Protecting the Education Infrastructure

As reported in the Emergency Management and Response Information Sharing and Analysis Center (EMR-ISAC) INFOGRAM 37-08, September 25, 2008: "Much effort has been expended to protect the nation’s critical infrastructures, including those of the Emergency Services Sector (ESS). However, Department of Education officials concede that educational institutions are not specifically identified as among America’s critical infrastructure sectors or key resources, which potentially makes soft targets of schools, colleges, and universities. Experts say learning facilities are vulnerable to terrorism, because of the high consequence of an attack against children. The Emergency Management and Response—Information Sharing and Analysis Center (EMR-ISAC) gleaned from various case studies that the threat to schools may not be detected or prevented by physical security measures alone. Therefore, the EMR-ISAC suggests that ESS leaders can offer encouragement and assistance to educational centers as they conduct emergency planning and develop crisis action plans. For example, it is important that a school’s emergency plans are effectively integrated with the emergency response plans of the community in which the teaching establishment resides. Case studies further indicate that municipal authorities and their ESS leaders consider the following activities to improve the overall security of the local education infrastructure:

• Deliver “all-hazards” awareness training for school administrators, staff, and students.
• Train school administrators and staff regarding emergency actions.
• Review and validate all school emergency response, crisis management, and communications plans.
• Conduct drills and exercises to test and refine emergency response and crisis management plans.
• Provide primary and secondary interoperable communications systems for each school.
• Implement and test plans to maintain reliable contact with schools and school buses.
• Arrange for a “closed-campus” environment with a single point of access for all personnel.
• Increase police presence on school grounds by ensuring frequent visits as part of patrol routes.

There are national standards, including NFPA 1600, that address the essential elements of emergency management program. In addition, a new school preparedness standard is being developed in conjunction with the U.S. Department of Education. I am principal author of that new standard, and I will provide updated information on the standard when it can be released to the public.

If you are interesting in learning more about school emergency preparedness, check out the resource links at http://www.preparednessllc.com/resources/resources.html.

October is National Cyber Security Awareness Month

For the fifth year, the U.S. Department of Homeland Security’s National Cyber Security Division (NCSD) is spearheading National Cyber Security Awareness Month, a comprehensive outreach campaign to empower all Americans and businesses to take steps to secure their part of cyberspace. During the month of October, events will take place across the country to raise awareness of the growing need to protect the Nation’s critical infrastructures and key resources from cyber threats and vulnerabilities.The NCSD is partnering with the National Cyber Security Alliance and the Multi-State Information Sharing and Analysis Center, along with other government agencies and the private sector. The month's activities include press and media events, educational workshops, state cyber exercises, and lectures hosted by public and private partners, proclamations by state governors, and other stakeholder outreach activities. Here are 10 actions you can take to improve cyber security in your organization:

1. Use strong passwords at work and at home. Update your password frequently and encourage others to do the same.
2. Make sure that your anti-virus software and firewalls are up-to-date. New threats are discovered everyday and keeping your software and firewalls updated is one of the easiest ways to protect yourself from an attack. Set your computer to automatically update for you.
3. Hold an event at your facility designed to increase cyber security education and awareness. Download EDUCAUSE’s cyber resource kit online at http://www.educause.edu/7479.
4. Reach out to people that you know – your children, co-workers, friends – about good online safety and security habits, including protecting their personal information and their reputation. For more information and tips go to http://www.staysafeonline.org/ and http://www.us-cert.gov/.
5. Print cyber security posters from http://www.onguardonline.gov%20/ and post them in workrooms, hallways, bathrooms and other employee gathering places. Print and post cyber security tips near your computer at home and at work. Review them with your colleagues, employees and family members.
6. Create a separate section for cyber security tips on your organization’s web site. Download online buttons and banners about phishing, identity theft, file-sharing, and other cyber security topics at http://www.msisac.org/ or http://www.onguardonline.gov/ and place on your organization’s home page.
7. Use regular communications – newsletters, email alerts, websites, etc. – as an opportunity to promote your commitment to cyber security. Some newsletter topics to consider include: updating software processes; protecting personal identifiable information; and securing your wireless network.
8. Subscribe to the National Cyber Alert System from the US Computer Emergency Readiness Team at http://www.blogger.com/www.us-cert.gov. Through the Alert System, you can receive timely information about current cyber security problems to protect home and office computers. This information includes weekly bulletins with summaries of new vulnerabilities, patch information when available, and tips on common security topics, such as privacy, email spam, and wireless protection.
9. Back up important files. If you have important files stored on your computer, back them up to removal media, to a server, and best yet to an online backup service. Secure your backup media to prevent unauthorized access and store the media in a location where it will not be damaged from a hazard that affects your computer (what if your place of business was destroyed by fire?)
10. Ask IT security specialists at your workplace to report any potential cyber incident, threat, or attack to the United States Computer Emergency Readiness Team (USCERT) at 1-888-282-0870 or US-CERT.gov.

These links along with dozens of others that related to risk assessment, hazard prevention, risk mitigation, emergency response, and business contininuity have been added to the growing "Resources" page of the Preparedness, LLC website.

Parents May Not Heed Evacuation Orders

An interesting survey was published by the National Center for Disaster Preparedness at Columbia University's Mailman School of Public Health. The 2008 American Preparedness Project: Why Parents May Not Heed Evacuation Orders & What Emergency Planners, Families and Schools Need to Know

"2008 survey data illustrate that in the event of an order to evacuate parents say they are overwhelmingly likely to disregard existing community emergency plans and instead attempt to pick up their children directly from school or day care instead of evacuating separately. Were this to occur in the immediate aftermath of a sudden disaster, chaos would ensue and public safety would be jeopardized."

The studies authors made several important recommendations for schools:

• All schools should have "well thought out" emergency plans coordinated with local emergency officials.
• Parents need to be aware of school emergency plans and what they should do.

I have worked with numerous school systems over the past 10 years, and here are some specific recommendations:

• Schools should conduct a detailed risk assessment to identify hazards that could injure students, teachers, staff, and others as well as damage property or interrupt school activities. The risk assessment should lead to the develop of strategies to prevent hazards or mitigate hazards that can't be prevented. The strategy should be endorsed by the superintendent, school committee, and others who need to provide funding.
• Schools should have plans at the Superintendent or district level to manage the overall incident including communications with the community.
• Schools should have organized emergency response teams and procedures to respond effectively to the different types of emergencies that may occur. Types of emergencies include the ones we all think of (e.g., fire, medical, act of violence, etc.) Plans should also address regional or community-wide emergencies (e.g., earthquake, act of terrorism, etc.) that are not as probable, but would put the school in the position of having to fend for itself for the initial minutes or hours.
• Plans must include detailed procedures for evacuation, shelter-in-place, lockdown, and student/family reunification. These plans must be coordinated with public agencies including fire, law enforcement, and emergency medical services.
• All members of school emergency response teams must be trained so they understand and can fulfill their responsibilities as defined in the plan.
• Drills (evacuation, shelter-in-place, and lockdown) and exercises (tabletop, functional, and full-scale) should be conducted to familiarize everyone with emergency procedures and identify any gaps in plans, procedures, resources, or the capability of those who have to carry out the plans.
• Every teacher should be trained in basic emergency procedures and every classroom should be equipped with a concise list of emergency procedures.
• Parents need to be informed through outreach by administrators, PTO, websites, flyers sent home, and by their own sons and daughters who actively get them involved.

A national standard on school emergency preparedness is being written under the auspices of ASTM International, one of the national standards developers. I am one of the members of the committee writing the standard and we expect to present our preliminary draft to the U.S. Department of Education in November.

If you would like more information on Preparedness, LLC's services to public schools, click here.

If you would like to see an example of a school emergency preparedness website, click here.

References & Resources: Links to Helpful Information

I recently updated the "Resources" within the Preparedness, LLC website. It includes more than five printable pages of references and resources for risk assessment, prevention and mitigation, emergency planning, business continuity, training, and more. There are links for laws and regulations, codes and standards, government agencies, nonprofit/professional organizations, and more. There are also many links to excellent, peer reviewed technical documents that open in HTML or PDF format from their hosted websites. It will always be a work in progress, but I will do my best to keep it updated. If you have suggestions for additons to the page, please let me know.

Copycat White Powder Mailings

From the Emergency Management and Response Information Sharing and Analysis Center, INFOGRAM 35-08 September 11, 2008:

“Various State Fusion Centers and news sources recently reported about the rash of copy cat mailings throughout the nation containing white powder. The letters and packages have been sent to well known political figures and local government offices as well as to the homes and work sites of individuals not involved in public life. Upon reviewing these reports, the Emergency EMR-ISAC learned that to date none of the mailings were determined to be dangerous by responding hazardous materials teams."

Do you remember what happened in October 2001 when Senator Daschle, Tom Brokaw, an innocent grandmother in Fairfield County Connecticut, and others received anthrax laden mail? Thankfully these cases have been hoaxes, but are you prepared if someone reports receiving a suspicious envelope or package. CDC and GSA have some good information to help with planning. The guidance needs to be integrated into an emergency management program that includes people organized and trained to respond.

7th Anniversary of September 11, Remembering Lars, Harry, Sal, and so many others

Today is September 11, 2008. It’s been seven years since that fateful day.

On September 11, 2001 I lost many good friends and colleagues. We all lost many fine citizens who just went to work that day. We also lost many of New York’s Bravest (FDNY), New York’s Finest (NYPD and PAPD), soldiers in the Pentagon, and those on the doomed aircraft. It’s a day none of us will ever forget.

On September 10, 2001 I was in Midtown Manhattan speaking at a seminar on emergency response and business continuity. The seminar was to be held in the World Trade Center on September 11, but it had to be moved to the Harvard Club and rescheduled because of the number of people who registered. Thank you to all who registered.

On the morning of September 11, 2001, I was speaking on the same subject, but this time it was in Boston’s Back Bay—at the Bull & Finch Pub of Cheers fame. Around 8:46 AM, I was asking the audience to picture themselves on the upper floor of a high rise building when the fire alarm sounds and they see smoke in the corridor. That was the situation faced by one of my clients when a multiple alarm fire in the Prudential Center ignited below them. That was back in January 1986. My client and everyone else in the Prudential Center evacuated safely—due to the heroic efforts of the Boston Fire Department—there were no automatic fire sprinklers at that time [there are now.]

On September 11, 2001 my friends, colleagues, and many fine Americans were not able evacuate safely. Their evacuation paths were cutoff…

I still see their faces when I pass people on the street. I can picture their faces in my mind and hear their voices in my head. I miss you guys—Lars, Harry, Sal, and too many others.

In the aftermath of 9/11, I had the opportunity to meet with staff of the 9/11 Commission—on the eve of the second anniversary of the attacks. I got to look at Ground Zero and remember everyone who was lost. In our discussion with the 9/11 Commission staff, we talked about preparedness. Emily Walker, the lead staffer from the Commission, relayed her painful discussions with family members of those who were lost that fateful day. She knew something more needed to be done. To condense months into a sentence, the 9/11 Commission embraced a recommendation for enhancing private sector preparedness. That recommendation has been echoed in multiple Federal laws and most recently in Title IX of Public Law 110-53. Let’s be better prepared. We owe it to Lars, Harry, Sal, and so many others.

Work Begins on European Disaster Preparedness Standard

The list of disaster preparedness standards is growing longer:

"The Brussels Management Centre of CEN, the European Committee for Standardization, is the site of two meetings today that will lead to creation of a new standard for protecting the populace against natural disasters and terrorist acts. CEN, which develops voluntary standards, was asked by the European Community to address this issue, and it formed CEN BT/WG 161, "Protection and Security of the Citizen," to accomplish the task."

In the United States we have NFPA 1600, and in Canada Z1600 (the Canadian standard based on NFPA 1600). ISO published ISO PAS (Publicly Available Specification) 22399 "Societal Security" late last year, and now this new project originates in Europe.

September is National Preparedness Month

September is National Preparedness Month, and I provide some information from the Ready Business Fact Sheet. A national survey of businesses with 2-999 employees conducted by The Ad Council in December 2007 found:

• 38 percent said their company has an emergency plan in place in the event of a disaster
• 59 percent assessed their own business as “very” or “somewhat” prepared in the event of a disaster
• 55 percent of businesses surveyed said that they had taken either significant or small steps to improve emergency preparedness in the past year
• The surveyed businesses said that the most important threats for them to address are fires followed by cyber attacks and then hurricanes, winter storms, tornadoes and terrorist attacks.

It's good to see that work is being done even in these days of a challenging economy, but every workplace needs to have a basic emergency plan in place. The Occupational Safety and Health Administration (OSHA) requires emergency action plans for companies with 10 or more employees. Fire and life safety codes also require emergency plans.

It's good to see that businesses are focusing on natural hazards. With tropical storm Fay, Hurricane Gustav, and possibly Hurricane Ike, the dangers of tropical cyclones are clearly evident. With the 7th anniversary of 9/11 approaching, it's good to see that people haven't forgotten that terrorism is still a threat. The reality is, however, that there are dozens and dozens of hazards that can impact businesses today. We'll take a look at hazards—natural, human-caused, and technological—and risk assessment in the coming days and week.