EVENT NOTES: INTRODUCTORY SECURITY MANAGEMENT WORKSHOP

OCTOBER 3, 2008

TABLE OF CONTENTS:

Security Policy Statement Exercise

……………. Page 2

Gallery Walk Results: Components of Security Management

……………. Page 4

Security Management Best Practices, Lessons Learned and Resources

……………. Page 8

Appendix A: Workshop agenda

Appendix B: Facilitator contact information

1
 Security Policy Statement Exercise

Team Alpha

The Alpha organization is committed to the safety and security of our staff
worldwide by mitigating risk, through our security framework policy and
procedures that provide staff safety and security training that emphasizes both
individual and organizational responsibility which in turn will foster the success of
the organization’s mission.

Team Bravo

Bravo is committed to the safety and security of our workers around the world. We
all must recognize that risk is inherent in the work we undertake, and that all of us
must accept individual responsibility for our own security. Individual responsibility
includes abiding by company travel and security policies. Bravo will endeavor to
maintain appropriate security policies and systems in place, in support of the efforts
of the individual. Together we can reduce/mitigate security risks and support
Bravo’s vital mission around the world.

Team Charlie

Charlie’s Kids in carrying out its mission of XXXXX is committed to the safety and
security of staff and volunteers as they carry out our work worldwide. Recognizing
the risks in the locations where we work and travel, Charlie’s Kids will provide the
resources to support our staff as we jointly mitigate the risks inherent in our work.

Team Delta

Delta Inc. operates in complex and insecure environments to provide humanitarian

aid. We are committed to building a partnership with our staff to enhance their
safety and well-being and mitigate risk. It is the responsibility of each individual to
understand and comply with Delta Inc.’s security policies and procedures for the
individual’s safety and that of the organization as a whole.

2
Team Echo

Echo staff face many risks working in challenging and difficult locations around the
world. We recognize that safety and security is the responsibility of all staff – at both
the individual and organizational levels. As individuals and as an employer we must
strive at all times to mitigate and manage these risks so that none of our staff are
exposed to unacceptable levels of risk, and to take all reasonable steps including
training and clear policies and procedures.

Team Foxtrot

Foxtrot International is committed to the safety and security of all employees. We

acknowledge that there is risk inherent in our business and business locations.
Security is a collaborative effort between employees and Foxtrot International.
Foxtrot International is responsible for providing the resources and tools for the
ongoing monitoring of security situations, crisis response and mitigation. Staff are
empowered to develop relationships with the local communities as part of our risk
mitigation plan. Staff are also expected to actively utilize the security resources and
tools provided by Foxtrot International.

3
 Gallery Walk Results: Components of Security Management

1. Information Gathering, Analysis and Dissemination

Team Delta

Issue #1: Crisis Management Team

Statement: Identify Components of the Crisis Management Team including

personnel; information; operations; logistics; internal communications; public affairs

Strategy: Staff training for roles Æ establish chain of command and alternate Æ
create a communications and public affairs plan Æ access to financial materials and
other resources Æ access to all vendor information Æ access to security information
and sources Æ drills

Issue #2: Crisis Briefings

Statement: Address information in the pre incident/crisis phase, the crisis phase and
post-crisis phase. This is includes risk assessments; pre-travel briefings; pre travel
medical information resources; access to specific country security information;
emergency evacuation insurance; compile voluntary personal data (while complying
with HIPAA).

Strategy: Identify/orient security staff Æ develop a check list of briefing topics Æ

staff compliance verification process Æ regular security protocol orientation/training
for staff Æ regular updates to all related materials Æ review insurance policies
provide awareness of benefits to staff.

2. Personnel & Training

Team Echo

(STRAP) Staff Training Responsibility Accountability Policies and Procedures

Issue #1: Personnel

Statement: ECHO will implement hiring policies and personnel procedures to

prepare staff to cope with the security issues at their posts of assignment, support
them during service, and address post assignment issues and will incorporate
accountability for security into their management systems at the field and HQ levels.

Strategy: identify what policies need to be writtenÆwrite and distribute these

policiesÆincorporate feedback into creation of policiesÆhave staff sign on to
policiesÆHR staff will be trained in implementing policiesÆpolicies will undergo
review routinely to ensure they stay currentÆaudits will be conducted to ensure
policies are being adhered toÆ(incorporate) implement a security accountability
assessment in annual employee reviews.

4
Issue #2: Training

Statement: ECHO will have policies addressing the key security issues and formal
plans at the field and HQ levels and will provide training resources to meet these
standards.

Strategy: determine training needsÆ prioritize trainingÆ determine financial

resources needed Æ coordinate training Æ track participation Æ follow up/monitor
and evaluate updates and reviews as needed Æ implement training ‘refresher’
requirements.

3. Facilities

Team Foxtrot

Issue #1: Business Continuity

Statement: Following a disruption, Foxtrot seeks to have essential operations up and

running with 48 hours, if possible.

Strategy: I. Mitigation stage Æ have a crisis management team (CMT) in place and
identify essential staff; have up to date evacuation plans and phone trees; maintain
backup data on an offsite and accessible server; have normal operating location
stocked with food, water, first aid kits; have an alternate location ready and stocked.
II. Crisis event stage Æ activate CMT; access public services as appropriate; access
information resources.
III. Recovery stage Æ CMT evaluates damage; activate phone tree; essential staff go
to alternate location; inform all staff of next steps; access data/information services.

Issue #2: Access Control

Statement: Foxtrot will mitigate risk by controlling access to facilities, personnel and
information.

Strategy: I. Facility access (at minimum) Æ controlled entrances and exits; exterior
lighting; above standard door locks; controlled landscaping (e.g. prevent tree growth
over building) and a location with set-back.
II. Personnel and visitor access (at minimum) Æ sign in with an ID check upon entry
to the facility; an enforcement policy will be devised for compliance.
III. Information access (at minimum) Æ login and passwords for every work station;
data will be secured offsite; critical files will be protected (for those with a ‘need to
know’ only).

4. Communication Systems

Team Alpha

Issue #1: Communications plan

5
Objective and Strategy: Utilize fully redundant communication methods and
equipment.

Issue # 2: Warden system

Objective and Strategy: Implement a rehearsed warden system. A warden system is

a pyramidal contact system that provides a reliable way to reach employees in the
event of an emergency, disaster or threat.

5. Travel and Transportation

Team Bravo

Mission Statement: Bravo will have pre-departure and in-country policies in place to
mitigate security risks associated with travel. We will follow a collaborative process
to develop corporate and in-country policies, which will include reviewing current
field practices, and accessing resources such as the Overseas Security Advisory
Council for best practice information. Our policies will be reviewed and updated on
a regular basis.

Issue #1: Pre-departure

o Visa
o Immunization
o Embassy registration
o Med evac and health insurance cards
o Emergency contacts
o Liability waivers, if appropriate
o Submission of flight itinerary (and journey plan if applicable)
o Paper copy of hotel and important arrival information (including
airport pick-up)
o Filing of digital image of passport
o Updated emergency contact and dissemination info with HR
o Informed of information resources related to destination
o Travel policies and procedures supplied to employee, including
security training materials/session if applicable [Care Intl has a safety
and security handbook available online]. Inclusive of seat belt policy
o Pre-departure review and sign-off with HR

Issue #2: In-country

o “Journey plan” submission
o Daylight travel policy
o Armed guard/armor policy
o Emergency supplies in boats/vehicles policy
o Driver & vehicle policy
ƒ Driver advanced training
ƒ Acceptable travel means
o In-country approved carriers (via Embassy/OSAC)

6. Other

Team Charlie

6
Issue #1: Insurance

Objective: To adequately protect staff and organization by transferring risk.

Strategy: identify risks Æ identify available products, vendorsÆ gain consent from
managementÆ assess organization’s tolerance for riskÆ get bids and proposalsÆ
present proposal to key decision-makersÆ get approval.

Implementation: Work with a broker to implement insurance (write policies, make

necessary decisions)Æ work with staff to develop organizational proceduresÆ
annual review of policies.

Issue #2: Emergency evacuation plan/relocation

Objective: When possible, remove staff from imminent danger.

Strategy and Implementation: identify target population (i.e., expat, local nationals,
TCNs)Æ identify resourcesÆ identify trigger for evacuation/relocationÆ is
evacuation mandatory?Æ who decides on evacuation (crisis management team,
CEO, etc)?Æ identify options for staff by population typeÆchoose vendorsÆ plan
out resources (e.g. safe house)Æ roll out plan to staffÆ trainingÆ drills.

7
 Security Management Best Practices, Lessons Learned & Resources

What are some of the best practices for developing a security management plan?

• Leadership buy-in and support are keys to success.

• Assess risks & vulnerabilities for your organization.
• Communicate the sense of urgency in developing and implementing security
policies and procedures.
• Conduct due diligence and be aware of your organization’s liability.
• Prioritize security management implementation—address critical events first.
The security in three acts exercise is a useful brainstorming tool.
• Conduct analysis of your organization’s security incidents and
city/country/regional security environments. Utilize outside analysis
resources such as OSAC. Stay informed on current research and studies.
• Be cognizant of organizational envy.

What are some potential obstacles? What are potential solutions and resources?

• Obstacle: Knowing funding availability and limitations are crucial for

implementation. What is your budget?
• Potential solutions and resources:
o Organizations are encouraged to adopt the Minimum Operating Security
Standards (MOSS) in USAID/OFDA grant guidelines.
o What donors might have money available for security?
o Some organizations use a one percent security line item in all proposals.
o Outside resources include: OSAC (it is free!), most insurance providers
offer professional support and some insurance providers offer discounts off
of premium costs if an organization has security policies in place.

• Obstacle: Be aware of varying levels of interest, unenthusiastic attitudes or

other concerns, especially among staff and management. How can you address
those concerns and achieve buy-in? It can be challenging to enforce policies,
especially if your organization operates in a decentralized system. What are some
ways policies can work within the organization’s ethics, mission and cultures?
• Potential solutions and resources:
o One option is to adopt a reward and sanction policy.
o If your management has bought-in to the policies and expresses the
importance of the policies to all staff, then compliance is more likely
throughout the organization.
o In addition to top down accountability, also utilize adult learning and
behavioral change strategies.
o The financial system is an excellent model for compliance (example:
travel tracking).
o It is helpful to frame security policies and procedures in an enabling
manner, versus rules that limit programs etc.

• Obstacle: Implementing a security management system takes a significant

amount of time. Who and what can help you?
• Potential solutions and resources:
8
o There is no need to re-invent the wheel, there are many templates
available (and are included on the resource website for the workshop).
Further, several organizations are willing to share their versions of
emergency plans etc. as long as the organization is credited appropriately.
o Organizations have access to many open resources. Some of them are
hyperlinked below:

OSAC
www.osac.gov

InterAction
www.interaction.org

Safer Access
www.saferaccess.org

ReliefWeb
www.reliefweb.int

IRIN
www.irinnews.org

9
Appendix A: Agenda

October 3, 2008
Introductory Security Management Workshop
for Humanitarian & Faith-based Organizations
held at Save the Children in Washington D.C.

Agenda:

8:30am- 9am Arrival and Registration at Save the Children

Breakfast sponsored by Clements International

9am -9:30am Introductions and Overview of the Day

• Josh Kearns, InterAction & Lauren D’Amore, OSAC

9:30am - 10:30am Exercise: Security Management in Three Acts

• Facilitator: Mike O’Neill, Save the Children

10:30-11 Exercise: Developing Security Policy Statements

• Facilitator: Mike O’Neill, Save the Children

11-Noon Exercise: Gallery Walk

• Facilitator: Tina Wesbrock, IRD

Noon-1pm Lunch sponsored by Clements International

1pm- 2:30pm Exercise: Gallery Walk Assumptions & Implementation

• Facilitator: Josh Kearns, InterAction

2:30pm- 3pm Group Reports on Gallery Walk

3pm-3:15pm Break

3:15pm – 4pm Security Management Best Practices

• Facilitator: Terry Wesbrock, IRD

4:15pm – 4:45pm Overview of Resources Available to Organizations

• Josh Kearns, InterAction; Lauren D’Amore, OSAC
& Yan Bui, Clements International

4:45pm – 5pm What are the Next Steps?

• Facilitator: Mike O’Neill, Save the Children

10
Appendix B: Facilitator Contact Information

Yan Bui
Account Executive
Clements International
ybui@clements.com

Lauren D’Amore
Regional Coordinator
OSAC
D’AmoreLE@state.gov

Josh Kearns
Associate Security Coordinator
InterAction
JKearns@interaction.org

Michael O’Neill
Senior Director of Security
Save the Children
MOneill@savechildren.org

John Schafer
Senior Security Coordinator
InterAction
JSchafer@interaction.org

Terry Wesbrock
Security Director
IRD
tjwesbrock@ird-dc.org

Tina Wesbrock
Security Director
IRD
twesbrock@ird-dc.org

11