Social Engineering


Social Engineering from the outset may seem like a topic one might hear when talking about sociology or psychology, when in fact it is a form of identity theft. To an information technology (IT) professional, Social Engineering is a form of voluntary, unintentional identity theft.

Many victims fail to realize they are being victimized until it is too late, while many others may never know. This paper will provide a definition of social engineering as it applies to information technology while introducing some of the pioneers of social engineering: those who have, essentially, written the book on social engineering. We will provide real-world examples of how social engineers apply their trade and provide important points to consider with regard to social engineering attacks. In conclusion, we will propose countermeasures that individuals and organizations should take in order to guard against social engineering.

Who defined Social Engineering?

Social Engineering as defined by IT professionals is the practice of deceiving someone, either in person, over the phone or using a computer, with the express intent of breaching some level of security, either personal or professional (Ledford, 2011). Implementing quality risk analysis solutions while maintaining data integrity is a crucial element of successful system modeling; within the context of social engineering in the workplace, there are several factors that can make implementing those solutions rather challenging.

Social engineering is a type of intrusion that relies heavily on human interaction and usually involves tricking other people into breaking normal, everyday security policies. Social engineers (SE) often prey on the natural helpfulness of other people. When analyzing and attempting to conduct a particular attack, a SE will commonly appeal to vanity or authority, as well as use simple eavesdropping, to acquire the desired information. Social engineering, in a nutshell, is a hacker’s clever manipulation of the natural human tendency to trust. This manipulation provides unauthorized access to the valued information, system or machine. “Never interrupt your enemy when he is making a mistake” (Bonaparte, n.d.). This is a mantra for all successful SE’s, as they take any and all information about and from a target for later use against said target. The SE will gather as much information as possible about their target in advance, most of which is readily available online, usually with just a few keystrokes: anything from hobbies to their favorite lunchtime meal. This information helps build a connection and instills trust with the target. With this trust, seemingly innocuous information will come flooding out of the target.

Akin to fictional spies like James Bond and Michael Weston, SE’s assume a persona that is not their own and attempt to establish with their target a reasonable justification to fulfill a request. The aforementioned tactics allow the SE to maintain the facade and leave an out to avoid burning his or her information source. Bottom line: a good SE is a good actor. “All of the firewalls and encryption in the world will never stop a gifted social engineer from rifling a corporate database or an irate employee from crashing the system,” says pioneer Kevin Mitnick, the world’s most celebrated hacker who popularized the term.

Mitnick firmly states in his two books, The Art of Deception and The Art of Intrusion, that it’s much easier to trick someone into giving a password for a system than to spend the time using a brute force hack or other more traditional means to compromise the integrity of sensitive data. Mitnick, who was a world famous, controversial computer hacker in the late 1980’s, was sentenced to 46 months in prison for hacking into the Pacific Bell telephone systems while evading the Federal Bureau of Investigation (FBI).

The notorious hacker also allegedly wiretapped the California Department of Motor Vehicles (DMV) and compromised the FBI’s and Pentagon’s systems. This led Mitnick to spend the majority of his time incarcerated in solitary confinement due to the government’s fear of him attempting to gain control of more sensitive information. Mitnick states in both of his aforementioned books that he compromised computers solely by using passwords and codes acquired as a result of social engineering. As a result, Mitnick was restricted from using any forms of technology upon his release from prison until approximately 5 years ago.

Kevin Mitnick is now the CEO of Mitnick Security Consulting, a computer security consultancy. Social engineering awareness is being addressed at the enterprise level as a vital corporate security initiative. Security experts advise that a properly trained staff, not technology, is the best asset against social engineering attacks on sensitive information. The importance placed upon security policies is imperative when attempting to combat this type of attack. Combat strategies require action on both physical and psychological levels.

This form appeals to hackers because the Internet is so widely used and it evades all intrusion detection systems. Social engineering is also a desirable method for hackers because of the low risk and low cost involved. There are no compatibility issues with social engineering; it works on every operating system. There’s no audit trail and if executed properly its effects can be completely devastating to the target. These attacks are real and staggering to any company, which is why strong corporate policies should be measured by access control and implementing specific procedures.

Advantages of having Social Engineering policies

One of the advantages of having such policies in place is that it negates the responsibility of an employee having to make a judgment call or using discretion regarding a social engineer’s request. Companies and their subsequent staffs have become much too relaxed as it pertains to corporate security initiative. These attacks can potentially be costly and unnerving to management as well as the IT department. Social engineering attacks commonly take place on two different levels: physical and psychological. Physical settings for these attacks can be anything from your office, your trash, over the telephone and even online.

A rudimentary, common form of a social engineering attack is social engineering by telephone. Clever social engineers will attempt to target the company’s help desk while fooling the help desk representative into believing they are calling from inside the company. Help desks are specifically the most vulnerable to social engineering attacks since these employees are trained to be accommodating, be friendly and give out information. Help desk employees are minimally educated and get paid a below average salary so it is common for these individuals to answer one question and move right along to the next.

This can potentially create an alarming security hole when the proper security initiative is not properly set into place. A classic example of this would be a SE calling the company operator and saying something like “Hi, I’m your AT&T rep; I’m stuck on a pole. I need you to punch a few buttons for me.” This type of attack is directed at the company’s help desk environment and is nearly always successful. Other forms of attack target those in charge of making multi-million dollar decisions for corporations, namely the CEO’s and CFO’s.

A clever SE can get either one of these individuals to willingly offer information pertinent to hacking into a corporation’s network infrastructure. Though cases such as these are rarely documented, they still occur. Corporations spend millions of dollars to test for these kinds of attacks. Individuals who perform this specialized testing are referred to as Social Engineering Auditors. One of the premier SE Auditors in the industry today is Chris Hadnagy. Hadnagy states that on any given assignment, all he has to do is perform a bit of research on the key players in the company before he is ready to strike.

In most cases he will play a sympathy card, pretending to be a member of a charity the CEO or CFO may belong to and make regular donations to. In one case, he called a CEO of a corporation pretending to be a fundraiser for a charity the CEO contributed to in the past. He stated they were having a raffle drawing and named off prizes such as major league game tickets and gift cards to a few restaurants, one of which happened to be a favorite of the CEO. When he was finished explaining all the prizes available he asked if it would be alright to email a flier outlining all the prizes up for grabs in a PDF.

The CEO agreed and willingly gave Hadnagy his corporate email address. Hadnagy further asked for the version of Adobe Reader the company used under the guise he wanted to make sure he was sending a PDF the CEO could read. The CEO willingly gave this information up. With this information he was able to send a PDF with malicious code embedded that gave him unfettered access to the CEO’s machine and in essence the company’s servers (Goodchild, 2011). Not all SE attacks occur completely over the phone. Another case that Hadnagy reports on occurred at a theme park.

The back story on this case is he was hired by a major theme park concerned about software security as their guest check-in computers were linked with corporate servers, and if the check-in computers were compromised a serious data breach may occur (Goodchild, 2011). Hadnagy started this attack by first calling the park posing as a software salesman, peddling newer PDF-reading software which he was offering free on a trial basis. From this phone call he was able to obtain the version of PDF-reader the park utilized and put the rest of his plan in action.

He next headed to the park with his family, walking up to one of the employees at guest services and asking if he could use one of their terminals to access his email. He was allowed to access his email to print off a coupon for admission to the park that day. This email also allowed him to embed malicious code on the servers, and he once again gained unfettered access to the park’s servers. Hadnagy proposes six points to ponder in regards to social engineering attacks:

  • No information, regardless of its personal or emotional nature, is off limits for a SE seeking to do harm.
  • It is often the person who thinks he is most secure who poses the biggest vulnerability to an organization. Executives are the easiest SE marks.
  • An organization’s security policy is only as good as its enforcement.
  • SE’s will often play to the employees’ good nature and desire to be helpful.
  • Social Engineering should be a part of an organization’s defense strategy.
  • SE’s will often go for the low-hanging fruit. Everyone is a target if security is low.

The first countermeasure of social engineering prevention begins with security policies.

Employee training is essential in combating even the most cunning and sly social engineers. Just like social engineering itself, training on a psychological and physical basis is required to alleviate these attacks. Training must begin at the top with management. All management must understand that social engineering attacks stem from both a psychological and physical angle therefore they must implement adequate policies that can mitigate the damage from an attacker while having a robust, enforceable penalty process for those that violate those policies.

Access control is a good place to start when applying these policies. A competent system administrator and his IT department should work cooperatively with management in hashing out policies that control and limit user’s permission to sensitive data. This will negate the responsibility on the part of an average employee from having to exercise personal judgment and discretion when a potential attack may occur. When suspicious calls for information occur within the company, the employee should keep three questions in mind:

  1. Does the person asking deserve this information?
  2. Why is she/he asking for it?
  3. What are the possible repercussions of giving up the requested information?

If there is a strong policy in place with enforceable penalties, these questions will help to reduce the potential for a SE attack (Scher, 2011).

Another countermeasure against a social engineering attack is to limit the amount of information easily available online. With Facebook, Twitter, Foursquare and the like, there is an overabundance of information readily available at any given moment online.

By just drastically limiting the amount of information available online it makes the SE’s task of information gathering that much more difficult. Throughout all of the tactics and strategies utilized when cultivating social engineering expertise, it’s extremely difficult to combat human error. So when implementing employee access control and information security, it is important to remember that everyone is human. This type of awareness can also be costly so it’s important to adopt a practical approach to fighting social engineering.

Balancing company morale and pleasant work environment is a common difficulty when dealing with social engineering prevention and awareness. It is vital to keep in perspective that the threat of social engineering is very real and everyone is a potential target.

References

  1. Bonaparte, N. (n.d.). BrainyQuote.com. Retrieved December 6, 2011, from BrainyQuote.com Web site: http://www.brainyquote.com/quotes/authors/n/napoleon_bonaparte_3.html
  2. Goodchild, J. (2011). Social Engineering: 3 Examples of Human Hacking. Retrieved November 28, 2011, from www.csoonline.com Web site: http://www.csoonline.com/article/663329/social-engineering-3-examples-of-human-hacking
  3. Fadia, A. and Manu, Z. (2008). Networking Intrusion Alert: An Ethical Hacking Guide to Intrusion Detection. Boston, Massachusetts: Thompson Course Technology, 2008.
  4. Ledford, J. (2011). Identity Theft 101, Social Engineering. Retrieved from About.com on December 1, 2011. Retrieved from: http://www.idtheft.about.com/od/glossary/g/Social_Enginneering.htm
  5. Long, J. and Mitnick, K. (2008). No Tech Hacking: A Guide to Social Engineering, Dumpster Diving and Shoulder Surfing. Burlington, Massachusetts: Syngress Publishing Inc., 2008.
  6. Mann, I. Hacking the Human. Burlington, Vermont: Gower Publishing, 2008.
  7. Mitnick, K. and Simon, W. The Art of Deception. Indianapolis, Indiana: Wiley Publishing Inc., 2002.
  8. Mitnick, K. and Simon, W. (2006). The Art of Intrusion. Indianapolis, Indiana: Wiley Publishing Inc., 2006.
  9. Scher, R. (2011). Is This the Most Dangerous Man in America? Security Specialist Breaches Networks for Fun & Profit. Retrieved from ComputerPowerUser.com on November 29, 2011. Retrieved from: http://www.social-engineer.org/resources/CPU-MostDangerousMan.pdf


General Security Policy


Sample Information Security Policy

I. POLICY

  • A. It is the policy of ORGANIZATION XYZ that information, as defined hereinafter, in all its forms–written, spoken, recorded electronically or printed–will be protected from accidental or intentional unauthorized modification, destruction or disclosure throughout its life cycle. This protection includes an appropriate level of security over the equipment and software used to process, store, and transmit that information.
  • B. All policies and procedures must be documented and made available to individuals responsible for their implementation and compliance. All activities identified by the policies and procedures must also be documented. All the documentation, which may be in electronic form, must be retained for at least 6 (six) years after initial creation, or, pertaining to policies and procedures, after changes are made. All documentation must be periodically reviewed for appropriateness and currency, a period of time to be determined by each entity within ORGANIZATION XYZ.
  • C. At each entity and/or department level, additional policies, standards and procedures will be developed detailing the implementation of this policy and set of standards, and addressing any additional information systems functionality in such entity and/or department. All departmental policies must be consistent with this policy. All systems implemented after the effective date of these policies are expected to comply with the provisions of this policy where possible.

Existing systems are expected to be brought into compliance where possible and as soon as practical.

II. SCOPE

  • A. The scope of information security includes the protection of the confidentiality, integrity and availability of information.
  • B. The framework for managing information security in this policy applies to all ORGANIZATION XYZ entities and workers, and other Involved Persons and all Involved Systems throughout ORGANIZATION XYZ as defined below in INFORMATION SECURITY DEFINITIONS.
  • C. This policy and all standards apply to all protected health information and other classes of protected information in any form as defined below in INFORMATION CLASSIFICATION.

III. RISK MANAGEMENT

  • A. A thorough analysis of all ORGANIZATION XYZ information networks and systems will be conducted on a periodic basis to document the threats and vulnerabilities to stored and transmitted information. The analysis will examine the types of threats – internal or external, natural or manmade, electronic and non-electronic – that affect the ability to manage the information resource.

The analysis will also document the existing vulnerabilities within each entity which potentially expose the information resource to the threats. Finally, the analysis will also include an evaluation of the information assets and the technology associated with its collection, storage, dissemination and protection. From the combination of threats, vulnerabilities, and asset values, an estimate of the risks to the confidentiality, integrity and availability of the information will be determined.

The frequency of the risk analysis will be determined at the entity level.

  • B. Based on the periodic assessment, measures will be implemented that reduce the impact of the threats by reducing the amount and scope of the vulnerabilities.

IV. INFORMATION SECURITY DEFINITIONS

Affiliated Covered Entities: Legally separate, but affiliated, covered entities which choose to designate themselves as a single covered entity for purposes of HIPAA.

Availability: Data or information is accessible and usable upon demand by an authorized person.

Confidentiality: Data or information is not made available or disclosed to unauthorized persons or processes.

HIPAA: The Health Insurance Portability and Accountability Act, a federal law passed in 1996 that affects the healthcare and insurance industries. A key goal of the HIPAA regulations is to protect the privacy and confidentiality of protected health information by setting and enforcing standards.

Integrity: Data or information has not been altered or destroyed in an unauthorized manner.

Involved Persons: Every worker at ORGANIZATION XYZ — no matter what their status. This includes physicians, residents, students, employees, contractors, consultants, temporaries, volunteers, interns, etc.

Involved Systems: All computer equipment and network systems that are operated within the ORGANIZATION XYZ environment. This includes all platforms (operating systems), all computer sizes (personal digital assistants, desktops, mainframes, etc.), and all applications and data (whether developed in-house or licensed from third parties) contained on those systems.

Protected Health Information (PHI): PHI is health information, including demographic information, created or received by the ORGANIZATION XYZ entities which relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual and that identifies or can be used to identify the individual.

Risk: The probability of a loss of confidentiality, integrity, or availability of information resources.

V. INFORMATION SECURITY RESPONSIBILITIES

  • A. Information Security Officer: The Information Security Officer (ISO) for each entity is responsible for working with user management, owners, custodians, and users to develop and implement prudent security policies, procedures, and controls, subject to the approval of ORGANIZATION XYZ. Specific responsibilities include:

  1. Ensuring security policies, procedures, and standards are in place and adhered to by entity.
  2. Providing basic security support for all systems and users.
  3. Advising owners in the identification and classification of computer resources. See Section VI Information Classification.
  4. Advising systems development and application owners in the implementation of security controls for information on systems, from the point of system design, through testing and production implementation.
  5. Educating custodian and user management with comprehensive information about security controls affecting system users and application systems.
  6. Providing on-going employee security education.
  7. Performing security audits.
  8. Reporting regularly to the ORGANIZATION XYZ Oversight Committee on entity’s status with regard to information security.
  • B. Information Owner: The owner of a collection of information is usually the manager responsible for the creation of that information or the primary user of that information. This role often corresponds with the management of an organizational unit. In this context, ownership does not signify proprietary interest, and ownership may be shared. The owner may delegate ownership responsibilities to another individual by completing the ORGANIZATION XYZ Information Owner Delegation Form. The owner of information has the responsibility for:
  1. Knowing the information for which she/he is responsible.
  2. Determining a data retention period for the information, relying on advice from the Legal Department.
  3. Ensuring appropriate procedures are in effect to protect the integrity, confidentiality, and availability of the information used or created within the unit.
  4. Authorizing access and assigning custodianship.
  5. Specifying controls and communicating the control requirements to the custodian and users of the information.
  6. Reporting promptly to the ISO the loss or misuse of ORGANIZATION XYZ information.
  7. Initiating corrective actions when problems are identified.
  8. Promoting employee education and awareness by utilizing programs approved by the ISO, where appropriate.
  9. Following existing approval processes within the respective organizational unit for the selection, budgeting, purchase, and implementation of any computer system/software to manage information.
  • C. Custodian: The custodian of information is generally responsible for the processing and storage of the information. The custodian is responsible for the administration of controls as specified by the owner.

Responsibilities may include:

  1. Providing and/or recommending physical safeguards.
  2. Providing and/or recommending procedural safeguards.
  3. Administering access to information.
  4. Releasing information as authorized by the Information Owner and/or the Information Privacy/ Security Officer for use and disclosure using procedures that protect the privacy of the information.
  5. Evaluating the cost effectiveness of controls.
  6. Maintaining information security policies, procedures and standards as appropriate and in consultation with the ISO.
  7. Promoting employee education and awareness by utilizing programs approved by the ISO, where appropriate.
  8. Reporting promptly to the ISO the loss or misuse of ORGANIZATION XYZ information.
  9. Identifying and responding to security incidents and initiating appropriate actions when problems are identified.
  • D. User Management: ORGANIZATION XYZ management who supervise users as defined below. User management is responsible for overseeing their employees’ use of information, including:
  • Reviewing and approving all requests for their employees’ access authorizations.
  • Initiating security change requests to keep employees’ security record current with their positions and job functions.
  • Promptly informing appropriate parties of employee terminations and transfers, in accordance with local entity termination procedures.
  • Revoking physical access to terminated employees, i.e., confiscating keys, changing combination locks, etc.
  • Providing employees with the opportunity for training needed to properly use the computer systems.
  • Reporting promptly to the ISO the loss or misuse of ORGANIZATION XYZ information.
  • Initiating corrective actions when problems are identified.
  • Following existing approval processes within their respective organization for the selection, budgeting, purchase, and implementation of any computer system/software to manage information.

A user of information is expected to:

  1. Access information only in support of their authorized job responsibilities.
  2. Comply with Information Security Policies and Standards and with all controls established by the owner and custodian.
  3. Refer all disclosures of PHI outside of ORGANIZATION XYZ and within ORGANIZATION XYZ, other than for treatment, payment, or health care operations, to the applicable entity’s Medical/Health Information Management Department. In certain circumstances, the Medical/Health Information Management Department policies may specifically delegate the disclosure process to other departments. (For additional information, see ORGANIZATION XYZ Privacy/Confidentiality of Protected Health Information (PHI) Policy.)
  4. Keep personal authentication devices (e.g., passwords, SecureCards, PINs, etc.) confidential.
  5. Report promptly to the ISO the loss or misuse of ORGANIZATION XYZ information.
  6. Initiate corrective actions when problems are identified.

VI. INFORMATION CLASSIFICATION

Classification is used to promote proper controls for safeguarding the confidentiality of information. Regardless of classification the integrity and accuracy of all classifications of information must be protected. The classification assigned and the related controls applied are dependent on the sensitivity of the information. Information must be classified according to the most sensitive detail it includes.

Information recorded in several formats (e.g., source document, electronic record, report) must have the same classification regardless of format. The following levels are to be used when classifying information:

  • A. Protected Health Information (PHI)
  1. PHI is information, whether oral or recorded in any form or medium, that: a. is created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school or university or health clearinghouse; and b. relates to past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual; and c. includes demographic data that permits identification of the individual or could reasonably be used to identify the individual.
  2. Unauthorized or improper disclosure, modification, or destruction of this information could violate state and federal laws, result in civil and criminal penalties, and cause serious damage to ORGANIZATION XYZ and its patients or research interests.
  • B. Confidential Information
  1.  Confidential Information is very important and highly sensitive material that is not classified as PHI. This information is private or otherwise sensitive in nature and must be restricted to those with a legitimate business need for access. Examples of Confidential Information may include: personnel information, key financial information, proprietary information of commercial research sponsors, system access passwords and information file encryption keys.
  2. Unauthorized disclosure of this information to people without a business need for access may violate laws and regulations, or may cause significant problems for ORGANIZATION XYZ, its customers, or its business partners. Decisions about the provision of access to this information must always be cleared through the information owner.
  • C. Internal Information
  1. Internal Information is intended for unrestricted use within ORGANIZATION XYZ, and in some cases within affiliated organizations such as ORGANIZATION XYZ business partners. This type of information is already widely distributed within ORGANIZATION XYZ, or it could be so distributed within the organization without advance permission from the information owner. Examples of Internal Information may include: personnel directories, internal policies and procedures, most internal electronic mail messages.
  2. Any information not explicitly classified as PHI, Confidential or Public will, by default, be classified as Internal Information.
  3. Unauthorized disclosure of this information to outsiders may not be appropriate due to legal or contractual provisions.
  • D. Public Information
  1. Public Information has been specifically approved for public release by a designated authority within each entity of ORGANIZATION XYZ. Examples of Public Information may include marketing brochures and material posted to ORGANIZATION XYZ entity internet web pages.
  2. This information may be disclosed outside of ORGANIZATION XYZ.

VII. COMPUTER AND INFORMATION CONTROL

All involved systems and information are assets of ORGANIZATION XYZ and are expected to be protected from misuse, unauthorized manipulation, and destruction. These protection measures may be physical and/or software based.

  • A. Ownership of Software: All computer software developed by ORGANIZATION XYZ employees or contract personnel on behalf of ORGANIZATION XYZ or licensed for ORGANIZATION XYZ use is the property of ORGANIZATION XYZ and must not be copied for use at home or any other location, unless otherwise specified by the license agreement.
  • B. Installed Software: All software packages that reside on computers and networks within ORGANIZATION XYZ must comply with applicable licensing agreements and restrictions and must comply with ORGANIZATION XYZ acquisition of software policies.
  • C. Virus Protection: Virus checking systems approved by the Information Security Officer and Information Services must be deployed using a multi-layered approach (desktops, servers, gateways, etc.) that ensures all electronic files are appropriately scanned for viruses. Users are not authorized to turn off or disable virus checking systems.
  • D. Access Controls: Physical and electronic access to PHI, Confidential and Internal information and computing resources is controlled.

To ensure appropriate levels of access by internal workers, a variety of security measures will be instituted as recommended by the Information Security Officer and approved by ORGANIZATION XYZ. Mechanisms to control access to PHI, Confidential and Internal information include (but are not limited to) the following methods:

1. Authorization: Access will be granted on a “need to know” basis and must be authorized by the immediate supervisor and application owner with the assistance of the ISO. Any of the following methods are acceptable for providing access under this policy:

  • a. Context-based access: Access control based on the context of a transaction (as opposed to being based on attributes of the initiator or target). The “external” factors might include time of day, location of the user, strength of user authentication, etc.
  • b. Role-based access: An alternative to traditional access control models (e.g., discretionary or non-discretionary access control policies) that permits the specification and enforcement of enterprise-specific security policies in a way that maps more naturally to an organization’s structure and business activities. Each user is assigned to one or more predefined roles, each of which has been assigned the various privileges needed to perform that role.
  • c. User-based access: A security mechanism used to grant users of a system access based upon the identity of the user.

2. Identification/Authentication: Unique user identification (user id) and authentication is required for all systems that maintain or access PHI, Confidential and/or Internal Information. Users will be held accountable for all actions performed on the system with their user id.

  • a. At least one of the following authentication methods must be implemented: 1. strictly controlled passwords (Attachment 1 – Password Control Standards), 2. biometric identification, and/or 3. tokens in conjunction with a PIN.
  • b. The user must secure his/her authentication control (e.g., password, token) such that it is known only to that user and possibly a designated security manager.
  • c. An automatic timeout re-authentication must be required after a certain period of no activity (maximum 15 minutes).
  • d. The user must log off or secure the system when leaving it.

3. Data Integrity: ORGANIZATION XYZ must be able to provide corroboration that PHI, Confidential, and Internal Information has not been altered or destroyed in an unauthorized manner. Listed below are some methods that support data integrity:

  • a. transaction audit
  • b. disk redundancy (RAID)
  • c. ECC (Error Correcting Memory)
  • d. checksums (file integrity)
  • e. encryption of data in storage
  • f. digital signatures

4. Transmission Security: Technical security mechanisms must be put in place to guard against unauthorized access to data that is transmitted over a communications network, including wireless networks.

The following features must be implemented: a. integrity controls and b. encryption, where deemed appropriate.

5. Remote Access: Access into ORGANIZATION XYZ network from outside will be granted using ORGANIZATION XYZ approved devices and pathways on an individual user and application basis. All other network access options are strictly prohibited. Further, PHI, Confidential and/or Internal Information that is stored or accessed remotely must maintain the same level of protections as information stored and accessed within the ORGANIZATION XYZ network.

6. Physical Access: Access to areas in which information processing is carried out must be restricted to only appropriately authorized individuals. The following physical controls must be in place:

  • a. Mainframe computer systems must be installed in an access-controlled area.

The area in and around the computer facility must afford protection against fire, water damage, and other environmental hazards such as power outages and extreme temperature situations.

  • b. File servers containing PHI, Confidential and/or Internal Information must be installed in a secure area to prevent theft, destruction, or access by unauthorized individuals.

Workstations or personal computers (PC) must be secured against use by unauthorized individuals. Local procedures and standards must be developed on secure and appropriate workstation use and physical safeguards which must include procedures that will:

  1.  Position workstations to minimize unauthorized viewing of protected health information.
  2. Grant workstation access only to those who need it in order to perform their job function.
  3. Establish workstation location criteria to eliminate or minimize the possibility of unauthorized access to protected health information.
  4. Employ physical safeguards as determined by risk analysis, such as locating workstations in controlled access areas or installing covers or enclosures to preclude passerby access to PHI.
  5. Use automatic screen savers with passwords to protect unattended machines.

Facility access controls must be implemented to limit physical access to electronic information systems and the facilities in which they are housed, while ensuring that properly authorized access is allowed. Local policies and procedures must be developed to address the following facility access control requirements:

1. Contingency Operations – Documented procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.

2. Facility Security Plan – Documented policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.

3. Access Control and Validation – Documented procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.

Maintenance records – Documented policies and procedures to document repairs and modifications to the physical components of the facility which are related to security (for example, hardware, walls, doors, and locks).

4. Emergency Access:

  • a. Each entity is required to establish a mechanism to provide emergency access to systems and applications in the event that the assigned custodian or owner is unavailable during an emergency.
  • b. Procedures must be documented to address:

 

Equipment and Media Controls: The disposal of information must ensure the continued protection of PHI, Confidential and Internal Information. Each entity must develop and implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain PHI into and out of a facility, and the movement of these items within the facility. The following specification must be addressed:

  1. Information Disposal / Media Re-Use of: a. Hard copy (paper and microfilm/fiche) b. Magnetic media (floppy disks, hard drives, zip disks, etc.)
  2. Accountability: Each entity must maintain a record of the movements of hardware and electronic media and any person responsible therefore.
  3. Data backup and Storage: When needed, create a retrievable, exact copy of electronic PHI before movement of equipment.

F. Other Media Controls:

  • 1. PHI and Confidential Information stored on external media (diskettes, cd-roms, portable storage, memory sticks, etc.) must be protected from theft and unauthorized access. Such media must be appropriately labeled so as to identify it as PHI or Confidential Information.

Further, external media containing PHI and Confidential Information must never be left unattended in unsecured areas.

  • 2. PHI and Confidential Information must never be stored on mobile computing devices (laptops, personal digital assistants (PDA), smart phones, tablet PC’s, etc.) unless the devices have the following minimum security requirements implemented:

a. Power-on passwords

b. Auto logoff or screen saver with password

c. Encryption of stored data or other acceptable safeguards approved by Information Security Officer

Further, mobile computing devices must never be left unattended in unsecured areas.

G. If PHI or Confidential Information is stored on external medium or mobile computing devices and there is a breach of confidentiality as a result, then the owner of the medium/device will be held personally accountable and is subject to the terms and conditions of ORGANIZATION XYZ Information Security Policies and Confidentiality Statement signed as a condition of employment or affiliation with ORGANIZATION XYZ.

H. Data Transfer/Printing:

  • Electronic Mass Data Transfers: Downloading and uploading PHI, Confidential, and Internal Information between systems must be strictly controlled.

Requests for mass downloads of, or individual requests for, information for research purposes that include PHI must be approved through the Internal Review Board (IRB). All other mass downloads of information must be approved by the Application Owner and include only the minimum amount of information necessary to fulfill the request. Applicable Business Associate Agreements must be in place when transferring PHI to external entities (see ORGANIZATION XYZ policy B-2 entitled “Business Associates”).

  • Other Electronic Data Transfers and Printing: PHI, Confidential and Internal Information must be stored in a manner inaccessible to unauthorized individuals.

PHI and Confidential information must not be downloaded, copied or printed indiscriminately or left unattended and open to compromise. PHI that is downloaded for educational purposes where possible should be de-identified before use.

I. Oral Communications: ORGANIZATION XYZ staff should be aware of their surroundings when discussing PHI and Confidential Information.

This includes the use of cellular telephones in public areas. ORGANIZATION XYZ staff should not discuss PHI or Confidential Information in public areas if the information can be overheard. Caution should be used when conducting conversations in: semi-private rooms, waiting rooms, corridors, elevators, stairwells, cafeterias, restaurants, or on public transportation.

J. Audit Controls: Hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use PHI must be implemented.

Further, procedures must be implemented to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. These reviews must be documented and maintained for six years.

K. Evaluation: ORGANIZATION XYZ requires that periodic technical and non-technical evaluations be performed in response to environmental or operational changes affecting the security of electronic PHI to ensure its continued protection.

L. Contingency Plan: Controls must ensure that ORGANIZATION XYZ can recover from any damage to computer equipment or files within a reasonable period of time.

Each entity is required to develop and maintain a plan for responding to a system emergency or other occurrence (for example, fire, vandalism, system failure and natural disaster) that damages systems that contain PHI, Confidential, or Internal Information. This will include developing policies and procedures to address the following:

  • Data Backup Plan:

a. A data backup plan must be documented and routinely updated to create and maintain, for a specific period of time, retrievable exact copies of information.

b. Backup data must be stored in an off-site location and protected from physical damage. Backup data must be afforded the same level of protection as the original data.

  • Disaster Recovery Plan:

A disaster recovery plan must be developed and documented which contains a process enabling the entity to restore any loss of data in the event of fire, vandalism, natural disaster, or system failure.

  • Emergency Mode Operation Plan:

A plan must be developed and documented which contains a process enabling the entity to continue to operate in the event of fire, vandalism, natural disaster, or system failure.

  • Testing and Revision Procedures:

Procedures should be developed and documented requiring periodic testing of written contingency plans to discover weaknesses and the subsequent process of revising the documentation, if necessary.

  • Applications and Data Criticality Analysis:

The criticality of specific applications and data in support of other contingency plan components must be assessed and documented.

Failure to comply with Information Security Policies and Standards by employees, medical staff, volunteers, and outside affiliates may result in disciplinary action up to and including dismissal in accordance with applicable ORGANIZATION XYZ procedures, or, in the case of outside affiliates, termination of the affiliation. Failure to comply with Information Security Policies and Standards by students may constitute grounds for corrective action in accordance with ORGANIZATION XYZ procedures. Further, penalties associated with state and federal laws may apply.

B. Possible disciplinary/corrective action may be instituted for, but is not limited to, the following:

  1. Unauthorized disclosure of PHI or Confidential Information as specified in Confidentiality Statement.
  2. Unauthorized disclosure of a sign-on code (user id) or password.
  3. Attempting to obtain a sign-on code or password that belongs to another person.
  4. Using or attempting to use another person’s sign-on code or password.
  5. Unauthorized use of an authorized password to invade patient privacy by examining records or information for which there has been no request for review.
  • Installing or using unlicensed software on ORGANIZATION XYZ computers.
  6. The intentional unauthorized destruction of ORGANIZATION XYZ information.
  7. Attempting to get access to sign-on codes for purposes other than official business, including completing fraudulent documentation to gain access.

ATTACHMENT

Password Control Standards

The ORGANIZATION XYZ Information Security Policy requires the use of strictly controlled passwords for accessing Protected Health Information (PHI), Confidential Information (CI) and Internal Information (II). (See ORGANIZATION XYZ Information Security Policy for definition of these protected classes of information.) Listed below are the minimum standards that must be implemented in order to ensure the effectiveness of password controls.

Standards for accessing PHI, CI, II: Users are responsible for complying with the following password standards:

  1. Passwords must never be shared with another person, unless the person is a designated security manager.
  2. Every password must, where possible, be changed regularly – (between 45 and 90 days depending on the sensitivity of the information being accessed)
  3. Passwords must, where possible, have a minimum length of six characters.
  4. Passwords must never be saved when prompted by any application with the exception of central single sign-on (SSO) systems as approved by the ISO. This feature should be disabled in all applicable systems.
  5. Passwords must not be programmed into a PC or recorded anywhere that someone may find and use them.
  6. When creating a password, it is important not to use words that can be found in dictionaries or words that are easily guessed due to their association with the user (i.e., children’s names, pets’ names, birthdays, etc.). A combination of alpha and numeric characters is more difficult to guess.

Where possible, system software must enforce the following password standards:

  1. Passwords routed over a network must be encrypted.
  2. Passwords must be entered in a non-display field.
  3. System software must enforce the changing of passwords and the minimum length.
  4. System software must disable the user identification code when more than three consecutive invalid passwords are given within a 15 minute timeframe. Lockout time must be set at a minimum of 30 minutes.
  5. System software must maintain a history of previous passwords and prevent their reuse.
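One way system software could enforce the length, lockout, history and maximum-age rules listed above, as an added example that is not part of the policy. The class and function names, the history depth of five and the PBKDF2 parameters are assumptions; the thresholds come from the attachment.

```python
"""Enforcing the attachment's password standards in system software (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Thresholds taken from the Password Control Standards above.
MIN_LENGTH = 6                  # minimum length of six characters
MAX_AGE_SECONDS = 90 * 86400    # upper bound of the 45-90 day change interval
MAX_FAILURES = 3                # lock on "more than three" consecutive failures
FAILURE_WINDOW = 15 * 60        # ...given within a 15 minute timeframe
LOCKOUT_SECONDS = 30 * 60       # lockout time of at least 30 minutes
# Assumptions: the standard names neither a history depth nor a hash function.
HISTORY_DEPTH = 5
PBKDF2_ROUNDS = 100_000


def _digest(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so the stored history never holds clear-text passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    history: list = field(default_factory=list)    # (salt, digest), newest last
    changed_at: float = 0.0
    failures: list = field(default_factory=list)   # times of consecutive failures
    locked_until: float = 0.0


class PasswordStandard:
    def __init__(self):
        self.accounts = {}

    def set_password(self, user, password, now):
        acct = self.accounts.setdefault(user, Account())
        if len(password) < MIN_LENGTH:
            return "too_short"
        # Each old entry has its own salt, so re-hash the candidate per entry.
        for salt, digest in acct.history:
            if hmac.compare_digest(_digest(password, salt), digest):
                return "reused"
        salt = os.urandom(16)
        acct.history.append((salt, _digest(password, salt)))
        del acct.history[:-HISTORY_DEPTH]           # keep only the newest entries
        acct.changed_at = now
        return "ok"

    def login(self, user, password, now):
        acct = self.accounts.get(user)
        if acct is None or not acct.history:
            return "denied"
        if now < acct.locked_until:
            return "locked"                          # correct password is refused too
        salt, digest = acct.history[-1]
        if not hmac.compare_digest(_digest(password, salt), digest):
            # Only failures inside the 15 minute window count toward the lock.
            recent = [t for t in acct.failures if now - t < FAILURE_WINDOW]
            acct.failures = recent + [now]
            if len(acct.failures) > MAX_FAILURES:
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.failures = []
                return "locked"
            return "denied"
        acct.failures = []                           # success ends the consecutive run
        if now - acct.changed_at > MAX_AGE_SECONDS:
            return "expired"                         # caller must force a change
        return "ok"


def demo():
    """Constructed timeline (seconds) for a constructed user 'alice'."""
    std = PasswordStandard()
    out = [std.set_password("alice", "ab12c", 0),
           std.set_password("alice", "tiger42x", 0),
           std.set_password("alice", "tiger42x", 10)]
    out += [std.login("alice", "guess", t) for t in (100, 200, 300, 400)]
    out.append(std.login("alice", "tiger42x", 500))
    out.append(std.login("alice", "tiger42x", 400 + LOCKOUT_SECONDS))
    return out


if __name__ == "__main__":
    print(demo())
```

The fourth consecutive failure locks the user id, and the lock holds even when the correct password is presented before the 30 minutes have passed.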


The UN and Peacekeeping

CHAPTER FIVE CONCLUSION

INTRODUCTION

Since its inception in 1945, the United Nations has been involved in peacekeeping operations and conflict resolutions in the international system.

According to Article 1 of the Charter of the United Nations, the UN is expected “to take effective collective measures for the prevention and removal of threats to the peace, and for the suppression of acts of aggression or other breaches of the peace, and to bring about by lawful means, and in conformity with the principle of justice and international law, adjustment or settlement of international disputes or situations which might lead to a breach of the peace.” The United Nations has been charged with vast responsibilities for the maintenance of international peace and security. Two organs were created for this purpose: the Security Council (which consists of fifteen members, five permanent members with veto power and ten non-permanent members) and the General Assembly (which consists of representatives from all member states). This essay seeks to examine and analyze the role of the United Nations in the maintenance of international peace and security using the Korean War as a case study.

THE UN AND PEACEKEEPING

Peacekeeping is defined by the United Nations as “a unique and dynamic instrument developed by the organization as a way to help countries torn by conflict, create the conditions for lasting peace.” The Security Council of the United Nations has been given the responsibility to take collective action to maintain international peace and security. The “Uniting for Peace” resolution adopted by the General Assembly in 1954 imposes the responsibility of maintenance of international peace and security on the General Assembly under certain conditions.

The United Nations, after the approval by the Security Council sends peacekeepers to regions where armed conflict has recently ceased or paused to enforce the terms of peace agreements and to discourage combatants from resuming hostilities. Since the United Nations does not maintain its own military, peacekeeping forces are voluntarily provided by member states of the United Nations. The founders of the United Nations envisaged that the organization would help to prevent conflicts between states and in the process, prevent outbreak of another major war in the future.

The United Nations would have been able to achieve this successfully if not for the outbreak of the Cold War. The outbreak of the Cold War made it extremely difficult for the United Nations to successfully resolve issues and conflicts because of the division of the world into hostile camps: the United States and Western Europe on one side and the Soviet Union, Eastern Europe and part of Asia on the other side. This caused a stalemate in decision making in the Security Council as both powers (United States and Soviet Union) used their veto power to check each other.

The United Nations found it extremely difficult to come to a resolution on issues where both superpowers had national interests. In cases such as the Korean War, where the Soviet Union used her veto power to reject resolutions and left the Security Council completely paralyzed, the General Assembly assumed the responsibility of making decisions through the “Uniting for Peace” resolution. In spite of the various obstacles the United Nations faced during the Cold War era in conflict resolution, it was to an extent successful in maintaining international peace and security and, most importantly, in preventing the outbreak of another World War.

THE UNITED NATIONS AND THE KOREAN WAR

The Korean War from 1950 to 1953 was the most severe test the United Nations had to face since its inception in 1945. As part of the Cold War scenario, the Korean War was a complicated issue with which the United Nations had to deal successfully or lose credibility just five years after it had come into being. The Korean experience tested the United Nations’ ability and credibility in maintaining international peace and security. In some ways the Korean episode could be regarded as the United Nations’ finest hour.

Here, for the first and only time in its history, the Security Council called on its members to go to the defense of a state under armed attack [1]. It also marked the first attempt by an international organization to check an act of aggression, and it stands as the only occasion on which enforcement action had been taken against aggressor states or other authorities [2]. Here, in consequence, the forces of a number of countries fought under the United Nations flag to defend the principle that aggression should not be allowed to succeed [3]. But the concept of collective security was not upheld, as only a quarter of the membership of the United Nations sent military assistance to South Korea and the sixteen states which did so were all Western countries. This was more an example of alliance strategy than of enforcement action by an international organization; of collective defence rather than collective security. The fact that a great majority of the United Nations membership, though pro-Western, were unwilling to send significant armed support to the country whose existence was threatened showed that the action could scarcely be said to wholeheartedly fulfill the ideals enshrined in the Charter of the UN [4].

The dominance exercised by the United States over the entire operation in the Korean crisis deprived it of the name of genuine collective security. This was demonstrated in the early stages by the fact that most of the Security Council initiatives and resolutions were really in origin United States proposals. At the onset of North Korea’s attack on South Korea, the United States was the first state to send assistance both financially and militarily to South Korea, even before the United Nations had taken a decision on the matter.

The military operation was headed by a United States commander and the decisions that were taken originated directly from the White House and not from the UN secretariat. This defeated the purpose of collective security by placing the responsibility of a peacekeeping mission in the hands of a superpower. This contrasted radically with the subsequent practice of the UN in organizing peacekeeping forces from 1956 onward. In these cases the superpowers were normally excluded from participation altogether, and no single power or even a group of powers was able to dominate policy in the way the United States was allowed to do in Korea [5].

This gave a clear indication that the UN was dominated by the United States. Nearly 90% of all army personnel, 93% of all air power and 80% of all naval power for the Korean War had come from the United States. The Chinese got involved in the war (this escalated and prolonged the war) on the basis that they viewed the whole operation not as a United Nations peacekeeping mission but as an effort by the United States to gain control of Asia, using the United Nations as a cover to invade both Koreas and China.

The decision of the United Nations Forces to cross the 38th parallel also originated from the United States. The United States brought the proposal for the United Nations forces to cross the 38th parallel and enter North Korea before the General Assembly even though most of the participating states were against it. Even though there were other states that participated in the peacekeeping operations, their opinions were barely considered by the United States. The majority of the decision-making processes were held in Washington rather than New York.

While the success of the United Nations in repelling aggression in Korea had been in large part due to the contribution of the United States, the dominant role of the United States weakened the collective character of the operation [6]. Throughout the whole episode, the United Nations failed to institute or even attempt to institute any effective negotiations among the parties concerned as in the case of South Korea and North Korea and also the United States and the Soviet Union after the division of Korea.

The United Nations also failed before 1950 to bring the two parties (North and South Korea) into discussion so as to bring about a resolution, or to involve the use of a mediator or good offices to help along with negotiations; instead the United Nations held on to its demands for an all-Korean election under UN auspices. The Korean experience has shown that the Charter provisions and the machinery for which the Charter provides can be adapted and utilized under certain conditions to defeat aggression and to discourage aggression in advance [7].

Since the decline of the Cold War, however, the UN has been more effective and efficient in maintaining international peace and security. The Korean experience questioned the UN as a useful and promising means of dealing with threats to and breaches of the peace by collective measures, and showed its limitations. The “Uniting for Peace” resolution which was passed by the General Assembly during the Korean War created a whole new dynamic.

The veto power of the permanent members of the Security Council sometimes cripples the Council, as it makes decision making harder and slower in cases where the superpowers have contrasting interests, as could be seen in the Korean conflict where the Soviet Union used her veto power to cripple the resolution passed by the other members of the Council. The “Uniting for Peace” resolution gave the General Assembly the power and responsibility to make decisions under such circumstances, where the Security Council is crippled and incapable of making decisions concerning security matters.

The Korean experience served as an important lesson for the UN in its pursuit of international peace and security. It has also shown that the purpose of collective security is to restore international peace and security and not do justice, particularly if the doing of justice, which often is highly controversial and in practice requires some accommodation of conflicting interests involves a serious risk of extending the war.

Furthermore, where one member has a disproportionate share in the direction of the operation, there is the additional danger that the member will seek to use the operation for implementation of its own national policies, policies which may not be in harmony with the interests and policies of other members of the United Nations. The United Nations could justifiably hold that it had fought a successful war to defend a nation under attack; what it could not claim, after eight years of discussion, was that it had brought any nearer a resolution of the Korean problem.

CONCLUSION

The Korean War served as an important lesson to the UN. In spite of the various obstacles it has faced, the United Nations has been able to improve and make amendments. The decline of the Cold War, which was a major factor in the outcome of the Korean War, has also strengthened the United Nations in the area of conflict resolution and peacekeeping operations.

ENDNOTES

1. Evan Luard, A History of the United Nations Volume 1: The Years of Western Domination 1945-1955 (Macmillan 1982), p. 71-272.
2. D. W. Bowett, United Nations Forces. A Legal Study of United Nations Practice (London, Sterens and Sons, 1984), p. 30.
3. Evan Luard, A History of the United Nations Volume 1: The Years of Western Domination 1945-1955 (Macmillan 1982), p. 272.
4. Ibid, p. 272-273.
5. Ibid, p. 273.
6. Leland M. Goodrich, “The United Nations and the Korean War: A Case Study”, Proceedings of the Academy of Political Science, Vol. 25. No. 2. United Nations: Success or Failure p. 103.
7. Ibid, p. 102.


Airport Security Problems Essay

Introduction

Security is the freedom from danger and risk, which provides one with complete satisfaction and safety. Full-body scanners have been in use for various health reasons, but started to be utilized at airports as a security measure in 2007. Full-body scanners used for safety purposes are a recently invented technology that claims to ensure complete safety to travelers at airports by generating a computerized stripped image of passengers boarding flights. Additional security procedures are also in place along with full-body scanners.

This assures that no passengers are carrying any harmful material, to prevent acts of terrorism. Although full-body scanners allow airport security to avoid physical frisking, which may be a problem for many travelers, personally and religiously, there are many disadvantages as well. According to surveys, even though it is for the sake of security, passengers feel uncomfortable about the fact that they are technologically being viewed bare naked. Also, the personnel who view your full-body scan can amplify security, which creates a reasonable issue of racism and prejudice.

Additionally, it has been proven that this “new and improved” full-body scanner and other security measures in action have not been functioning to satisfy complete safety and security to travelers. Private and religious invasion, discrimination, and inefficiency are three major concerns that regard the use of full-body scanners and other security measures, which are becoming increasingly problematic at airports internationally. It is coherent that these apprehensions must be taken into serious consideration regarding the decision whether or not the use of full-body scanners and other security enforcements should be continued.

Private and Religious Invasion

It is evident, through religious laws and several personal opinions, that the use of full-body scanners may invade an individual’s religious and personal privacy. Generally speaking, one would undoubtedly feel personally invaded if another has the access to observe their uncovered body unwillingly. This is why a certain population feels strongly against the fact that they are forced to be viewed undressed, through the use of a full-body scanner. Rabbi Bulka states that “…a full body check – you have to be able to have access to every single part of the body, including those we would consider off limits” (MacLeod, 2010). This displays that the private body parts of individuals who pass through full-body scanners are being “viewed by a screener in a separate room, who doesn’t know the identity of the person” (Gulli, 2010). It is apparent that the passenger being observed by the anonymous viewer will undoubtedly feel that their privacy is being strongly invaded through the use of full-body scanners. Along the lines of privacy invasion, there are other methods that cross a passenger’s boundaries and make them feel uncomfortable.

On that note, the use of full-body scanners has also broken the religious laws of the population amongst certain beliefs. The author mentions that, “Passengers who do not wish to pass through the metal detector for religious or cultural reasons can request a pat-down as an alternative. Head coverings, whether religious or not, are also permitted, though they may be subject to a pat-down search or removal in a private area” (Higgins, 2010). This demonstrates that full-body scanners may be a threat to an individual’s religious beliefs by forcing them to remove any religious attire such as a hijab for Muslim women or a turban for Sikh men/women.

Additionally, this population would be very sensitive to physical pat-downs in private areas, as they have already avoided the use of full-body scanners on religious grounds. Not only does this raid religious belief, but it may also invade an individual’s personal space as well. With this information, it is prominent that religious and personal privacy may be invaded with the utilization of full-body scanners.

Discrimination

Along with religious and personal invasion, the utilization of full-body scanners and other security measures has proven to raise problems of discrimination and prejudice.

This causes travelers to wonder whether they are being scrutinized at airports for the safety of others, or for the indignity of their identity and background. It is clear that the background and race of an individual largely alters the way airport security personnel treat passengers in relation to full-body scanners. The author, Micheline Maynard, expresses that “Citizens of 14 nations, including Pakistan, Saudi Arabia and Nigeria, who are flying to the United States will be subjected indefinitely to intense screening at airports worldwide…” (Lipton, 2010).

However, she also states that “…American citizens, and most others who are not flying through those 14 nations on their way to the United States, will no longer automatically face the full-range of intensified security…” (Lipton, 2010). This shows that the targeted countries such as Pakistan, Saudi Arabia and Nigeria along with others are clearly being classified under terrorism-related countries. A massive issue is created for the majority of the population from those countries, who are innocent, yet are forced to undergo intense full-body screening for no political reason.

Therefore, airport security is proven to produce discrimination in association with full-body scanners against those targeted nations. Furthermore, prejudice along with discrimination evidently exists in airport security measures other than full-body scanners. As Rafi Sela, the president of AR Challenges, a global transportation security consultancy, speaks about the body and hand-luggage check, he states that “…they’re not looking for liquids, they’re not looking at your shoes.

They’re not looking for everything they look for in North America. They just look at you” (Kelly, 2009). This quotation is an ideal example of prejudice present at airport security. As prejudice refers to an unfavorable opinion, Rafi Sela explains that the traveler at the body and hand-luggage check will be judged based on his/her appearance as opposed to making sure that the passenger is not carrying any harmful substances for the flight.

Finally, it is apparent that discrimination and prejudices have been established as a method of the security system at airports, which is wrongful in a countless number of ways.

Inefficiency

Another problem that arises from the use of full-body scanners is that they are not efficient enough to bring about complete safety. Also, trained dogs are a component of the security system that tends to perform better than full-body scanners. Moreover, full-body scanners may not be effective at detecting deadly weapons that a terrorist may have in their possession.

Cathy Gulli says, “…body scanners probably won’t pick up explosives concealed in body cavities or consumed, which still leaves bombers with the ability to get explosives onto the plane” (Gulli, 2010). This clearly shows that claims that these full-body scanners are highly effective are proven wrong. As using these machines puts the lives of travelers internationally at risk, there is a major flaw in the system, and it may become very problematic. As Rafi Sela says, “…if you have a gap in security, you have no security” (Gulli, 2010).

On the other hand, having a canine is a more effective security method as it provides supplementary and serviceable protection to travelers worldwide. “Cliff Samson, president of the Canadian Police Canine Association, believes dogs are ‘every bit as effective’ as machines at detecting explosives, and they can seek them out in a way that huge, stationary equipment can’t” (Gulli, 2010). This evidence supports using trained canines for security purposes as opposed to ineffective and risky full-body scanners; there is also a financial advantage.

Mr. Samson also mentions that “…a dog can cost a police department $12,000…” whereas a security expert states that “…body scanners, each worth $250 000, at Canadian airports…” (Gulli, 2010). Not only does this give airports an opportunity to increase security for a positive cause, but it also allows airports to capitalize financially. Conclusively, inadequacy in the functioning of full-body scanners has proved to be a problematic security factor, without bringing complete security, that even dogs can outsmart.

Conclusion

Various apprehensions that are becoming increasingly problematic as time passes regarding the doubtful airport security systems include invasion of privacy and religious laws, discrimination and prejudices, as well as ineffectiveness of full-body scanners. It is extremely important for the public citizens across the world to act towards bringing a much safer security system that is capable of accommodating the various respected religions internationally without the process of determining whose security should or should not be intensified based on their ethnic background and race.

It is also important for everyone to acknowledge that it is just as important to defend one’s rights and beliefs as it is to protect an airline flight without physically or religiously violating an individual’s space. This is why it is an excellent idea to create a universal security system that is convenient to use, unbiased and respectful of physical and religious liberty. It is the responsibility of every person to contribute towards the creation of a precious and needed system that potentially holds the lives of many, as it will contribute greatly towards the prevention of terrorism.

With the rapidly developing technology witnessed in the past decade, there is absolutely no excuse to live without a safety scheme most needed around the world. Not only should this worldwide security system be used for the isolated purpose of airport safety, but it should also be utilized at public locations such as theme parks, subway and bus terminals and sea ports as well. This way every country, city, and community across the world will be satisfied and secure from any danger and risk.

Since our current security structure clearly cannot handle the situations faced today, a more effective method of security will serve its purpose to protect every valuable individual globally.

References

Gulli, C. (2010). The scary truth about airport security. Maclean’s (2), 18. Retrieved February 02, 2010, from ProQuest database.

Higgins, M. (2010). Security ahead? pack patience: [travel desk]. New York Times, p. TR.3. Retrieved March 14, 2010, from ProQuest database.

Kelly, C. (2009, December 30). The ‘Israelification’ of airports: high security, little bother. The Star. Retrieved March 15, 2010, from http://www.thestar.com/

Lipton, E. (2010). Strict airport screening to remain for citizens of 14 nations; [foreign desk]. New York Times, p. A.3. Retrieved February 16, 2010, from ProQuest database.

MacLeod, J. (2010). Full-body scans ok to save lives, rabbis say. Canadian Jewish News, p. 3, 15. Retrieved March 14, 2010, from ProQuest database.


Review of Home security Systems


Chapter 1

Introduction

Security is one of the major issues in the present world. Robbery, crime and theft are the main causes that make security an issue. A smart security system makes it easy to monitor and detect human presence using different types of sensors such as IR and PIR sensors. Earlier security systems were monitored in person by security guards. The scope of this type of system was reduced due to unprofessional security guards. To overcome this, much research has been done in the area of home security to meet occupants’ convenience and safety. Conventional security systems were introduced which used cameras and burglar alarms. The main drawback of this system was the large power consumption of the cameras, as they continuously record the events happening around them [1]. This system was also costlier. To provide an extra layer of security and to overcome the disadvantages of conventional security systems, automated security systems were introduced. Much research has been done in the field of development and implementation of automated security systems.

An automated security system uses different types of sensors to detect human presence and motion. IR and PIR sensors are the most widely used sensors. The advantages of this system are low cost and ease of detecting an intruder’s presence. A home security system becomes important, especially when we live in a place where there is a possibility of a high crime rate. It is better to have a good security system than to put our lives at risk. The three main components to be considered in installing a home security system are the sensor, the alarm and the control unit. The sensor is the component that monitors the area continuously. Once it detects any movement, it causes the alarm to trigger. The control unit helps the alarm to sound so that any intrusion activity that takes place can be identified.

A home security system can run on mains electricity or on batteries. Installing a battery-operated home security system is easy, but such systems are less effective than those that run on electricity, and they offer less functionality. There are many different types of alarm system. For smaller homes, self-contained home security systems are easy to install, but for large houses or office space, a home security system with separate components gives more efficient security than a self-contained one.

Problem Identification

The main and most important consideration in existing modern homes is the security system. Earlier home security systems were expensive and very difficult to monitor. To overcome the drawbacks of the earlier conventional security systems and to address the security concerns of house owners, efficient and cost-effective security systems were introduced. One of the main problems in the existing security systems is the architecture and implementation cost. Hence this project aims at a security system for homes that introduces three different levels of security and sends a notification via short message service (SMS) in case of any security breach.

Why do we Need Home Security System?

Nowadays, with the emerging trends in the world, criminal activities like theft and robbery have also increased. Homes without security systems are the main targets for thieves. Homes equipped with a well-developed security system have less chance of being robbed. A security system enables our home to be safe at any time. As a security system uses different components, these components will be monitored by the respective security centre. Hence there will be a reduction in crime rates. A home security system is needed to prevent burglaries and home invasions. Installing a security system in a home provides peace of mind that our family is under protection. Alarm systems help to avert home invasions. It is not possible to monitor the home continuously by hand, hence this system gives added protection when the home owners are away. A security system also helps in protecting the home from fire. Early detection of such situations by the monitoring station helps in reducing the damage to the home. Security is needed for the following reasons:

  • To protect the home and family from intruders.
  • To protect the home from fires.
  • To protect valuable things from being stolen.
  • To provide medical assistance in case of any emergency.
  • A secured form of monitoring can be achieved through a wireless signalling device.

Types

There are many different types of security system. Security systems are classified into two major categories, namely conventional and automated security systems. Another classification is into monitored and unmonitored security systems.

Monitored security system

This is one of the most commonly used security systems. In this type of security system, the home is directly connected to a security centre, and this centre monitors the status of the home continuously. The security centre becomes active only when one of the components or monitoring devices in the home is triggered. The system includes an alarm system that alerts a call centre and the nearby police station. In many systems, an alert causes the security centre to make an automatic phone call or send a text message, e-mail etc. to the house owner or to the nearby help-line centre for immediate rescue.

Benefits

  1. The system includes 24/7 monitoring, which ensures that the home is under constant monitoring.
  2. A video surveillance system can also be included to increase the security of the home.
  3. A video surveillance system is most effective in monitoring and detecting intruders and property trespassers.
  4. As cameras are used in this type of system, it can also be used as evidence against an intruder.

Types of monitoring

A monitored home security system uses three different types of monitoring methods:

(a) Monitoring using a land line: This is specially designed for households that have a landline. Because the security system control panel is connected to the phone line, the land line is used as the monitoring device.

(b) Internet/wireless monitoring: This system is used in homes that don’t have a landline. The system makes use of an internet or broadband connection to send an alert signal to the security centre via short message service or e-mail.

(c) Two-way voice monitoring: This is a special type of monitoring device used in monitored security systems. One of the special features of this system is that it allows the person inside the home to communicate directly with the person in the security centre in case of any emergency, for immediate rescue.

Unmonitored security system

This is another classification of home security system, which sets off a siren inside and outside the home. Compared to a monitored home security system, this system is cheaper as it does not include as many components for monitoring. Unmonitored security systems can also use flashing lights. If any intrusion activity takes place in the home, these flashing lights will glow automatically. Due to the high-intensity light emitted from that particular place, the neighbours can come to know that there is an emergency.

Benefits

  • No monitoring fees.
  • As a loud siren is used, it will distract and scare the intruders/burglars.
  • Cheaper, as fewer monitoring components are used.

Disadvantage

  • If the neighbours do not hear the sirens, they can’t report it to the nearby police station.

Overview of the proposed system

An overview of the proposed smart security system for homes is shown in the figure above. The project is aimed at developing a smart security system for homes. The project has been planned to include a three-tier security system, with three different levels of security. The security system is designed and developed to monitor the home using different types of sensors. The proposed system uses sensors such as a fingerprint sensor, an IR sensor and a PIR sensor at different levels and also makes use of an image processing tool in the face recognition process. At the first level of security, a fingerprint sensor is used for authentication to allow the person into the home. When the person/intruder comes to the door, his/her fingerprint is checked. If the fingerprint matches, the person is allowed to proceed to the next level of the security process.

At the second level of security, entry of the person into the home is detected using an IR sensor. This sensor senses certain characteristics of its surroundings by either emitting or detecting the infrared radiation that is emitted by the human body. Hence human presence is detected at this stage. A PIR sensor is a motion detection sensor that detects human motion using the infrared radiation emitted by the human body. As a person passes in front of the sensor, the temperature at that point, which is within the sensor’s field of view, changes. This change in temperature detects the human motion.

Finally, at the third level, an image of the person is captured. Some images of the persons belonging to the home are pre-stored. The captured image is then compared with the pre-stored database; if it does not match, an alert signal is generated. The alert signal includes a buzzer and GSM technology. If the image does not match, the buzzer starts beeping and a short message is sent to the authorised number as an alert signal using GSM technology.

The entire project is designed and developed using components such as a fingerprint sensor, IR sensor, PIR sensor, controller unit, serial port, webcam, buzzer, GSM etc. One of the features of this home security system is that an image processing tool is used in combination with the embedded system to design a three-level smart security system for homes.

Face recognition is used as the third level of security. This method includes face recognition, which is one of the crucial and important procedures in the face recognition method. In this project, the cross-correlation approach is used. This is one of the basic statistical approaches to image registration. Cross-correlation is one of the standard tools for evaluating the similarity between two images. The main reason for selecting the cross-correlation approach in this project is its advantages. The first advantage is that the approach is simple to compute. The second is that the computation of cross-correlation can be achieved using Fourier methods. One more advantage is that the cross-correlation method is independent of scaling and translations in the intensity.
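The comparison step described above, written in its zero-mean normalised form, as an added example that is not code from the project described. It shows why the score is unaffected by intensity scaling and offset, and how a score below the threshold leads to the alert; the function names, the 4x4 sample images and the 0.9 threshold are assumptions constructed for illustration.

```python
"""Zero-mean normalised cross-correlation (ZNCC) as the image-matching step
of a third security level. Names, images and threshold are constructed."""
from math import sqrt


def zncc(a, b):
    """Return the ZNCC score in [-1, 1] for two equally sized grayscale images.

    Images are lists of rows of pixel intensities. Subtracting each image's
    mean cancels an intensity offset, and dividing by the norms cancels an
    intensity gain, so gain * img + offset (gain > 0) scores the same as img.
    """
    if len(a) != len(b) or any(len(ra) != len(rb) for ra, rb in zip(a, b)):
        raise ValueError("images must have identical dimensions")
    fa = [p for row in a for p in row]
    fb = [p for row in b for p in row]
    if not fa:
        raise ValueError("images must not be empty")
    mean_a = sum(fa) / len(fa)
    mean_b = sum(fb) / len(fb)
    da = [p - mean_a for p in fa]
    db = [p - mean_b for p in fb]
    norm_a = sqrt(sum(x * x for x in da))
    norm_b = sqrt(sum(x * x for x in db))
    if norm_a == 0 or norm_b == 0:
        # A flat image (for example a covered lens) has no structure to
        # correlate; treat it as "no match" instead of dividing by zero.
        return 0.0
    return sum(x * y for x, y in zip(da, db)) / (norm_a * norm_b)


def match_resident(captured, enrolled, threshold=0.9):
    """Compare a captured image against every pre-stored image.

    Returns (name, score) for the best match. name is None when the best
    score is below the threshold, which is the case that raises the alert.
    """
    best_name, best_score = None, -1.0
    for name, template in enrolled.items():
        score = zncc(captured, template)
        if score > best_score:
            best_name, best_score = name, score
    if best_score < threshold:
        return None, best_score
    return best_name, best_score


# Constructed 4x4 "images" standing in for pre-stored resident photos.
ENROLLED = {
    "resident_a": [[10, 10, 200, 200],
                   [10, 10, 200, 200],
                   [200, 200, 10, 10],
                   [200, 200, 10, 10]],
    "resident_b": [[10, 50, 90, 130],
                   [50, 90, 130, 170],
                   [90, 130, 170, 210],
                   [130, 170, 210, 250]],
}

# resident_a captured in dimmer light: every pixel is 0.5 * p + 20.
DIMMED_A = [[0.5 * p + 20 for p in row] for row in ENROLLED["resident_a"]]

# A pattern that matches neither pre-stored image.
STRANGER = [[200, 10, 200, 10],
            [10, 200, 10, 200],
            [200, 10, 200, 10],
            [10, 200, 10, 200]]

# A uniform frame, as produced by a covered camera.
FLAT = [[128] * 4 for _ in range(4)]

if __name__ == "__main__":
    for label, image in (("dimmed A", DIMMED_A), ("stranger", STRANGER), ("flat", FLAT)):
        name, score = match_resident(image, ENROLLED)
        action = "allow" if name else "buzzer + SMS alert"
        print(f"{label:9s} best={name} score={score:.3f} -> {action}")
```

Raw-pixel correlation assumes the captured face is aligned with the stored image, and a high score alone does not distinguish a live person from a photograph of one.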

Advantages

The advantages of place security system are:

  • Detects crimes and protects possessions from theft.
  • As the system includes three different levels of security, there will be less chance of theft, as an alarm sound will be generated that alerts the neighbours.
  • There will be an increase in the home’s resale value when it is sold.


Health Safety and Security In Health and Social Care


Describe how key legislation in relation to health, safety and security influences health and social care delivery.

Health and social care settings are covered by specific legislation and laws from the government to ensure the care setting is operating in the optimum way. One such act is the Health and Safety at Work Act (1974). This act applies to all workplaces, and it pulled all the laws together so that all organisations were covered by the same legislation. However, there are other regulations that apply to specific areas of work. One of these is the Food Safety Act 1990. This act ensures that all food complies with the Food Safety Act and its definition, which includes drinks and chewing gum. There are four major offences in this act.

  • Making food dangerous to health deliberately or accidentally (adding things to food)
  • Selling food that does not comply with the food safety requirements, being unfit for human consumption.
  • Selling food that is not of the nature or quality required by the consumer.
  • Falsely describing, labelling or advertising food and food products.

Safety (General Food Hygiene) Regulations 1995

This act ensures all food is handled correctly: the area where food is prepared must be clean, hands must be washed, hair should be covered, and separate work areas should be used to prevent cross contamination of cooked and raw food. Following this regulation is especially important in health and social care settings as service users may be vulnerable.

Reporting of Injuries, Diseases and Dangerous Occurrences Regulations (RIDDOR) 1995

The RIDDOR regulation applies to all places of work, but not all work incidents need to be reported.

Incidents that need to be reported are ones that happened because of the work the people were doing. To be serious enough to be reported under RIDDOR an accident would have to result in an employee:

  • dying
  • suffering injuries resulting in 3 days or more off from work
  • suffering from major injuries like fractured bones (these exclude fractures to the fingers, thumbs or toes), amputation of limbs and dislocation.

Control of Substances Hazardous to Health Regulation (COSHH) 2002

This legislation was introduced in 2002 and covers the use and storage of chemicals.

All health and social care services have to ensure that their working environment is safe and cannot harm the service users or care professionals. An example of a hazard would be cleaning products like bleach being left within the reach of children at a nursery.

Manual Handling Operations Regulations 1992

This act promotes safer moving and handling and appropriate use of equipment, for example using lifts to help service users in and out of the bath instead of trying to lift a service user by hand.

This is an important act in health and social care because it prevents injuries to service users or care employees.

Data Protection Act 1998

This act protects individual’s rights to their personal data being stored. This act covers the processing, gathering, storing and sharing of an individual’s data. This is important in health and social care settings as service users information is used daily. When sharing an individual’s personal data consent to the sharing of their data is needed.

Management of Health and Safety at Work Regulations 1999

This regulation requires employers to carry out regular risk assessments, look at changes and then re-assess the risks as necessary. This is important in health and social care settings as care organisations have a duty to minimise risks to their service users.

Describe how policies and procedures promote health, safety and security in a health and social care workplace.

Whilst on work experience at Jubilee children centre I was informed of a number of different policies and procedures.

I was shown where the first aid box was and shown a book that I would have to write in if I injured myself; this comes under RIDDOR. The nursery officer told me that all the staff were qualified first aiders. Names of staff and children were registered in the morning as a safety precaution and also as a fire procedure. This is to ensure that all people present in the nursery can be accounted for in the event of a fire. A safety gate to the nursery had to be closed at all times and


Social Security Coverage- Tanzania


Indexation of benefits

It is an adjustment of pensions and other cash benefits to take account of price movements and protection against inflation to the beneficiaries.

Indexes may include prevailing statutory minimum wages, yearly average earnings of the contributors etc.

Portability of Benefits

This is a system which ensures that a member’s accrued benefits are not lost when the member changes employer, changes employment from one sector to another or migrates from one country to another. The system ensures continuity of accrued benefit rights.

Means-tested Basis

It is the basis of provision and adjustment of social assistance benefits by the government depending on a person’s means of living.

The groups of people most often considered for the provision of social assistance benefits by means-testing include the elderly, the sick, invalids (disabled), survivors and the unemployed. Normally these groups of people fall out of contributory schemes. In other words, assistance is provided to citizens according to their inability to meet basic needs for survival, or to defend themselves against natural calamities.

Three-Tier System

According to the ILO framework, the Three-Tier system is an arrangement/system designed to cater for different needs of protection for different categories of people depending on their level of income.

Tier one, which is financed by the government, caters for those who are not able to purchase social security services, e.g. sick, disabled, elderly etc. Tier two caters for those who can contribute and is compulsory and supervised by the government. Tier three caters for those who can afford to supplement their Tier two security by purchasing commercial insurance benefits. Tier three is voluntary and privately managed. The Three-Tier system is designed to reduce government expenditure on social assistance/security programs through expansion of coverage of Tier Two and Three.

Actuarial Valuation: It is the process which involves assessing the current level of funding of the scheme by comparing scheme assets with liabilities accrued to the date of valuation, and determining the level of contributions that need to be paid in future to achieve the level of funding necessary to pay out the benefits promised. Actuarial reviews are conducted in intermediate periods to ensure that the fund is sustainable, and this is reflected in projections over a long time frame of 25 years.

Social Insurance Principles

This is a social security administration where the resources are pooled together for meeting various contingencies; everyone is included regardless of their level of risk exposure, and the motive is social protection as opposed to profit maximization.

Defined Contribution vs Defined Benefits

Defined contribution is a situation where the benefits from a social security scheme are not known, but depend on the contributions to be made and the interest rates obtainable.

Defined benefits is a situation where the benefits to be obtained are known well in advance regardless of the contributions to be made, provided that the member meets prescribed minimum conditions. Defined contributions are associated with provident fund schemes, while defined benefits are associated with social insurance schemes.

Foreword

The socio-economic and political changes, which are taking place in Tanzania, have prompted the formulation of the National Social Security Policy in order to address such changes for the benefit of its citizens and to ensure that sectoral programmes and activities are well coordinated.

The formulation of the National Social Security Policy came at a time when Social Security Providers are reorganizing their activities to respond to the market demand as related to free market economy. Since independence to-date, some few institutions have been enjoying monopolistic status of providing social security services in the country. However under this policy social security sector will be liberalized. The National Social Security policy is a product of a series of consultations with stakeholders which started in year 2001. The policy was adopted by the government early in year 2003.

The aim of this policy is to realize the goals and objectives set out in the vision 2025 by extending social security services to the majority of the Tanzanians. The structure of the Policy document provides background information of social security, status and challenges of the sector in Tanzania, and the rationale for its formulation. There are also chapters that provide policy issues and statements, institutional framework and responsibilities during its implementation. With great pleasure I would like to welcome the social security policy for the development of our country.

Introduction

Background

Every human being is vulnerable to risks and uncertainties with respect to income as a means of life sustenance. To contain these risks, everyone needs some form of social security guaranteed by the family, community and the society as a whole. Such socioeconomic risks and uncertainties in human life form the basis for the need of social security. Social security is rooted in the need for solidarity and risk pooling by the society given that no individual can guarantee his or her own security.

Formal social security system in Africa and other developing countries is a product of colonialism. In Tanzania during the colonial era, social security coverage was extended to the few people who were in the colonial employment. Most of the people were excluded from any type of public social security scheme. The majority of the Tanzanian people depended upon the traditional social security system for their protection, which is still the case to date, though effects of urbanization and difficult economic environment have weakened the same.

After independence, the Government of Tanzania introduced a series of policies and measures to reverse the situation that prevailed during the colonial era. The measures included access to free education and healthcare, provision of social welfare services to marginalized groups such as the elderly, people with disabilities and children in difficult circumstances, as well as establishment of statutory social security schemes.

However, tax financed social services have proved to be unsustainable as evidenced by introduction of cost sharing in sectors such as education and health.

The Concept of Social Security

Social security means any kind of collective measures or activities designed to ensure that members of society meet their basic needs and are protected from the contingencies to enable them maintain a standard of living consistent with social norms.

The social security concept has been changing with time from the traditional ways of security to modern ones. As societies became more industrialized as a result of industrial revolution in the 19th century and more people became dependent upon wage employment, it was no longer possible to rely upon the traditional system of social security. The negative impact of industrialization and urbanization attracted the attention of policy makers to formalize social security system that addressed the emerged social issues.

Social security is defined in its broadest meaning by the International Labour Organization (ILO) as: “The protection measures which society provides for its members, through a series of public measures against economic and social distress that would otherwise be caused by the stoppages or substantial reduction of earnings resulting from sickness, maternity, employment injury, unemployment, disability, old age, death, the provision of medical care subsidies for families with children.” The ILO framework of social security is based on a three-tier structure, which seeks to utilize various funding sources for provision of better protection to the country’s population. This structure also seeks to address needs of different groups in the society with respect to income and degree of vulnerability. The structure consists of the following:

  1. Tier One – Social Assistance Schemes: This constitutes provision of services such as primary health, primary education, water, food security and other services on a means-tested basis. These services are usually financed by the government and Non Governmental Organisations (NGOs).
  2. Tier Two – Mandatory Schemes: These are usually compulsory and contributory schemes financed by both employer and employee during the working life for terminal and short-term benefits.
  3. Tier Three – Voluntary or Supplementary Schemes: The schemes under this tier include personal savings, co-operative and credit societies, occupational pensions schemes and private schemes, managed by employers, professional bodies, community-based organizations and other private sector actors.

Situational analysis of social security system in Tanzania

Objectives of the Social Security Services

Social security in Tanzania covers a wider variety of public and private measures meant to provide benefits in the event of the individual’s earning power permanently ceasing, being interrupted, never developing, being unable to avoid poverty, or being exercised only at an acceptable social cost. The major domains of social security are: poverty prevention, poverty alleviation, social compensation and income distribution.

Many issues relating to social security are sensitive, as they touch on the material interests of organized workers and the unorganized poor as well as insurance industry and employer organizations. The social security system in Tanzania has the following key elements:

  • Social assistance schemes which are non-contributory and income-tested, and provided by the state to groups such as people with disabilities, elderly people and unsupported parents and children who are unable to provide for their own minimum needs. In Tanzania social assistance also covers social relief, which is a short term measure to tide people over a particular individual or community crisis;
  • Mandatory schemes, where people contribute through the employers to pension or provident funds; employers also contribute to these funds;
  • Private savings, where people voluntarily save for retirement, working capital and insure themselves against events such as disability and loss of income and meet other social needs.

Despite the existence of this framework, service delivery has not reached the majority of Tanzanians due to inadequate financing and fragmented institutional arrangements.

The estimated total population of Tanzania is 33.5 million. Out of this, 70 per cent are in the rural areas, while the rest are in urban areas. The total labour force of Tanzania is estimated at 16 million, where 5.4% of the total labour force or 2.7% of the total population is covered by the mandatory formal social security system. 93 per cent of the capable workforce is engaged in the informal sector in both rural and urban areas; out of that, 80 per cent is engaged in the agrarian economy.

Informal Social Security System

Tanzania, like many other countries in the developing world has had strong informal and traditional social security systems built on family and/or community support.

In times of contingencies such as famine, diseases, and old age, individuals have depended on family, clan members and members of the community for assistance in the form of cash or in kind. While it is recognized that over time, traditional social security system has tended to decay and change forms in response to the forces of urbanization and industrialization, there is evidence that in Tanzania family and community social support systems have remained as means of social security within different social groups. Over time, socio-economic reforms have slowly resulted in disintegration of the family-based social security protection, leading to the formation of self-help groupings such as UPATU, UMASIDA and VIBINDO.

Footnotes: National Bureau of Statistics, 2001; National Labourforce Survey, 1999.

Formal Social Security System

Formal social security is a regulated mechanism of protecting citizens against social contingencies.

This system has existed in Tanzania well before independence; whereby various policy statements have been made and Acts passed in regard to the protection of the population against contingencies like injury, loss of employment and old age. These include the Master and Native Ordinance Cap 78 as amended by Cap. 371, Provident Fund (Government Employees) Ordinance Cap 51, Provident Fund (Local Authorities) Ordinance Cap. 53 and the Workmen’s Compensation Ordinance Cap 262. After independence new legislations were enacted and others amended.

These include the Severance Allowance Act No. 57 of 1962; the National Provident Fund Act No. 36 of 1964 amended by Act No. 2 of 1975, which was later repealed and replaced by the National Social Security Fund Act No. 28 of 1997; the Parastatal Pensions Act No. 14 of 1978; the Public Service Retirement Benefits Act of 1999; the National Health Insurance Fund Act No. 8 of 1999; and Local Authorities Provident Fund Act No. 6 of 2000. Currently, there are five major formal institutions that provide social security protection in Tanzania.

These are the National Social Security Fund (NSSF), offering social security coverage to employees of private sector and non-pensionable parastatal and government employees; the Public Service Pension Fund (PSPF), providing social security protection to employees of central Government under pensionable terms; the Parastatal Pension Fund (PPF), offering social security coverage to employees of both private and parastatal organizations; the Local Authorities Provident Fund (LAPF), offering social security coverage to employees of the Local Government; and the National Health Insurance Fund (NHIF), offering health insurance coverage to pensionable employees of central government.

The formal social security total coverage in Tanzania is about 871,000 members distributed as 363,000 for NSSF, 193,000 for PSPF, 180,000 for NHIF, 90,000 for PPF and 45,000 for LAPF. This represents about 85% of the persons employed in the formal employment sector.

The Impact of Social Security System in Tanzania

Efforts by the government to provide social security protection in the country have brought about significant development. However, due to the absence of an elaborate social security policy to guide effective functioning of the industry, there are some structural, operational and policy weaknesses inherent in the social security system.

Achievements

  1. Investment of Social Security Funds: Social security institutions in Tanzania have been investing in portfolios such as commercial loans, real estate, government securities, loanable funds, bank deposits and equities, all of which have contributed to social and macro-economic development of the country.
  2. Awareness on Social Security Matters: There has been an increase in the level of public awareness on the social security system in respect of benefits offered, coverage, investments and general operations of the sector.
  3. Organized Self-help Groups: Informal social security scheme in the form of self-help groups has been more organized than before.

Shortcomings in the Current Social Security System

The existing social security system in Tanzania is characterised by a number of shortcomings, which need to be addressed by this policy.

Among these shortcomings are:

  1. Limited Coverage: Persons covered by the social security schemes are those who are employed in the formal sector, estimated at 1.0 million. This is only about 5.4% of the whole labour force of over 16 million Tanzanians. This means the remaining 15 million labour force, engaged in informal sector and comparatively more vulnerable, are not covered by the formal social security protection.
  2. Inadequacy of Benefits Paid (Number and Meaningfulness): The benefits offered by most of the existing schemes fall below the ILO Minimum Standards in terms of number, quality and indexation to the current levels of earnings.
  3. Fragmentation and Lack of Co-ordination: The social security sector lacks co-ordination at national level, as each Fund reports to a different Ministry with differing operational rules and procedures. As a result, contribution rates, benefit structures, qualifying conditions as well as plans and priorities differ from one institution to another.
  4. Lack of Mechanism for Portability of Benefit Rights: There is no established mechanism that can allow benefit rights of a member to be transferred from one scheme to another. This results in employees losing some of their benefit rights when they move from one sector to another.
  5. Social Security Benefits: In some of Tanzania’s social security schemes, members’ benefits are not rights but privileges. Normally, members lose some of their benefits if they leave employment before attainment of their pensionable ages. In other circumstances, members’ benefit rights are determined by the employers depending on the nature of termination.
  6. Conflicts in the Existing Legislations: Establishing legislations of the current social security institutions have provisions that conflict in terms of operations.
  7. Non-contributory Social Security Benefits: Currently, there is a segment of salaried workers who are getting social security benefits fully financed through tax revenues; this is a strain to the Government budget.
  8. Liberalization: There has been a monopoly in the operation of social security institutions in the country.
  9. Investment of Social Security Funds: There has been inadequate guidance on investment of social security funds at national level.

Challenges In The Social Security System

Weakening of Informal Social Protection System

Socio-economic developments taking place in Tanzania have resulted in a slow but steady disintegration of the kinship or family-based social support systems on which the majority of Tanzanians have depended for protection against contingencies. Economic hardships have made it difficult for individuals, families and/or kin members to provide assistance to each other in time of crisis and need. The high rate of urbanisation has also taken its toll on traditional social protection systems.

There has been increasing fragmentation with families becoming more dispersed thereby eroding the capacity of extended families to function as social safety nets.

Limited Growth of the Formal Employment

Public sector reforms have resulted in retrenchment of workers, freezing employment in the public sector and privatisation of public enterprises. These have led to increased unemployment, which in turn has forced more people to resort to employment in the urban informal sector where earnings are often inadequate and/or uncertain. There is however a limited growth in employment in the private sector.

Reduced Access to Social Services

Despite the deliberate measures by the government to improve provision of social services to the public, a considerable part of the population has either limited or no access to services. In some instances, cost sharing in the provision of social services has reduced the capacity of the people to access the services.

Low Levels of Income

Incomes for the majority of the people in Tanzania are generally inadequate to meet their basic requirements and save for future use.

Declaration of Low Insurable Earnings

Some employers provide remunerations composed of basic salaries and allowances, while deductions for social security are based on basic salaries only, leading to lower benefits from social security institutions upon retirement.

Rationale for a social security policy

The existing social security system has many shortcomings that include low coverage of the Tanzanian Society, fragmentation of legislation, lack of regulatory framework, lack of a mechanism for portability of benefits and inadequacy of benefits provided. Therefore, the need for a well-articulated national social security policy is more eminent now than ever. In view of the foregoing, there is a need for having a comprehensive national social security policy that shall address the needs of employed people in the formal sector, self employed population in the informal sector, the elderly, people with disabilities and children in need of special protection.

Therefore the social security policy is expected to:

  • Widen the scope and coverage of social security services to all the citizens;
  • Harmonize social security schemes in the country so as to eliminate fragmentation and rationalize contribution rates and benefit structures;
  • Reduce poverty through improved quality and quantity of benefits offered;
  • Institute a mechanism for good governance and sustainability of social security institutions through establishment of a regulatory body;
  • Establish a social security structure that is consistent with the ILO standards but with due regard to the socio-economic situation in the country; and
  • Ensure more transparency and involvement of social partners in the decision making with respect to social security institutions.

Policy issues and statements

The general objective of the policy is to ensure that every citizen is protected against economic and social distress resulting from substantial loss in income due to various contingencies. Underlying the above–mentioned general objective, this policy shall therefore address the following specific issues:

Policy Issue: The Structure of Social Security Sector

Different social groups face different contingencies, hence calling for varied types of protection. Provision of comprehensive social security services should follow a structure that recognises different levels of needs, utilises different funding sources and reflects roles of various stakeholders.

Policy Statement

Provision of social security services in the country shall be structured as follows

Social Assistance Programmes

The Government shall enhance the capacity to attend to the social assistance programmes that constitute services such as primary health; primary education, water, food security and social welfare services to vulnerable groups such as people with disabilities, the elderly and children in difficult circumstances on a means tested basis. Moreover, the government shall create an enabling environment for other institutions such as Non Governmental Organisations (NGOs), charitable organisations, families and mutual assistance groups to supplement the government’s effort in the provision of such services.

Mandatory Schemes

Mandatory social security institutions shall operate under the social insurance principles in accordance with minimum acceptable standards and benchmarks.

Supplementary Schemes

Supplementary schemes shall be established to cater for different social services like health, pensions and other types of insurance over and above those provided by mandatory and social assistance programmes. These schemes shall be run by employers, private companies, professional bodies and community-based organisations (CBOs).

Policy Issue: Coverage

The existing mandatory social security schemes currently cover only 5.4% of the labour force, estimated at 16.0 million.

The larger part of the labour force engaged in the informal sector that includes smallholder agriculture, small-scale mining, fishing, and petty businesses are inadequately covered by self-help initiatives. Moreover, accessibility to the social welfare services by the disadvantaged groups is limited; hence the majority of the people are not covered by the formal social security schemes.

Policy Statements

  1. Social Welfare Service shall be improved and extended to enhance accessibility to disadvantaged groups including people with disabilities, the elderly and children in difficult circumstances.
  2. A legal framework shall provide for all employees in the formal sector and devise means of extending coverage to the informal sector such as agricultural, mining, fishing and small businesses.
  3. There shall be an act to support the formation of mutual assistance initiatives by the NGOs, CBOs and other groups operating at community level.
  4. Employers, financial institutions, professional associations, insurance companies, social security institutions and other organisations shall be enabled to establish supplementary schemes to provide social security benefits over and above those provided by mandatory and social assistance programmes.

Policy Issue: Social Security as a Right

According to Article 22 of the Universal Declaration of Human Rights of 10th December 1948, social protection is a rights issue.

Likewise, Article 11(1) of the Constitution of the United Republic of Tanzania stipulates that: “The state authority shall make appropriate provisions for the realisation of a person’s right to work, to self education and social welfare at times of old age, sickness or disability and in other cases of incapacity…” [3] In view of such provision there is still inadequate coverage of social security services to the Tanzanian Society. Policy Statement: Efforts shall be made to enhance awareness and sensitisation of the society regarding the importance and provision of social security services as a right.

[3] United Republic of Tanzania (1998), “The Constitution of the United Republic of Tanzania of 1977”.

Policy Issue: Inadequacy of Benefits offered

The number and quality of benefits offered by most of the existing social security funds are not adequate to meet the basic needs of beneficiaries; in terms of the number of benefits, magnitude and indexation to the current levels of earnings. Policy Statement: Social security schemes shall have a standard minimum number of benefits offered and indexed to the current levels of earnings of contributors.

Policy Issue: Portability of Social Security Benefits

Benefit rights are not portable when a member moves from one scheme to another due to differing legislations, operational rules and procedures. As a result, members lose some of their benefit rights just by moving from one scheme to another. Policy Statement: There shall be regulated mechanisms established to enable portability of benefit rights when a member moves from one scheme to another.

Policy Issue: Lack of Co-ordination

The current social security institutions are placed under different Ministries with different rules and procedures; as a result, there is a conflict in the administration of social security matters. Policy Statement: The social security sector shall be coordinated by the Ministry responsible for social security matters.

Policy Issue: Reciprocal Agreements for Transfer of Benefits

Labour mobility across nations has become a common phenomenon due to globalisation and foreign investment, thereby requiring people to work and live in different countries and hence find themselves contributing to various social security institutions.

Lack of a mechanism for transfer of benefit rights across nations may result in some members losing their rights or being unable to qualify for better benefits. Policy Statement: Legal mechanisms shall be developed to provide for reciprocal agreements with other countries for transfer of social security benefits across nations.

Policy Issue: Partial Withdrawal of Benefits

Social security schemes do not provide for premature withdrawals of benefits by members before attainment of the pensionable age. However, due to unstable employment environment, low level of income of most of the workers and little awareness on social security matters, members have a tendency of demanding total withdrawal of benefits upon termination of employment before the attainment of pensionable age.

  • Policy Statement: Legal mechanisms shall be developed to allow for withdrawal of part of the accumulated benefits; while the balance shall remain for long-term benefits on premature termination of their employment.

Policy Issue: Financing of Social Security Services

The Government has the responsibility of providing social security services to its citizens. However, due to limited resources the Government still provides limited services for salaried employees and individuals who can afford to contribute for the services.

Policy Statements

  1. Services under Social Assistance Programs shall be offered on a means-tested basis and financed by the general tax revenue and other grants.
  2. Mechanisms shall be established to ensure that all salaried employees and individuals, who can afford to contribute to the mandatory schemes, do so to ensure enhancement of benefits.

Policy Issue: Guaranteeing of Mandatory Schemes

The Government has the responsibility to guarantee members’ benefits in the event the established mandatory social security schemes become insolvent. So far there is no concrete commitment by the Government to instil contributors’ confidence in their membership.

Policy Issue: Taxation on Contributions, Investment Income and Benefits

Contributions and income accrued from investment by social security institutions are being taxed thus weakening the capacity of the schemes to offer quality benefit to members. Policy Statement: The government shall continue to review tax policies to ensure contributions, benefits and income from investments to enable mandatory schemes offer meaningful benefits to members.

Policy Issue: Investment of Social Security Funds

Investment of social security funds is an inseparable function of social security institutions. Sustainability of the schemes and improvement of benefits depend on investment income.

Social security funds have often been directed to areas where there is no stimulation of economic growth. There are no clear-cut guidelines directing investments of social security funds at the national level. Policy Statement: Guidelines will be developed based on principles of safety, yield and liquidity.

Policy Issue: Good Governance

Good governance is the key to smooth functioning and efficiency in all social security schemes, as they are entrusted to manage funds on behalf of the contributors. There has been poor governance in social security services. Policy Statement: There shall be guidelines to ensure that all social security schemes are transparent and accountable to the members and the public at large.

Policy Issue: Legal Framework and Minimum Standards

There is fragmentation of social security system in the country with respect to different legislations and design of the schemes. These schemes also lack minimum standards to guide their operations. Policy Statement: There shall be an act to govern and standardize operations of the social security sector. The law shall also provide for the establishment of a regulatory body that shall ensure smooth and efficient operations of the sector.

Policy Issue: Liberalization of the Social Security Sector

The current trend in the country is to liberalize various sectors in the economy. However, the current social sector is based on organization/institution monopoly in its operation.

  • Policy Statements: Social security institutions shall operate in a regulated liberalized market as follows: The existing mandatory social security institutions shall operate and compete among themselves, while Social Security Services under supplementary schemes shall be fully liberalized.

Roles of stakeholders

The different stakeholders shall have the following roles to play in the social security sector:

The Government

  • Coverage of the social assistance programmes
  • Put an enabling environment for smooth operations of the social security
  • To institute regulatory and legal framework
  • Supervision of the sector
  • Guarantor of mandatory schemes

Social Security Institutions

  • Offering quality benefits and services
  • Good governance of the schemes
  • Involvement of Stakeholders
  • Widen coverage
  • Awareness creation and sensitisation

Employers

  • Registration of employees
  • Timely and accurate remittance of contributions
  • Awareness creation and sensitisation
  • Adherence to safety and occupational health rules

Workers’ unions

  • Representation of workers’ interests in the social security
  • Awareness creation and sensitisation
  • Support the social security industry

NGOs/CBOs

  • Complement efforts by the Government in the provision of social assistance programmes and establishment of supplementary schemes
  • Awareness creation to the public

Communities

  • Responsiveness to the needs of the vulnerable persons
  • Maintain self-help traditions
