, physical access security and control systems security delivers the ability to detect and identify blended threats that reside in between these traditional islands of automation.

AlertEnterprise provides security convergence software that delivers a complete CFATS solution including a risk-based approach to combining vulnerability assessments with background checks and certifications, plus the ability to monitor insider access to information, systems, assets, materials and facilities. AlertEnterprise delivers a continuous risk management environment including the ability to aggregate results from checks on production control systems such as DCS and SCADA systems to ensure that they are not operating outside of their prescribed thresholds. AlertEnterprise is the only solution that can not only measure and report on risk, but can then automate the remediation process delivering access policy enforcement – such as cutting off physical access to remote facilities at the same time as de-provisioning from the IT systems. http://www.alertenterprise.com/

Speaking of convergence, there is another kind of convergence going on that is really interesting. It is the convergence of safety systems and security systems relating to industrial controls.

The thinking goes something like this – for years engineers have designed safety processes into control systems (like interlocks designed into the electrical grid) that will trigger if things go wrong in chemical processes including temperature thresholds or explosive conditions if the wrong amount of materials are combined. The concept of Functional Safety was developed in response to the growing need for improved confidence in safety systems. Major accidents around the world, as well as the increasing use of electrical, electronic or programmable electronic systems to carry out safety functions, have raised awareness and the desire to design safety systems in such a way as to prevent dangerous failures or to control them when they arise. Industry experts began to address functional safety and formalize an approach for reducing risk in the process plant environment through the development of standards IEC 61508, IEC 61511, and ANSI/ISA 84.

Threat actors with bad intentions can target the safety systems and disable them, rendering the operations unsafe and creating the potential for catastrophic, spectacular events. ISA (the International Society for Automation), as part of the ISA 99 standards for control systems security, is adopting a framework similar to the Safety Integrity Levels (SIL) outlined in ISA 84 to classify the criticality of the system being protected. ISA 99 has created a working group in conjunction with ISA 84 (WG7) to promote the use of Security Assurance Levels (SAL) to assist in the classification of process industry installations, including chemical facilities, and categorize them based on their criticality. Bryan Singer (Kenexis), Eric Cosman (Dow Chemical), Mike Boudreaux (Emerson Process Management) and numerous other industry participants are driving the extension of this important ISA standard to consider security as part of safety when designing, deploying and operating processes and systems.

Reading this, don’t you think combining CFATS and ISA 99 for chemical process systems in a security solution makes a lot of sense?

For further information please email me at pan.kamal@alertenterprise.com; as a participant in the WG7 working group for ISA 99 I hope I can play a very small part in contributing to the security of our chemical process infrastructure.

Friday, June 19, 2009

AlertEnterprise COTS Software Perfect for DHS, DoD, Military and Intel.

AlertEnterprise delivers secure prevention and real-time detection of cross-enterprise threats in multiple systems and locations. The solutions are purpose built to minimize the threat of theft, fraud, and malicious behavior – by offering simultaneous analysis and correlation of IT, physical and control system access events. AlertEnterprise reduces the potential for economic and social disruption in critical infrastructure sectors, consistent with the mandates of Homeland Security and other regulatory agencies.

AlertEnterprise is well-aligned with requirements for managing IT security risk and compliance efforts required by the US Federal Government in all bodies of the government. Through its multi-regulatory compliance framework, AlertEnterprise supports the FISMA requirements such as NIST SP800-53A for Certification & Accreditation of systems for civilian agencies as well as DIACAP (DoD Information Assurance Certification and Accreditation Process) requirements. Additional requirements based on DISA STIGS can be implemented and deployed as add-ons to the existing software products.

AlertEnterprise participates in a number of standards bodies to drive thought leadership in the area of security convergence, including the ANSI/ISA99 Standards for Securing Industrial Automation and Control Systems. AlertEnterprise supports the development of dual-use technologies and was recently awarded the Most Innovative Cyber Security product of the year at the 6th Annual “The Security Summit” in San Diego. Additionally, AlertEnterprise was recognized as the Most Innovative company by RSA Security Conference 2009 during its Innovation Sandbox competition.

Thursday, June 18, 2009

AlertEnterprise wins Most Innovative Cyber Security Product Award

AlertEnterprise™, Inc., won the coveted Most Innovative Product award in the Information Assurance, Cyber Security and Security Software category at the 6th Annual Security Summit held May 20-21, 2009 in San Diego, California. In addition to landing the top slot in its category, AlertEnterprise delighted attendees and judges in all categories and was also named runner up for the Best in Show award.

The Security Network serves as the organizer and lead sponsor of the annual Security Summit and on-going events, including working groups and other regularly scheduled meetings. The Security Network is a non-profit public-private partnership consisting of industry, government, and academic institutions combining together to promote the development of dual usage security technologies needed by both public and private sectors. “Across the board, this year’s group of dual-use technologies were extremely impressive,” said Michael B. Jones, President of The Security Network. “Being selected as the winning product among such a high level of competition is testament to AlertEnterprise’s focus on innovation and effectiveness that will impact the security market for many years.”

AlertEnterprise bridges the single most overlooked gap in enterprise security - the true prevention and detection of cross-enterprise threats by linking physical access and IT security to ensure compliance with regulations and standards like NIST SP800-xx, NERC CIP, CFATS, HSPD, C-TPATS, MTSA, FISMA and most DoD regulations. Additionally, there is support for SOX, HIPAA, CobiT and other commercial regulations. AlertEnterprise delivers unprecedented capabilities to visualize previously undetectable threats and assists managers in remediating security risk across the enterprise. Real-time risk monitoring, geo-spatial visualization and actionable risk remediation can stop any potential theft, sabotage or act of terrorism right in its tracks.

For further information please contact me at pan.kamal@alertenterprise.com

The Hidden Cost of Downsizing

There is a hidden cost to downsizing that companies are starting to come to grips with. According to a recent story in CSO Magazine, an auditor formerly employed at a major water distribution company used his electronic key card, which was still active following his separation from the company, to get into secured facilities and wire himself $9 million before being discovered. The fraud really only got detected because he tried to deposit a stolen check as well. While the transaction was reversed in time, the perpetrator remains at large.

Based on a February 2009 study conducted by the Ponemon Institute on data loss following downsizing, 32% of respondents polled had authentication credentials that still worked following their termination. Of this number, 15% had access continue for a few hours after their termination, whereas a whopping 35% had access that continued for a week or longer! These risks are too large to ignore. The manual processes reconciling IT access and physical access cannot scale, and something has to be done now.

What about critical corporate assets - laptops, Blackberries (is that the plural?), USB thumb drives, SD cards etc.? All these things carry critical information. According to the Ponemon Institute study on data loss following downsizing, the corporate assets and information taken by departing employees were:
  • 92% of employees took CDs/DVDs;
  • 73% took USB memory sticks;
  • 17% took PDAs;
  • 9% kept their Blackberry; and
  • 3% kept their laptops.

“AlertEnterprise delivers a complete risk management approach by detecting blended threats based on access to IT Systems, Physical Access Control and applications automating specialized processes. No other security solution, not even much touted Identity and Access Management can match this”. -Jasvir Gill, Founder & CEO AlertEnterprise, former CEO Virsa Systems.

For more information on this or other security convergence issues please email me at pan.kamal@alertenterprise.com

Tuesday, May 12, 2009

CFATS prescribes a risk management approach to security

CFATS (Chemical Facility Anti-Terrorism Standards) has been enacted by the Department of Homeland Security to protect infrastructure that includes production, storage and transportation of chemicals that are hazardous in nature.

Various government regulatory agencies have created classification systems for different kinds of materials. According to the American Chemistry Council, the US chemical industry produces $755 billion in product every year. These products are categorized as:
  • Basic Chemicals
  • Specialty Chemicals
  • Agricultural Chemicals
  • Pharmaceuticals
  • Consumer Products (e.g., cleaning agents, hair dyes, etc.)

Many of these products may not be hazardous by themselves, but when combined with others may have the potential of causing great harm. Some of the chemicals of concern are classified as:

  • Toxic Inhalation Hazards (TIH)
  • Flammable Gases and Liquids
  • Security Sensitive Products - Weapons Grade Material
  • Security Sensitive End Use Markets

CFATS prescribes risk-based performance standards that include:

  • Access Control
  • Credentialing
  • Cyber Security - including control system and SCADA security
  • Record keeping, training and emergency response
  • Testing of security equipment
  • Incident Reporting
  • Deterring, detecting and delaying attacks

AlertEnterprise delivers a complete CFATS security solution:


  • Identify Covered Facility and Chemicals of Interest (COI)
  • Interface to all cyber assets - both IT and Physical Access Control Systems
  • Monitor credentialing process
  • Manage privileged access to secure information
  • Complete security vulnerability assessments and correlate to other threats
  • Accept results from existing Top-Screen or CSAT assessments
  • Deliver visual remediation management and incident management capability

Building a true cyber security program requires awareness of what people are doing with their access not only to IT systems and cyber systems, but also with their physical access to critical assets. What was the time of day? Who else was there? What assets did they have access to?

Threat scenarios that AlertEnterprise protects against:

  • Theft, Diversion, Misuse
  • Catastrophic release
  • Tampering
  • Cargo theft
  • Chemical Diversion
  • Asset theft during social and political unrest

For more information on this and other security convergence solutions from AlertEnterprise, contact me at pan.kamal@alertenterprise.com

Thursday, April 30, 2009

Will You Send Your Best Employees Home - During a Pandemic?

Sometimes managing the risk of a pandemic means protecting the integrity of operations for the rest of your staff. You may want employees who have high exposure risk to remain live on Active Directory and on ERP systems, and of course able to log in from home or other secure locations.

During these trying times physical access control policies may have to be restricted in light of unfolding events. Having a risk management process to review occupational risk and correlating it to access to critical systems will allow better decisions to be made to mitigate the risks and create remediation tasks.

Occupational Risk Pyramid for Pandemic Influenza (source: OSHA 3327-02N 2007)



Very High Exposure Risk:
Healthcare employees (for example, doctors, nurses, dentists) performing aerosol-generating procedures on known or suspected pandemic patients (for example, cough induction procedures, bronchoscopies, some dental procedures, or invasive specimen collection). Healthcare or laboratory personnel collecting or handling specimens from known or suspected pandemic patients (for example, manipulating cultures from known or suspected pandemic influenza patients).

High Exposure Risk:
Healthcare delivery and support staff exposed to known or suspected pandemic patients (for example, doctors, nurses, and other hospital staff that must enter patients' rooms).
Medical transport of known or suspected pandemic patients in enclosed vehicles (for example, emergency medical technicians). Performing autopsies on known or suspected pandemic patients (for example, morgue and mortuary employees).

Medium Exposure Risk:
Employees with high-frequency contact with the general population (such as schools, high population density work environments, and some high volume retail).

Lower Exposure Risk (Caution):
Employees who have minimal occupational contact with the general public and other coworkers (for example, office employees).

Correlating key employee exposure risk to IT system risk and to physical access risk can deliver a much better way to secure the enterprise against the threats posed by pandemics. Think about this when considering staffing for critical infrastructure, datacenters and a lot of critical services that we rely on functioning even in the face of widespread disruption.

Want to discuss this more? Email me at pan.kamal@alertenterprise.com

Thursday, April 23, 2009

Just returned from the ISA Symposium on Control System Security and Safety

Bryan Singer of Kenexis is the chairman of the ANSI / ISA Standard 99 for security of critical infrastructure and industrial control systems. Bryan and others led a symposium held in Houston on April 22/23rd, largely attended by oil and gas and chemical industry members. ISA is the International Society for Automation and the membership is largely control system engineers.

There was a lively discussion about the synergies between safety systems and security. A discussion about four Safety Assurance Levels or SALs helped us understand the positioning that ISA 99 is taking on defining the levels of security requirements for industrial control systems based on the criticality of the systems, with simple but effective levels 1-4. Level 4 is the most extreme, usually reserved for nuclear plant systems and the like.

I am glad to see that so much attention is being given to cyber security. There was also discussion about physical and logical security. This of course piqued my attention since that is my area of interest. If you want to learn more send me an email at pan.kamal@alertenterprise.com.

Wednesday, April 22, 2009

ISA Safety and Security Symposium taking place in Houston

I am attending the ISA Safety and Security Symposium. Control System Security is definitely a hot topic. Following 9/11, all eyes were on critical infrastructure security. We have to secure our power generation, power transmission and distribution and our manufacturing infrastructure.

Critical infrastructure can include:
1. Telecommunications
2. Electric Power generation and distribution
3. Water and Waste Water treatment and distribution
4. Oil and Gas
5. Chemical Process Manufacturing
6. Mass Transportation, etc.
7. Food processing and distribution
8. Pharmaceuticals

AlertEnterprise delivers software solutions to protect critical infrastructure. We need standards in place like the ANSI / ISA S99 to help protect our nation's critical infrastructure.

Tuesday, April 21, 2009

AlertEnterprise wins RSA Conference Innovation Sandbox - Most Innovative Company

SAN FRANCISCO, Calif., April 20, 2009 – AlertEnterprise™, a pioneer in the area of security convergence for physical and logical security, won the hotly contested RSA® Conference 2009 Innovation Sandbox and secured the top spot as Most Innovative Company at the RSA Conference 2009 being held in San Francisco. Nine other startup security companies presented to a panel of judges made up of security industry experts selected by the conference.
AlertEnterprise is bridging the single most overlooked gap in enterprise security - the true prevention and detection of cross-enterprise threats by linking physical access and IT security to ensure compliance with regulations and standards. AlertEnterprise delivers unprecedented capabilities to visualize previously undetectable threats and assists managers in remediating security risk across the enterprise.
The RSA Innovation Sandbox started out with fifty contestants being evaluated by an online community. The top 10 finalists got to demonstrate their products in an open forum and then make a three minute pitch to the judges in order, describing the business value, the problem they were solving and articulating the impact they would make in the market. AlertEnterprise led on all counts.

www.alertenterprise.com

Monday, April 13, 2009

AlertEnterprise named to Top 10 Most Innovative at RSA 2009 Conference

Most industry security experts are generally aware that physical access security, IT security, and critical infrastructure security all reside in silos. This is a huge challenge for timely detection of terrorist events, malicious behavior and fraudulent activity. Jasvir Gill, founder and CEO of AlertEnterprise, takes this mission to heart. His previous startup, Virsa Systems, was one of the most successful acquisitions by SAP to date and has become the heart of the SAP GRC offering delivering application level security. “The most insidious risks are simple acts that slip between physical and logical security systems. They may not individually trigger an alert in any one system. But, in combination they create a risk that may defy detection unless your physical and logical security systems talk to each other,” says Jasvir.

The AlertEnterprise software products work with existing enterprise systems and physical access control systems delivering incremental return on investments in applications like ERP systems, IT security automation solutions and critical infrastructure management solutions for energy management, oil and gas, chemicals processing and mass transport. Jasvir goes on to add, “We are pleased to be selected as one of the top 10 companies to participate in the Innovation Sandbox at the RSA Conference. In today’s economic climate enterprise customers are asking companies to be more creative by delivering solutions that integrate right into their infrastructure”. Furthermore, “AlertEnterprise delivers unique and innovative solutions that discover blended threat patterns already present in existing systems. It stitches together a fabric that completes the picture on risks that were previously undetectable and automates the process of remediating those risks. This puts us way ahead of solutions just looking at conventional security.”

RSA® Conference is being held in San Francisco April 20-24, 2009 at the Moscone Center