Category Archives: Workplace Safety

“She did everything right!” – The great benefit of security awareness, training, and common sense

On Tuesday, February 21, there was a report of an active shooter at Ben Taub Hospital in Houston.  The subsequent “Code White”, broadcast on the hospital PA system, prompted an immediate evacuation and Houston PD launched a full SWAT response.  It was great to hear how one articulate, smart employee reacted when panic spread among her co-workers.  She told a KHOU reporter:

  • I locked and barricaded my door
  • I turned off my light
  • I put my phone on silent
  • I turned off my computer
  • I pushed my chairs against the door
  • I texted other employees
  • If your phone is on silent he may not even know where you are and you can communicate safely with others
  • It is unfortunate and it is just a different time. The world is constantly changing and we just have to be ready.

She remained in this self-imposed lockdown until the Doctor for whom she worked told her it was time to, and safe, to evacuate.

Whether she learned from a formal training session, from TV, from a poster on the wall, I am not certain.  I know she responded well and I know that basic awareness and response training can save lives by giving people the confidence to react calmly, organize their thoughts, and do the right thing under pressure.

Policy Procedures and Standards Made Simple

As a public safety officer, I was once tasked with writing instructions for loading pre-connected hose lines on fire trucks.  While a straight forward task, a mistake or simple misunderstanding by a firefighter could have serious consequences, delaying rescue and/or getting water on the fire. Writing clear step by step procedures was a challenge and also great training, especially when the procedures would be tested on the fire academy training ground.

I have been engaged in policy and procedure development for security, safety, environmental, and chemical management functions since 1981.  I believe I have learned a few things:

Clarity and Enforceability – keep it simple and straight forward, not only to help employees understand the rules and guidelines, but to enable enforceability for violations of company policy, a key concern today of Human Resources.  How well will the policy stand up in court?

Consistency in Format and Template – Following a consistent template for all policy and procedures makes it easy for employees to find the information they need and enhances their understanding of requirements.

The Distinction between Policy, Procedure, Standard and Guideline.

Definitions based on NIST (National Institute of Standards and Technology) and SANS Institute standards include:

  • Policy – A policy is a system of principles to guide decisions and achieve rational outcomes. A policy is a statement of intent, and is implemented as a procedure or protocol.   Policy is generally drafted to foster enforceability.
  • Procedure – A set of business processes, activities and tasks that, when implemented, contribute to accomplishing a policy goal. Procedures are often step by step instructions and are drafted to be enforceable.
  • Standard – A document that provides requirements, specifications, or characteristics that can be used consistently to ensure that materials, products, processes and services are fit for their purpose. Often a minimum standard that must be followed.
  • Guideline – Recommended practice that allows some discretion or leeway in its interpretation, implementation, or use.

The Policy Catalogue – How does a company make it easy for employees to find the policy and procedures they need?  During a project last year, we conceived the idea of a “Policy Catalogue”, a well indexed online document that contained all IT policies and the subordinate procedures, standards, and guidelines for each policy.  The catalogue Table of Contents, in one quick glance, showed not only where to find what was needed, but how the whole policy system was organized.

Don Greenwood & Associates, Inc. has an extensive library of asset protection and security policies and procedures, as well as model security standards, manuals, and post orders.  We also have a well catalogued collection of IT governance and IT security policy, procedures and standards.  For procedure review and development ideas, contact us at don@greenwoodsecurity.com.

The Penetration Audit – A Powerful Training Tool

Picture a large manufacturing facility with a robust security infrastructure: access controlled gates and entry doors, security guards on post and roving, monitoring with CCTV cameras, and perimeter intrusion alarms. Here all employees have participated in security awareness briefings. Management decided to test their employee’s response to intrusion by conducting a Penetration Audit, and the results were disappointing. On the flip side however, the after action review with the employees was in itself a powerful training tool.

A consultant was hired who during the daytime climbed over the fence wearing street cloths and carrying a backpack and a clipboard. He wandered through various buildings and processing areas. As he walked he encountered more than a dozen employees. Many greeted him with a nod. Two employees stopped him and said that fire resistant attire (FRC) was required. The consultant said his FRC gear and hardhat were in the backpack and he would go change into them. One employee showed him the location of a change room for that purpose but did not stay with him.

No one asked what he was doing, who he was, and no one reported him to Security. The positive benefit came when management met with employees for an after-action review. One can bet that in the future strangers on site in this facility will be challenged and reported to security. One can also ask how different the outcome of the audit would have been if it were pre-announced.

Years ago, the security department at Apple hired a smart PI to test security. His mission was to get into the many facilities without screening by the lobby security guards, then leave out the same lobby obviously carrying a large box. On his first audit run nine of ten security officers failed to stop him. He was a glib talker wearing a suit and his demeanor intimidated most of the guards. Again, no one reported him to security management. As a Security Manager, I always preferred to pre-announce penetration audits and did so for the second run of the audit in a different set of buildings. This time, the auditor found the guard force tuned up and 90% of the guards did the job right, stopping the man, asking for ID, and escorting him out of the building.

The results of penetration audits can be surprising to management whether pass or fail. The value of these exercises as training moments that become imbedded in their long-term conduct is significant; either way – surprise audits or pre-announced penetration tests.

Article on Developing a Workplace Violence Plan

Don Greenwood was interviewed for an article for HRTools.com on Developing a Workplace Violence Plan:

Top 3 Things Your Workplace Violence Plan Should Contain
By: Jennifer Leahy | Wednesday, December 01, 2010

Perhaps everyone who works in your office gets along perfectly and there is never a cross word. Maybe all of your customers and suppliers are equally as delightful and would never harm anyone under any circumstance. Most companies aren