Osac-ia Workshop Notes

EVENT NOTES: INTRODUCTORY SECURITY MANAGEMENT WORKSHOP OCTOBER 3, 2008 TABLE OF CONTENTS: Security Policy Statement Exercise ……………. Page 2 Gallery Walk Results: Components of Security Management ……………. Page 4 Security Management Best Practices, Lessons Learned and Resources ……………. Page 8 Appendix A: Appendix B:

Workshop agenda Facilitator contact information

1

Security Policy Statement Exercise Team Alpha The Alpha organization is committed to the safety and security of our staff worldwide by mitigating risk, through our security framework policy and procedures that provide staff safety and security training that emphasizes both individual and organizational responsibility which in turn will foster the success of the organization’s mission.

Team Bravo Bravo is committed to the safety and security of our workers around the world. We all must recognize that risk is inherent in the work we undertake, and that all of us must accept individual responsibility for our own security. Individual responsibility includes abiding by company travel and security policies. Bravo will endeavor to maintain appropriate security policies and systems in place, in support of the efforts of the individual. Together we can reduce/mitigate security risks and support Bravo’s vital mission around the world.

Team Charlie Charlie’s Kids in carrying out its mission of XXXXX is committed to the safety and security of staff and volunteers as they carry out our work worldwide. Recognizing the risks in the locations where we work and travel, Charlie’s Kids will provide the resources to support our staff as we jointly mitigate the risks inherent in our work.

Team Delta Delta Inc. operates in complex and insecure environments to provide humanitarian aid. We are committed to building a partnership with our staff to enhance their safety and well-being and mitigate risk. It is the responsibility of each individual to understand and comply with Delta Inc.’s security policies and procedures for the individual’s safety and that of the organization as a whole.

2

Team Echo Echo staff face many risks working in challenging and difficult locations around the world. We recognize that safety and security is the responsibility of all staff – at both the individual and organizational levels. As individuals and as an employer we must strive at all times to mitigate and manage these risks so that none of our staff are exposed to unacceptable levels of risk, and to take all reasonable steps including training and clear policies and procedures.

Team Foxtrot Foxtrot International is committed to the safety and security of all employees. We acknowledge that there is risk inherent in our business and business locations. Security is a collaborative effort between employees and Foxtrot International. Foxtrot International is responsible for providing the resources and tools for the ongoing monitoring of security situations, crisis response and mitigation. Staff are empowered to develop relationships with the local communities as part of our risk mitigation plan. Staff are also expected to actively utilize the security resources and tools provided by Foxtrot International.

3

Gallery Walk Results: Components of Security Management 1. Information Gathering, Analysis and Dissemination Team Delta Issue #1: Crisis Management Team Statement: Identify Components of the Crisis Management Team including personnel; information; operations; logistics; internal communications; public affairs Strategy: Staff training for roles Æ establish chain of command and alternate Æ create a communications and public affairs plan Æ access to financial materials and other resources Æ access to all vendor information Æ access to security information and sources Æ drills Issue #2: Crisis Briefings Statement: Address information in the pre incident/crisis phase, the crisis phase and post-crisis phase. This is includes risk assessments; pre-travel briefings; pre travel medical information resources; access to specific country security information; emergency evacuation insurance; compile voluntary personal data (while complying with HIPAA). Strategy: Identify/orient security staff Æ develop a check list of briefing topics Æ staff compliance verification process Æ regular security protocol orientation/training for staff Æ regular updates to all related materials Æ review insurance policies provide awareness of benefits to staff. 2. Personnel & Training Team Echo (STRAP) Staff Training Responsibility Accountability Policies and Procedures Issue #1: Personnel Statement: ECHO will implement hiring policies and personnel procedures to prepare staff to cope with the security issues at their posts of assignment, support them during service, and address post assignment issues and will incorporate accountability for security into their management systems at the field and HQ levels. Strategy: identify what policies need to be writtenÆwrite and distribute these policiesÆincorporate feedback into creation of policiesÆhave staff sign on to policiesÆHR staff will be trained in implementing policiesÆpolicies will undergo review routinely to ensure they stay currentÆaudits will be conducted to ensure policies are being adhered toÆ(incorporate) implement a security accountability assessment in annual employee reviews. 4

Issue #2: Training Statement: ECHO will have policies addressing the key security issues and formal plans at the field and HQ levels and will provide training resources to meet these standards. Strategy: determine training needsÆ prioritize trainingÆ determine financial resources needed Æ coordinate training Æ track participation Æ follow up/monitor and evaluate updates and reviews as needed Æ implement training ‘refresher’ requirements.

3. Facilities Team Foxtrot Issue #1: Business Continuity Statement: Following a disruption, Foxtrot seeks to have essential operations up and running with 48 hours, if possible. Strategy: I. Mitigation stage Æ have a crisis management team (CMT) in place and identify essential staff; have up to date evacuation plans and phone trees; maintain backup data on an offsite and accessible server; have normal operating location stocked with food, water, first aid kits; have an alternate location ready and stocked. II. Crisis event stage Æ activate CMT; access public services as appropriate; access information resources. III. Recovery stage Æ CMT evaluates damage; activate phone tree; essential staff go to alternate location; inform all staff of next steps; access data/information services. Issue #2: Access Control Statement: Foxtrot will mitigate risk by controlling access to facilities, personnel and information. Strategy: I. Facility access (at minimum) Æ controlled entrances and exits; exterior lighting; above standard door locks; controlled landscaping (e.g. prevent tree growth over building) and a location with set-back. II. Personnel and visitor access (at minimum) Æ sign in with an ID check upon entry to the facility; an enforcement policy will be devised for compliance. III. Information access (at minimum) Æ login and passwords for every work station; data will be secured offsite; critical files will be protected (for those with a ‘need to know’ only). 4. Communication Systems Team Alpha Issue #1: Communications plan

5

Objective and Strategy: Utilize fully redundant communication methods and equipment. Issue # 2: Warden system Objective and Strategy: Implement a rehearsed warden system. A warden system is a pyramidal contact system that provides a reliable way to reach employees in the event of an emergency, disaster or threat. 5. Travel and Transportation Team Bravo Mission Statement: Bravo will have pre-departure and in-country policies in place to mitigate security risks associated with travel. We will follow a collaborative process to develop corporate and in-country policies, which will include reviewing current field practices, and accessing resources such as the Overseas Security Advisory Council for best practice information. Our policies will be reviewed and updated on a regular basis. Issue #1: Pre-departure o Visa o Immunization o Embassy registration o Med evac and health insurance cards o Emergency contacts o Liability waivers, if appropriate o Submission of flight itinerary (and journey plan if applicable) o Paper copy of hotel and important arrival information (including airport pick-up) o Filing of digital image of passport o Updated emergency contact and dissemination info with HR o Informed of information resources related to destination o Travel policies and procedures supplied to employee, including security training materials/session if applicable [Care Intl has a safety and security handbook available online]. Inclusive of seat belt policy o Pre-departure review and sign-off with HR Issue #2: In-country o “Journey plan” submission o Daylight travel policy o Armed guard/armor policy o Emergency supplies in boats/vehicles policy o Driver & vehicle policy ƒ Driver advanced training ƒ Acceptable travel means o In-country approved carriers (via Embassy/OSAC) 6. Other Team Charlie 6

Issue #1: Insurance Objective: To adequately protect staff and organization by transferring risk. Strategy: identify risks Æ identify available products, vendorsÆ gain consent from managementÆ assess organization’s tolerance for riskÆ get bids and proposalsÆ present proposal to key decision-makersÆ get approval. Implementation: Work with a broker to implement insurance (write policies, make necessary decisions)Æ work with staff to develop organizational proceduresÆ annual review of policies. Issue #2: Emergency evacuation plan/relocation Objective: When possible, remove staff from imminent danger. Strategy and Implementation: identify target population (i.e., expat, local nationals, TCNs)Æ identify resourcesÆ identify trigger for evacuation/relocationÆ is evacuation mandatory?Æ who decides on evacuation (crisis management team, CEO, etc)?Æ identify options for staff by population typeÆchoose vendorsÆ plan out resources (e.g. safe house)Æ roll out plan to staffÆ trainingÆ drills.

7

Security Management Best Practices, Lessons Learned & Resources What are some of the best practices for developing a security management plan? • • • • • • •

Leadership buy-in and support are keys to success. Assess risks & vulnerabilities for your organization. Communicate the sense of urgency in developing and implementing security policies and procedures. Conduct due diligence and be aware of your organization’s liability. Prioritize security management implementation—address critical events first. The security in three acts exercise is a useful brainstorming tool. Conduct analysis of your organization’s security incidents and city/country/regional security environments. Utilize outside analysis resources such as OSAC. Stay informed on current research and studies. Be cognizant of organizational envy.

What are some potential obstacles? What are potential solutions and resources? • •

•

•

• •

Obstacle: Knowing funding availability and limitations are crucial for implementation. What is your budget? Potential solutions and resources: o Organizations are encouraged to adopt the Minimum Operating Security Standards (MOSS) in USAID/OFDA grant guidelines. o What donors might have money available for security? o Some organizations use a one percent security line item in all proposals. o Outside resources include: OSAC (it is free!), most insurance providers offer professional support and some insurance providers offer discounts off of premium costs if an organization has security policies in place. Obstacle: Be aware of varying levels of interest, unenthusiastic attitudes or other concerns, especially among staff and management. How can you address those concerns and achieve buy-in? It can be challenging to enforce policies, especially if your organization operates in a decentralized system. What are some ways policies can work within the organization’s ethics, mission and cultures? Potential solutions and resources: o One option is to adopt a reward and sanction policy. o If your management has bought-in to the policies and expresses the importance of the policies to all staff, then compliance is more likely throughout the organization. o In addition to top down accountability, also utilize adult learning and behavioral change strategies. o The financial system is an excellent model for compliance (example: travel tracking). o It is helpful to frame security policies and procedures in an enabling manner, versus rules that limit programs etc. Obstacle: Implementing a security management system takes a significant amount of time. Who and what can help you? Potential solutions and resources: 8

o There is no need to re-invent the wheel, there are many templates available (and are included on the resource website for the workshop). Further, several organizations are willing to share their versions of emergency plans etc. as long as the organization is credited appropriately. o Organizations have access to many open resources. Some of them are hyperlinked below: OSAC www.osac.gov InterAction www.interaction.org Safer Access www.saferaccess.org ReliefWeb www.reliefweb.int IRIN www.irinnews.org

9

Appendix A: Agenda

October 3, 2008 Introductory Security Management Workshop for Humanitarian & Faith-based Organizations held at Save the Children in Washington D.C. Agenda: 8:30am- 9am

Arrival and Registration at Save the Children Breakfast sponsored by Clements International

9am -9:30am

Introductions and Overview of the Day • Josh Kearns, InterAction & Lauren D’Amore, OSAC

9:30am - 10:30am

Exercise: Security Management in Three Acts • Facilitator: Mike O’Neill, Save the Children

10:30-11

Exercise: Developing Security Policy Statements • Facilitator: Mike O’Neill, Save the Children

11-Noon

Exercise: Gallery Walk • Facilitator: Tina Wesbrock, IRD

Noon-1pm

Lunch sponsored by Clements International

1pm- 2:30pm

Exercise: Gallery Walk Assumptions & Implementation • Facilitator: Josh Kearns, InterAction

2:30pm- 3pm

Group Reports on Gallery Walk

3pm-3:15pm

Break

3:15pm – 4pm

Security Management Best Practices • Facilitator: Terry Wesbrock, IRD

4:15pm – 4:45pm

Overview of Resources Available to Organizations • Josh Kearns, InterAction; Lauren D’Amore, OSAC & Yan Bui, Clements International

4:45pm – 5pm

What are the Next Steps? • Facilitator: Mike O’Neill, Save the Children 10

Appendix B: Facilitator Contact Information

Yan Bui Account Executive Clements International [email protected] Lauren D’Amore Regional Coordinator OSAC D’[email protected] Josh Kearns Associate Security Coordinator InterAction [email protected] Michael O’Neill Senior Director of Security Save the Children [email protected] John Schafer Senior Security Coordinator InterAction [email protected] Terry Wesbrock Security Director IRD [email protected] Tina Wesbrock Security Director IRD [email protected]

11