“It’s important to learn from accidents and near misses in your organization. It’s important to learn from accidents and near misses in your industry.” (Gilbreath) It’s important to learn from accidents and near misses in your life. When we are discussing accidents and near misses in an occupational safety context the only on the job experience I can relate is when I was wearing inappropriate footwear, slipped and fell on the ice walking into my office one day. This was in Georgia, not Alaska, for perspective. I did not report the ice or the fall, I said to myself “I’m glad no one saw me do that.” (Davies) and blamed myself, hiding it. If I had filed a report, perhaps effort would have been made to salt that ice patch, but I feared judgement. "People use the label "human error" in different ways--sometimes as judgment, sometimes as cause, sometimes as process, sometimes as effect." (Dekker) There is the “old view” and the “new view” when looking at accidents, as discussed in the paper from the International Journal of Occupational Safety and Ergonomics, I think that the “how” as discussed in The Safety and Health Practitioner fits nicely under the “new view”. To properly learn from our mistakes it is necessary to know our mistakes, even the small ones that would otherwise escape notice. I make mistakes all the time. Sometimes I learn from them, and sometimes I repeat the same mistake over and over again. For organizational purposes, it would be helpful to implement a reporting system, making it confidential or anonymous would likely increase the usefulness as many would be more inclined to report mistakes if they felt that there was not a chance of reprimand. In this day and age I cannot imagine the system not being digital. Once there is a good catalog of incidents, it would be helpful to apply the risk matrix that we studied in our first week, crossing probability of occurrence with the potential impact.
For the two views of human error, there is the old and the new. The old view sounds very familiar in that it faults the human element as the cause of accidents, believes that systems themselves are inherently safe, that the only threat to that system is the human element, and that progress is made by protecting the system from the human factor. "Accident investigations can conclude that human error is the cause. Human error...is an adequate explanation of failure." (Dekker) The new view purports that the human element is not the cause but a symptom of a deeper failure, and that systems are not inherently safe, through practice people create safety (Dekker). While not specific to safety in the federal reporting process for the grant I manage, there is a section specific to key issues and technical problems, and also a section for best practices and success stories. This tells me that the grantor is collecting information to learn from our experiences. “A gap can exist between people's responsibility and their authority. Society and organizations can give operators the responsibility for carrying out a task safely ...., but subsequently deny them the authority to live up to this responsibility. Authority is always limited, curtailed, because real work takes place … where multiple goals compete for operator priority." (Dekker) I am here with all of you working on my MBA, through my position at work I am responsible for managing multiple tasks and people, however aside from the organizational structure of this project, most of these people are far superior in position to myself. Many have their doctorates or are high-level managers across the institution. I frequently find myself with the responsibility to carry out a task, but without the authority to do so. To further improve our organization’s safety by learning from these mistakes and reducing them is the future, we must learn about them, not only the human element.
"Finding out what technical, environmental and human factors underpin 'stupid' mistakes is crucial if we are looking at trying to prevent them from happening at all." (Davies) Studying these mistakes is vital, but too often we are looking for the cause. What exactly made something occur. Over the weekend, one of my favorite pieces of glassware was decimated. There are so many elements within the accident that it is impossible to pinpoint the exact cause. A speaker vibration made a shot glass fall from a shelf on the wall, hit my favorite glass on the bar, which shattered everywhere including on my spouse who was installing the aforementioned speaker. Now, is it the fault of the shot glass falling from the shelf, the glass for sitting on top of the bar instead of inside the cabinet where it belongs, or was it the speaker’s vibration. It could be any one of those, it could also be human error, we live in earthquake country, if a speaker vibration can knock something off a shelf perhaps it is not secure. The glass was not in the place it would have been safest, and perhaps the surroundings should have been taken into better account during speaker installation. My response, or how I am learning from this accident, is that I will make the shot glasses on the shelves more secure, so that in the event of an earthquake, or a really loud action movie, more do not rain down from above. "Accidents are a normal, to-be-expected by-product of the pursuit of success under the constraint of limited resources; the result of "normal people, behaving normally in normal organizations [with] nothing abnormal happening." (Dekker) Accidents will happen regardless, but we can learn from them and try to decrease the occurrence and ferocity.
I always enjoy it when what I am studying lines up with work. I love the quote in the video attributed to Peter Drucker “What gets measured, gets managed.” (Gilbreath) although I am unable to locate the exact quotation. I work with performance measurement, metrics, and a dashboard on a daily basis, though not for safety. A dashboard is such a versatile tool, “It offers a road map and benchmarks to measure … effectiveness because the performance measurements identified through strategic planning are key indicators of ... performance." (Butler) The graphic in the introduction to dashboards is also helpful to illustrate the idea that this is all a continuous process, you review the dashboard then you evaluate and plan, then you evaluate the dashboard again, and so on. The concept is the same and applicable across many business functions. For example, I manage an $8.1M project from US DOL. We have quarterly and annual reporting that we have to do so that DOL can see where their money is going and if it is being used effectively. These were both due today. The whole point is to provide brief training to facilitate employment in high wage jobs, especially for special populations here in Alaska. The metrics are broken down by unemployed and incumbent workers, number employed post completion, wage increases, gender, ethnicity, race, veteran status, TAA eligibility, and other quantitative measures. Qualitatively we have to answer for cross-consortium cooperation and teamwork, recruitment efforts, public perception, etc. Monthly all tasks have to answer qualitatively how things are progressing, quarterly they have to document and report. Weekly, I meet with the project PI to check the dashboard. The Fort Stewart Command in Georgia has one of the most publicly stated safety performance measurement systems I have ever seen. There are digital signs near all base entrances that say how many days it has been since the last fatal accident occurred.
If it reached 100 days, soldiers received the day off. Sadly, it didn’t reach 100 days very often. Still, this was an organization committed to a safety culture. There were long stretches of road responsible for most of these fatalities, and they were peppered with billboards utilizing often morbid, but attention grabbing, phrases about safety. For example, “A seatbelt may wrinkle your pants but the windshield can wrinkle your face.” The performance measurement process is complex if you drill down, but it is a process like any other. Create your framework using mission and vision, safety objectives, and performance measures. (Janicak). These are tools that many professionals are already familiar with for multiple functions, the key is to apply it to safety. The eleven discrete steps for the performance measurement process are all integral to development and implementation, but I think number eight is especially important. We can do all the other steps, but if we do not compare what we are doing with what we want to do we have no way to improve. Safety performance measurements are important, but they are not infallible. Return to the fatalities displayed, while it brought the largest issue they were combatting to the forefront it did not prevent its occurrence. The two biggest takeaways from “Improving safety in small enterprises through an integrated safety management intervention” were that even in small organizations, management must be a strong supporter. The meetings held with the management of the study participants focused on this support. The other fantastic inclusion was that of the Safety Toolbox in Appendix 1. Small businesses are often short on funds and are not likely to have a dedicated safety manager much less a whole department. Utilizing the toolbox could assist many small businesses in implementing an integrated safety improvement initiative “composed of "problem-solving process" and "culture-change process."” (Kines, et al).
The workplace is shifting to one where wellness programs are not unusual. More and more companies are embracing the idea of integrating wellness plans. This cannot be a surprise after reviewing the numbers, what company would not want a 3 to 1 return on investment (Gilbreath) in their employees? There are many ways to implement, and many models to choose from. The underlying theme is that "Sustainable results cannot be achieved without the support of senior leadership to create the vision for a healthy culture, align workplace policies, provide tools for improvement, reinforce the culture of health through incentives, and measure outcomes that drive success." (Loeppke, et. al.). What really caught my eye is that I do not feel as though the sample used in the Loeppke article is a fair picture. The sample was predominantly white women in professional careers in the southern half of the United States. A year ago this was me, I did not have a wellness plan available to me. I also did not have an employer that cared about employee wellness, much less happiness. At my current employer there is a wellness plan, it includes the biometric testing. When I first joined the organization, I was excited to participate in an employer sponsored wellness plan. However the incentives are irrelevant for my personal situation. I do not purchase insurance through my employer, I receive it through my spouse. The fitness center is expensive in comparison to the free one already available to me through my spouse’s employer. The incentive is tied exclusively into my health insurance premiums. I don’t participate therefore the incentive is null. I still look forward to the day that I will have the opportunity to participate in an employer sponsored wellness program that utilizes all the best practices to be a healthy and successful impact in my life. I think the idea of a wellness program supported through employer leadership and offering more universal incentives is an exciting plan. 
I find the idea of a personalized website with a score and plan, all password protected is a great way to implement the wellness plan. I think that the six pillars described in “What’s the Hard Return On Employee Wellness Programs?” is an excellent way to really illustrate best practice implementation. The first pillar is multilevel leadership. If you have a company that leads by example from the top, it will flow down the organizational chart. The second pillar is alignment. If you align your organization with your wellness plan it will encourage and support success and consistency. Pillar three is scope, relevance, and quality. Wellness is about mind, body, spirit. There is more than simply physical health that makes up the full picture of wellness. If you are going to implement a wellness plan, do it. As the old adage goes, anything worth doing is worth doing right. Do not do a disservice to your organization and your employees by implementing a half assed wellness program. Pillar four is accessibility. Cost is a factor for most employees. Setting the financial incentive that is null for me at my current employer aside, if participation in the wellness plan meant free access to the onsite fitness center I would be a happy participant. The fifth pillar is partnerships. Partnerships within and without the organization are key to successful wellness. The sixth and final pillar is communications. If an individual is unhealthy they are likely aware of this. It can be an embarrassment for many. You have to overcome all those barriers to communicate about and for the program. (Berry, et. al.)
So much of the industry I am currently working in revolves around safety. While I work at University of Alaska Fairbanks, I work on a special project from the US DOL to put the unemployed and other special populations to work in the mining sector. I am new to the mining industry, only being introduced in the spring of last year. Safety is the watchword. This is one industry where substance abuse has a zero tolerance policy. There is a whole separate safety administration, the Mine Safety and Health Administration (MSHA). One of our programs that we have developed is an accelerated Mining Mill Operations program, it is an occupational endorsement that takes place from the end of May to the end of July. There are sixteen credits. Two classes are on safety. That is in addition to the two days spent for the non-academic credit of MSHA new miner certification. While there are still incidents that happen with a sad frequency, all are conscientious in reduction and elimination efforts. I am currently at a conference for the Alaska Miners Association, this weekend there will be MSHA classes for the attendees that require them. I have had the privilege of touring a couple of the large mines here in Alaska, prior to the tours we have a safety briefing and are issued Personal Protection Equipment (PPE). For the tours that I undertook this included hard hats, earplugs, and steel toe boots. When we went underground, there are markers and lists left above ground to indicate who is inside. My spouse is an active duty soldier. The US Army is incredibly proactive in their safety, health, and employee assistance programs. There is free healthcare, there is physical fitness training and testing, there are programs to combat substance abuse, and any other ailment imaginable. Accidents still happen. Loss of life and limb is a real concern. My spouse works in the medical field. The risk of HIV/AIDS is a real concern for anyone in the healthcare field.
While we can endeavor to do all we can as employees, as managers, accidents still happen. As Professor Gilbreath mentioned in his video with examples of fatal incidents, that when we think of employee health and safety hazardous jobs come to mind, but any and every employee is at risk. Having chosen the professional path most required Human Resource training conducted upon employment is skimmed and overlooked on my part. “68 percent of office workers develop work-related ergonomics injuries, such as repetitive-stress injuries.” (Cascio). I am lucky that strides have been made in the acknowledgment and diagnosis of these types of issues and that my employer is active in prevention. In the United States, compliance with OSHA is a must. In the mining industry, compliance with MSHA is a must. Many companies do and should go beyond these requirements. Employee assistance programs and safe working conditions are one of many ways employers can make an effort toward a happier, healthier workforce. As we have been discussing in previous modules, employee satisfaction can be a preventive measure in security situations. This is only one piece of the larger pie of business health, safety, and security.
References
Chapter 15: Safety, Health and Employee Assistance Programs. In Managing Human Resources: Productivity, Quality of Work Life, Profits, by Cascio, W. F. pp. 588–631. McGraw-Hill, 2013.
Physical security is an important issue that ties into everything we have been looking at so far. As stated in the video, the criminal cat and mouse game is always ongoing and has been for thousands of years. (Gilbreath) While this is again an entire specialization and we can only hope to scratch the surface it is still worthy of familiarization. Physical Security is the protection of people, equipment, and data, in that order. Personnel, our human resources, these are our most protected asset. "Replacing experienced people beyond one or two at a time that we find with normal turnover is difficult, if not impossible, within any reasonable period of time...As people are rather fragile in comparison to equipment, they can be susceptible to nearly the entire scope of threats." (Andress). Data falls in the median on the physical security pyramid. That is not to diminish its importance, only to emphasize that of the more irreplaceable people. Protecting equipment, and the facilities that house it "falls last on the list because it represents the easiest and cheapest segment of assets to replace." (Andress). All three are important to protect, but they are all best protected when thought of as an inseparable trio. A valuable tool to see where our physical security measures are lacking is a Vulnerability Assessment. The paper by Drs. Johnston and Warner explains that a vulnerability assessment that shows no vulnerability is poorly done. Security as a whole is not foolproof. "The purpose of a VA is to improve security by finding and demonstrating security weaknesses, and perhaps suggesting possible countermeasures." (Johnston & Warner). It is important to remember to maintain the appropriate level of security with the value of the asset. It is silly to employ NORAD levels of security to protect your teenage journal, it is unlikely to be a matter of national security. Physical Security controls fall into a category of three methods: Deterrent, Detective, Preventive.
A deterrent is just that, it is "designed to discourage those who might seek to violate security controls." (Andress), examples are signs denoting that a security measure is in place. A detective, is again simply stated; it serves "... serve to detect and report undesirable events" (Andress), examples are burglar alarms or video monitoring. The final control, preventive, is again exactly as it states, "used to physically prevent unauthorized entity from breaching our physical security" (Andress), examples are mechanical locks, and high fences. Two examples that apply to all three controls are that of guards and guard dogs. The nice thing about these controls is that they are simply stated and not in any special code. Physical security of people is covered over a variety of methods. The number one thing to protect against are environmental factors. Here in Alaska we face all of the main categories in Chapter 7; especially in my mind extreme temperatures, movement, people, and fire. Luckily most of these factors are covered in most risk management plans. Data is also subject to the factors listed. To be noted, of most media storage solutions for data flash media is the most hardy. Other media are much more likely to be susceptible to the elements. Data is so closely related to technology, you cannot separate the two. This is where the security maxims from Dr. Johnston are most relevant: the Doctor Who Maxim, actor Tom Baker playing Doctor Who in the Pirate Planet stated “The more sophisticated the technology, the more vulnerable it is to primitive attack. People often overlook the obvious.” (Johnston). I had a friend who claimed that Apple products were infallible. This friend repeatedly infected her PCs with viruses due to compulsively viewing pornographic materials, but then continued behavior on her iPad (which was proclaimed invincible), and then she infected her iPad with a virus.
Sites that offer pornography are not criminal masterminds and are rather technically primitive. This is also reinforced with the Too Good Maxim: “If a given security product, technology, vendor, or techniques sounds too good to be true, it is. And it probably sucks big time.” (Johnston). I personally live by this maxim, in more than physical security. I am a skeptic, and I rarely trust unbelievable promises. Physical security is the backbone of emergency management, information security and occupational fraud and abuse. All of these subjects are intermingled and while can be discussed separately. As discussed in the previous blog, internal threats, or occupational fraud and abuse, should not be dismissed. The easiest way to overcome this is to create a happy work environment. Most environmental issues should be covered in risk management plans. Be skeptical, you will protect your assets more as a skeptic.
I really like the definition used in the chapter for occupational fraud and abuse: “the use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization’s resources or assets.” (Wells). Aside from the small experience when I worked retail of managers writing items off that were damaged and allowing employees to take the merchandise home the only other experience I have with occupational fraud and abuse was when I worked at Savannah State University in Georgia. I was the individual responsible for auditing all the travel that happened for faculty and staff at the University. It was a hostile work environment with occupational fraud and abuse running rampant, that was only for travel. Sutherland’s theory of differential association was as good as proven during my tenure there “crime is learned, much as are math, English, and guitar playing.” (Wells). The environment was one that encouraged amongst employees to look the other way for each other's benefit, to misuse the system because it was owed to you, or because you were above those rules. I had one employee that rented a three bedroom townhouse in Key West and took his family on vacation there. It was allowable because the total was equivalent to the nights stayed at the conference’s recommended hotel. It is against Georgia state policy for anyone other than a state employee to ride in the rental cars while on business travel, one employee repeatedly was caught having her child in the rental car, but because she was a senior manager there were no penalties. The president of the University had a secondary residence in Atlanta, but every time she had to travel for business she stayed at a top hotel downtown Atlanta, but because senior leadership determined it necessary. Employees take out thousands of dollars in cash advances for travel purposes and do not repay them. When I attempted to initiate payroll deductions as stated in policy I was reprimanded. 
My boss told me that I didn’t know what that person’s life was like and I was to remove that deduction immediately. While these are not true fraud, I do deem them abuse of the system and of state funding. In the chapter, there is a bulleted list of abuses that are not fraud. One of the bullets states “collect more money than due on expense reimbursements.” (Wells), this is the primary spot where I must disagree with the author. “Of the three ways to illegally relieve a victim of money-- force, trickery, or larceny--all offenses that employ trickery are frauds.” (Wells) Let me tell you a story, John Smith is a football coach for one of the worst teams in the MEAC conference of the NCAA, he spends the off-season traveling and looking for recruits. He owes a large amount of money in cash advances, but still requests more. He finally turns in some expense reports for travel, some that occurred over a year previous, so that those expenses can be reconciled and the liability of his outstanding advances reduced. While auditing these statements, I admit I am a skeptic by nature, I notice that one of the receipts from the Marriott looks like something my eight-year-old made up in MS Word. I note it and set it aside. I begin going over each of his reports and accompanying receipts, even pulling past reports that my predecessor processed. I found numerous fraudulent receipts. The Marriott had no record of his stay and confirmed the receipt was a phony. One receipt was for a hotel that was not even open yet. There were dozens of these false hotel receipts. There were fuel receipts that were not for a rental car (the only ones allowable by state policy for reimbursement), there were days indicated for Per Diem travel expenses that he was not in fact traveling. The list goes on and on. I told my supervisor. I told my supervisor’s supervisor. I called the fraud hotline. For months, and months I was dismissed.
When I continued to press the issue, my supervisor asked me if I really wanted to ruin a man’s life like that. Finally, the issue was confronted. Instead of being fired, instead of having charges filed, the expenses were written off and he was allowed to resign so he would have a clean employment history. As they told me, he did formerly play in the NFL and this was not really a case of fraud, only poor judgments. Apparently, fabrication of false receipts employing trickery is not fraudulent enough for a former NFL player turned college coach. Allowing situations like the above, and the others that I alluded to in my opening paragraph only hurts the organization when we employ Sutherland’s theory of differential association. Most of the fraud and abuse created was supported with the perceived nonsharable financial need of status gaining. Savannah State University is an HBCU in a poor state with a large number of students, staff, and faculty, that are first generation college graduates. Everyone wants to keep up with the Joneses, add in the hostility of the work environment for many, and there are two strong pressures to initiate that fraud triangle. Poor resources and controls supported the opportunity, and the rationalization was commonly a perception of being owed it. I was genuinely surprised that Hollinger and Clark were “unable to document strong relationship between control and deviance.” (Wells), if the controls had been enforced, the abuses that occurred would not have occurred with such frequency. Aside from my experiences in Georgia, I feel that Richard C. Hollinger was right on the money when he stated that “employee deviance is caused primarily by job dissatisfaction.” (Wells), if organizations promote a healthy work environment and make their employees feel valuable and, to be cliche, a part of something bigger, I think fraud and abuses would decrease. 
When you feel pride in your job, when you take ownership, you are much less likely to commit these types of acts. Nothing can prevent or reduce fraud and abuses one hundred percent, but every bit that can be prevented is money saved by that organization. I currently volunteer as the local treasurer for a non-profit, I think I will forward this chapter to my supervisor, as well as my peers, and suggest that it is recommended reading in the handbook. I cannot express how thankful I am that where I am now in Alaska, where I work now, at UAF, I do take pride, I do take ownership, and I do not see the widespread abuses here that so upset me in Georgia. If you are curious, there is a recent interesting article regarding expenses of Georgia state employees that a friend forwarded to me.
In the chapter What is Information Security? by Jason Andress "protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction," is the definition provided. All types of careers have information security issues and apply various means. Personal lives are also faced with information security issues. One example that is used in the chapter is under the confidentiality header, and that is withdrawing money from an ATM. My personal example that would be used is that as a military spouse during a wartime I attended multiple briefings on OpSec or Operational Security in regards to my spouse's unit movement. This is, in my opinion, simply a synonym of what the Hinduja and Kooi article dubbed Information Security as InfoSec. The premise was the same, do not discuss troop movements in unsecure mediums, this includes social media, personal emails and other non-encrypted electronic sources as well and in the physical sense of verbally at a Starbucks or other public locale. In the management of my TAACCCT grant to comply with reporting standards we have to collect PII from students, more so than in standard academic situations where only educational data is reported, the uniqueness of the application requires that employment and wage data is also reported. Previously, I worked in a university accounting office and had a government purchasing card with a very high credit limit, if that information was compromised there was a good chance that not only would I be liable for the misappropriation of funds but that I could lose my job or face criminal charges. Another highly relevant situation that I can apply InfoSec to was when I worked for a top defense firm on a special project for the Army National Guard. That contract position probably had the most situational crime prevention (SCP) precautions in place that I have experienced in my professional history.
I feel as though I must reiterate what my classmate Charles Hayes indicated in his blog with respect to information security and the National Guard. In truth, the idea when it comes to the United States Military and security the concept of "defense in depth" (Andress, 2011) is most certainly an understatement. On that project, I had an employee identification card to allow me access to the gated parking lot and the building. In addition to the card, I had to use a unique code to gain entry. Once in the lobby, a separate access point was for the elevators, then once on the floor an additional access point to enter the hallway, then a key for the door to my office. Once at my workstation I had to login using a complex password that had to be changed every ninety days; plus to access the remote system server hosted at the Pentagon I had to use a DOD civilian Controlled Access Card (CAC) using a chip reader that we now are seeing common place on our credit and debit cards. The specific project dealt with health records and other PII so we also had to maintain strict compliance with HIPAA regulations as mentioned in the Andress chapter. For the TAACCCT grant through UAF there are security measures in place for PII which I oversee, these include password protection and cloud storage for digital copies as well as locked doors and filing cabinets for the hard copies. My office and the offices of the individuals at the remote locations are locking doors. Inside the offices we have locked filing cabinets. Another aspect of the project includes the design of a dynamic mill simulator that is being built from the ground up, so to speak. While the initial release of this simulator will be free to the public per grant regulations, the hope is that later releases can be sold and used as a revenue stream for the research unit. If the logical assets of the programming code is compromised that can harm long-term goals. 
In the video by the Professor Gilbreath, the logical assets for this simulator is termed "intellectual capital" and does merit protection. A real concern at my office for information security was covered in my previous blog 'Indentifying Threats and Preparing for Them at UAF'. There are frequent phishing attempts directed at us through university email addresses. While it is unclear what the end goal for these attacks are, no doubt the hope is the ability to access one or more of the university's secure systems. Due to my academic and professional background in accounting the use of SCP as a tool is commonplace for me. I have attended numerous lectures on fraud in the workplace, both directed at educational institutions and not, and one of the overarching themes is that of opportunity. Criminals and Non-criminals alike are all influenced by factors related to opportunity and circumstance when looking at committing a crime, personal ethics notwithstanding. The compromising of any institution's informational security can be greatly mitigated through appropriate application of the sixteen application techniques by Clark and Homel outlined in the Curtailing cyber and information security vulnerabilities through situational crime prevention article by Hinduja and Kooi. There is nothing that can be done to eliminate these crimes with certainty, the cyber terrorist group Anonymous has proved this in recent years. If you remove or eliminate the opportunity, or make the reward not worth the risk you will lower the occurrence of compromise. While the Confidentiality, Integrity, and Availability (CIA) triad explained in the Andress chapter is a valuable tool in discussing security issues, personally I think that the expansion of the Parkerian Hexad to include Possession, Authenticity, and Utility is incredibly useful.
As in their example of a tape shipment, if some of the tapes have encrypted information and some do not (or none at all), the encrypted tapes have no use, or utility, for the interceptors. Utility may be an awkward concept for some, but it can be explained through the veil of economic theory or even Merriam-Webster: "the quality or state of being useful." Not all controls are appropriate for all situations, but through evaluation and application, we can all work toward better information security. For a physical control example, there is no need to have round-the-clock live and video surveillance for all employees at all businesses. That is not to say that information is never valuable enough, or the cost never justifiable, for some situations. A simple logical control covered in the Andress chapter that everyone can use to heighten their informational security, professionally and personally, is to have a complex password that is changed frequently and not shared. In my professional experience, most places have fairly rigid administrative controls in place, especially so for my current position, as there are the administrative controls through UAF, plus the branches at UAF-CTC, UAS-CMT, UAA-PWSC, and the federal government. In closing, in the event that it was not clear in my discussion, I am a firm advocate of SCP and think that we can all benefit from its application. As Professor Gilbreath states in the video, Information Security is a specialization; I have a friend who has his Ph.D. in Criminal Justice with a specialization in Cyber Crime and Cyber Forensics. After reading the materials for this module, I think I will reach out to him and discuss some of the concepts directly.
References
I work at an institute of higher education; the University of Alaska Fairbanks is not only a large geographical location, but also a relatively remote one compared to other employers I have experienced. I work in Duckering, also known as the Engineering Building. It never hurts to be prepared and to take your own steps to staying prepared. The managerial position I hold is only over a small number of individuals due to the nature of the project; however, the building has its own emergency manager, and many of the steps advised in the literature and videos for this module are already in place. Some crises and emergencies that we as a campus, as well as professionals in an older building, need to be aware of are: earthquakes, fires, air quality, water quality, loss of power and/or heat, active shooters (could be a disgruntled employee, student, or member of the public), financial security, and cyber attacks. I think Blythe's Foreseeable Risk Analysis Grid can be a very helpful tool in its simplicity. In Blythe's chapter on Analyzing Your Vulnerabilities, a key paragraph is 'How Societal Change Has Generated Risk', and in it the cultural shift is discussed, and also that "The overwhelming majority of high-fatality disasters in all history have happened in the past twenty years." (Blythe, 136). I don't know exactly when this was published or the supporting statistical details, but I do know that the violence I have seen in my past twenty years is great. It seems like I am constantly hearing of another school shooting. I lived in Colorado when Columbine happened; while I know it was not the first, it certainly made an impact on me, and I frequently think of it and other school violence in conjunction with my current career path in higher education. The last campus I worked at had multiple active shootings and robberies in the last year of my employment there. A friend of mine works at UC Merced, where the stabbing happened last fall.
It is my opinion that these incidents belong in the high probability, high severity box on Blythe's Foreseeable Risk Analysis Grid. The water conditions at my office are not very good; you will not suffer immediate death from drinking the water, but we receive a quarterly email explaining to us that the water is not healthy and a warning that pregnant women should exercise caution in its consumption. While the email in itself is a protective measure from blame, more could be done to clear up the water. I would place this in the high probability, low severity box on the Foreseeable Risk Analysis Grid. One risk of major concern is that of nature. We live and work in the frozen north of the world. Earthquakes are frequent; while they have not been severe in recent history, there is no sure way to determine that a severe earthquake is not going to happen within the next spin around the sun. New Orleans was not adequately prepared prior to Hurricane Katrina because they do not get barraged the way Florida does. A less catastrophic example was the Atlanta snowstorm of January 2014. A few inches of snow brought the city to a complete standstill, all because they were not prepared logistically for this kind of situation. My office down in Savannah was shut down because our financial and computer systems were run remotely through the University System's office in Athens. The FEMA booklet Ready Business has some very sound advice to prepare for such a situation as we may encounter here in Alaska and at UAF. Every office and individual should have its own emergency preparedness kit. If there is a fire, there are multiple staircases for evacuation procedures. A major issue would be our cold winter weather; if anything, including an earthquake, knocked the heat source out, hypothermia would be a very real concern. The first summer I lived in Fairbanks, the forest fires around the state seriously affected the air supply; people were walking around wearing face masks.
I could taste the smoke inside my office. I would place the category of nature risks somewhere in the shaded blocks of medium probability, high probability, medium severity, high severity on the Foreseeable Risk Analysis Grid. In recent months university email accounts have received multiple phishing attacks, and it is a real concern. Anytime you have a company that depends highly on digital resources yet employs individuals who are not always cynical enough to realize that the emails from wealthy royalty in developing nations are not actually from long-lost relatives, you risk your security. Unfortunately, these attempts are not even that obvious most of the time; this week it was a phishing email about workplace election policies. It was forwarded out by the academic manager for the college, encouraging us to click the link and follow instructions. Shortly after, a retraction email came because it was indeed a phishing attempt. These are real concerns in real workplaces. I would place this actually attaining a crisis point in the low probability, medium severity box on the Foreseeable Risk Analysis Grid. Financial risk is one that many are familiar with, especially those who are currently working within the University of Alaska System and continue to receive email updates and attend meetings regarding the current budget crisis in Alaska. Many jobs are at risk, we have a building that construction cannot be completed on for lack of funding, and moneys that are available are diminishing. The public sees things like this and support declines. Fewer professors mean fewer classes, fewer classes equal fewer students, fewer students mean less tuition income. These are tangible problems being faced. The current approach is to continue tightening the belt and raising tuition costs. I would place this in the high probability (because it is happening), medium severity box on the Foreseeable Risk Analysis Grid.
To my knowledge, all five items on the MSNBC video are being followed by our building's emergency manager. Maybe I will send a copy of it to him and see what he says. Much of the advice in the San Diego Gas & Electric video is also being followed, but not all; I mentioned previously that not everyone has an emergency kit. While there are frequent sessions for self-defense and safe workspace training, I have not seen one for something like CPR since I came to UAF in Spring of 2015. I think overall the University does a good job of emergency preparedness and threat assessment, but I think that there is always room for improvement. Safety First!
References
Hello!!
My name is Danielle. I grew up in the mountains of Colorado and on the beaches of South Florida. I've moved around a bit in the past eleven years because my husband is in the military. We now live in North Pole, AK. We have a very precocious eight-year-old boy and a black cat. I was lucky to have the best of both worlds growing up: the quiet mountain life and the bustling city life. We like to travel, and we are usually traveling in relation to our incredibly fun, fairly unusual hobby of medieval reenactment. I am the project manager for an $8.1M grant that UAF received through MIRL (Mineral Industry Research Laboratory). The grant is through US DOL and is under the TAACCCT headline. Preparing the Unemployed for the Mining Sector has been a really interesting career choice so far. This is a consortium grant spreading over all three UA institutions. We have renovated learning spaces, enhanced some curriculum, created new programs, and are developing a unique dynamic mill simulator. We finished year two last month and have a year and a half left for program activities. You can find out more about the project if you are interested at ine.uaf.edu/mirl/taaccct. I also volunteer for a local chapter of a non-profit as a treasurer and webmaster. I graduated in 2013 with my BBA in Accounting from Savannah State University; I then worked in the Comptroller's office for over a year before we moved to Alaska. I was a non-traditional student who had already been in the professional workforce before that, so I wanted to take advantage of the tuition waiver offered to UAF employees and earn my MBA during my time here. I want to add the initials CPA after my name, and this is a necessity to get there. After my grant ends, who knows what will be next; I may stay in Higher Education, or I may move on. No matter where I go, I am certain that an MBA will be an asset.
I registered for this course not knowing the subject, but I enjoy learning new and interesting things. Hopefully, what I learn over the next weeks will be beneficial in my immediate application on my project and also in any future endeavors. Thank you for your time!