1. Best Practice:

   A Risk/Threat/Vulnerability (RTV) assessment is one of the most important elements of a comprehensive safety and security plan/program.

   • Focused on the venue, transportation, food and beverage, lodging and events.
   • Comprehensive assessment of the risk environment, utilizing an all-hazards approach to identify vulnerabilities, adjust strategies and processes and develop contingency/mitigation plans to address risks and vulnerabilities.
   • Identify the hazards with the event’s activities, locations of the activities and perform

    

   Objectives:

   • Pre-planning, anticipate and preparation.
   • Must know and understand the safety and security risks, threats and vulnerabilities of the operating environment of the venue, transportation, lodging, event and attendees in order to address them through mitigation strategies or acceptance of risk.
   • Without the assessment one cannot effectively develop and implement a security and safety plan. Failure to recognize and respond to risk to health, safety and security may be evidence of either negligence or incompetence in event planning.

    

   Implementation:

   Involve event Risk Management and/or security department(s) in this process, if one exists.

   Insurers may provide resources at no, or minimal cost. NCS4 offers a DHS/FEMA-funded Risk Assessment course.
   
   

   Keep all of your prior assessments.

    

   Applicability/Scalability:

   This should occur regardless of the size of venue or type of event.
   
   

   Scalability is not necessarily a function of size or attendance.
   
   

   The same elements are present for both small and large events/facilities. Scaling comes into play during implementation/ mitigation/acceptance.
   
   

   If you have a static event site (one you use over and over) it will just be a matter of updating after your first assessment. However, if your event location changes for each event, it will be more time consuming. As you return, you will only need to review and update.

    

2. Best Practice:

   Create or utilize your risk assessment/crisis management/security team to conduct a Risk/ Threat/Vulnerability Assessment to determine and evaluate vulnerabilities, threats and areas of risk exposure.

    

   Objectives:

   A knowledgeable team to assess and address risks, threats, vulnerability, gaps.

    

   Implementation:

   Conduct an annual overall assessment as applicable and an event specific one before each event, evaluate and accept, mitigate or make changes as necessary.

    

   Applicability/Scalability:

   Make sure you use qualified personnel to conduct the assessments.

    

3. Best Practice:

   Conduct a Risk/Threat Assessment for vulnerabilities for ALL events including a detailed criminal, terrorism, fire, structural, environmental, safety and medical assessment. Take an all-hazards approach. Review the list in the EAP and ensure they include (as applicable):

   • Site(s) assessment and environment
   • Demographics of attendees
   • Number of attendees
   • Resources assessment
   • Environment/weather assessment
   • Historical assessment
   • Equipment assessment
   • Lodging assessment
   • Travel/transportation assessment

    

    

   Objectives:

   • Risks and threats exist, but until identified and ranked for mitigation there is a potential for disaster.
   • In our context, Risk is the possibility of loss resulting from a threat/vulnerability, security or safety incident or event.
   • Security, safety and health Risk Management is a systematic and analytical process that considers the likelihood that a threat will endanger an asset, individual or function.
   • Risk = Consequences x Probability

    

   Implementation:

   Break down assessments into three components:

   • STATIC – these generally remain fixed with small variations over time, such as: venue, event, sur- rounding area, attendee type, etc.
   • JOINT – this involves working with government organizations, com- munity organizations, utility companies, transportation providers and surrounding neighbors
   • DYNAMIC – this involves things that can change quickly, such as adverse weather, demonstrations,
   • criminal acts or terrorist acts, etc.
     
     

   Local DHS Protective Security Advisor (PSA) can assist.

   Applicability/Scalability:

   Consider risks/threats as high or low RISK compared to high or low FREQUENCY - compared to high or low IMPACT.

    

   Eight common categories of risk to consider:

   • Historical - what types of incidents have occurred in the community, at the venue, and other similar events in the area
   • Geographic - what could happen as a result of the event’s location
   • Technological - what could result from a process, system, or equipment failure
   • Human Error - what
   • can be caused by a staff error; have they been trained; do they know what to do; and have they been tested on training objectives
   • Physical - what can result from design/construction of the venue, utilities, tents, fencing, seating, rigging or staging
   • Regulatory – what regulatory issues are there (i.e., laws, ordinances, OSHA, NFPA)
   • Environmental – what can result from climate/ weather issues (heat, cold, wind, ice, tornado, flooding)
   • Business – what can result from bad practices, damage to brand, dissatisfaction of clients/ attendees

    

    

4. Best Practice:

   Typical Risk Management cycle includes:

   • Identify the threats/vulnerabilities
   • Establish what are the vulnerabilities to address
   • Identify measures to mitigate, reduce or accept the risk/vulnerabilities
   • Develop response plans to address risks/threats not mitigated or accepted
   • Evaluate security/safety measures and exercise mitigation plans

    

    

   Objectives:

   Completeness

    

   Implementation:

   Larger events will be more complex and some smaller events as well, depending on attendee type.

   Applicability/Scalability:

   Applicable all size events.

    

    

5. Best Practice:

   Once risks/threats/vulnerabilities are identified and understood, develop a corrective or mitigation plan to address those considered unacceptable or of concern/needing attention.

   • Identify external resources needed for mitigation and/or response
   • Coordinate with local community partners and public safety agencies

    

   Objectives:

   Deal with risks, threats and vulnerabilities.

    

   Implementation:

   This will be part of the basis for the Emergency Action Plan (EAP).

    

   There are many governmental and private sector resources available to assist.

   Applicability/Scalability:

   This will help you identify the level of scaling required based upon the assessment and need for mitigation or acceptance.

    

    

6. Best Practice:

   Conduct event management meetings prior to each event with sufficient lead time to address Risk Management issues and address mitigation where required

    

   Objectives:

   Planning and preparation is a year-round function.

    

   Implementation:

   Events at different venues occur year-round, so these meetings should occur for each event. As necessary, schedule weekly or at intervals appropriate for scale of events

   Applicability/Scalability:

   Based upon size, complexity, attendees and RTV assessment will determine depth and frequency of meetings.

    

    

    

    

7. Best Practice:

For repeat events at the same venue, update and disseminate, as required, to key leaders and appropriate components/ partners.

The same is true for transportation modes used.

       Objectives:

Currency and awareness.

       Implementation:

Use the last assessment as a starting point to update and build upon.

Applicability/Scalability:

Do not just assume the results of the last assessment.

1. Best Practice:

In all likelihood, information management systems will fall under one or more of the following:

• Venue Administration
• Event Administration
• IT Department or CIO
• Marketing Department
• Facilities Department
• Legal
• Risk and Compliance Team
• App/Tech/Preferred Providers
• Insurance
• Security Teams

Objectives:

• Meeting and event organizers frequently are not the business owners responsible for technology systems; however, they may be the owners of the information exchanged during event registration and execution.
• That is why it is essential to communicate and collaborate with the people managing information systems/applications to ensure security needs are met.

Implementation:

Having a designated person responsible/incharge for this is the best approach.

Each country has different rules for how data may be collected, what must be disclosed about its use, what it can be used for and when records need to be purged.

Work with information management owners to ensure each event is in compliance with data use regulations governing event attendees.

Applicability/Scalability:

Depending on the size of the event, data may determine whether or not professional support may be required.

No matter the size of the organization, collaborating and partnering almost always results in a better outcome.

2. Best Practice:

Types of information management systems used vary by event. Some examples include:

• Event registration for live or virtual events
• Association management systems
• Security cameras
• Metal detectors and magnetometers
• Augmented Reality and Virtual Reality platforms
• Voice-activated AI-technology
• Dropbox and other cloudbased platforms
• USB keys
• Texting platforms
• Marketing databases and email lists
• Surveys/polls and audience response systems
• Website cookies
• Social media channels and paid social
• Website retargeting campaigns
• Hotel reservation systems and loyalty programs
• Hotel rooming lists
• Strategic meetings management software
• Speaker management databases
• Event apps
• Text
• Location-based technology and trackers (GPS, Beacons, NFID/RFD)
• Badge scanners
• Lead retrieval devices
• Digital networking tools
• Appointment-setting software
• WiFi and other internet connections onsite
• Office or event-specific intranets
• Email servers
• Travel and expense management systems
• Master account billing
• Content capture and live-streaming technology
• Audiovisual and event production systems
• Access control/badging systems
• Customer Relationship Management software
• Airline or transportation manifest
• Vendor/exhibition management tools

Objectives:

Identify all the ways in which data is collected, stored or exchanged before, during or after the event.

Implementation:

Creating a list of all the ways information is collected, managed, communicated or analyzed helps identify potential vulnerabilities as well as cross-departmental dependencies.

Applicability/Scalability:

Some data collection and management systems may be managed by internal teams other than the meetings department. Others may be contracted to a third party.

The larger the event organizing/production organization, the more likely it is that the meetings/event team will be supported by internal business units. In smaller companies or for smaller meetings/events, the meeting/event organizer may have more direct control over information management systems.

3. Best Practice:

Identify who owns the information policies and content related to and generated by the employed technology system(s):

• Control and use of the system
• Controls and views content and reports
• Grants permissions and releases information
• Guarantees compliance with industry standards
• Ensures compliance with privacy and data use policies in relevant jurisdictions

Objectives:

• Accountability and accessibility Users (event organizers/venue operations) frequently are not the owners responsible for technology systems; however, they may be the owners of the information.
• Without control, it is essential to communicate and collaborate to ensure needs are met.

Implementation:

Event and/or venue may have a Chief Information Officer who is in charge. Determine venue/event needs and whether or not the existing systems meet these needs.

If not, define requirements and identify who can fulfill these needs.

Applicability/Scalability:

Event organizers should be able to tell participants what data is being collected, why it is needed, what it will be used for and how it will be protected.

Transparency is key to building trust, whether it is between buyers and suppliers or event organizers and participants.

4. Best Practice:

Confirm the reliability of the systems and the integrity of the data collected on an annual basis, along with the availability of the information through either automated diagnostics or manual testing.

Objectives:

Unreliable and unavailable data is worthless. Regulations change. Equipment and systems degrade over time and should be tested regularly.

Implementation:

Take ownership with what is under event/venue control and partner with others over what fall outside event/venue control.

Test IT prior to each event to include video cameras and recording capabilities.

5. Best Practice:

Consider using Command Center/event/incident/operations information management software.

• Web-based, accessible anywhere
• Central digital repository
• Mobile device accessibility
• Analytical tools

Objectives:

Keeps all entities current with the same information and serves as an official record for litigation and after-action.

Implementation:

There are various Information Management Systems on the market that contain modules to enter/maintain/recall reports for use and transmission to public safety units.

Applicability/Scalability:

When possible co-locate event operation centers and staff with local first responders, event security teams and law enforcement. If an incident occurs, relay information to the proper party so it may be resolved.

6. Best Practice:

Make sure all automated systems have redundancy and off-site backup capabilities.

Objectives:

Redundancy is often the only recovery capability.

Implementation:

Off-site backup is a must in case something happens to the primary system or location or its power source.

Applicability/Scalability:

Where is data stored? What happens if the power goes off or a cell tower goes down? If there are physical backups, what steps will be taken to prevent theft? If cloud-based, what kinds of firewalls are in place to deflect bad actors, like hackers? If the system is disrupted in any way, how long will it take to get it back online? What kind of gap will that create? What information do you need to have in physical form at the event if that happens or switch to the back-up system?

7. Best Practice:

Consider using a Geographic Information System (GIS).

• Mapping capabilities using geospatial information and live feeds for situation maps, briefing maps and interactive mapping that can track participants in real-time

Objectives:

For visual situational awareness and managing people movement.

Implementation:

This can accommodate NFC/RFID feeds tied to badges, mobile devices and event apps.

Applicability/Scalability:

Tied to an event app, GIS information can be used to send push notifications to move attendees away from crowded areas to less-trafficked exhibitors or sessions. It also may be used as an emergency communication system to alert affected attendees away from incidents or towards exits, or to convey other emergency-related information.

8. Best Practice:

Access control, patron monitoring systems/software used for data collection and analysis, such as electronic ticketing, RFID, apps, etc., should be protected from unlawful access and use.

Objectives:

To ensure the security of the data collected from event participants or others.

Implementation:

Where is the data being stored and who has access should be addressed. Understand how data should be encrypted and what security is in place to prevent access points from being compromised.

Applicability/Scalability:

Before signing contracts with vendors, become familiar with data collection and use policies and how data will be disposed of post-event. Understand how data is encrypted and protected.

9. Best Practice:

Travel Meeting Management software must have clear security controls as most contain Personally Identifiable Information (PII) and credit card info.

Objectives:

Prevent theft of patrons, personal and financial data.

Implementation:

Where is the data being stored and who has access should be addressed?

Applicability/Scalability:

Make sure vendors are in compliance with PII regulations. If there is a breech, how soon will you know? How would communicate and handle that? What are your notification responsibilities?

1. Best Practice:

Assemble an internal IT/ Risk Assessment team to conduct security assessment on technology and data-handling procedures before contracting vendors.

Objectives:

Determine what is an acceptable risk, internal ownership for each data collection or technology touchpoint and people internally or externally who will be cleared to access the data collected.

Implementation:

Sample discussion-starting questions:

• Where does the data go?
• Who owns the data?
• What criteria is there for gaining access to the data?
• Where is the historical event data and can we access it?
• What can we agree to on ownership and responsibility?
• How do we protect our patrons and their data?
• What’s an acceptable risk?
• All data should be private?
• When do we want customization?
• What are protocols for remote users?
• Who will be looking at the data we’re collecting?

Applicability/Scalability:

This is relevant to all events using digital data.

2. Best Practice:

Set data-handling and privacy policies for the event and be transparent.

• Allow patrons to opt-in verses opting-out

Objectives:

Transparency about what is being gathered, why it is being gathered and how it will be used is important.

Implementation:

List the policy or links to policy on all forms and websites where data is being collected or behavior is monitored.

If people are being recorded or if their movements are being tracked, signage or releases may be required.

Include data ownership, treatment and use details in vendor contracts.

Applicability/Scalability:

Most IT departments are aware of European GDPR regulations and have standard privacy and data use policies. Work with vendors and other third-party suppliers to ensure compliance.

3. Best Practice:

Set up internet access, devices and apps in ways that increase event security.

• Include security and access information in “know-before-you-go” communications as well as any applicable warnings about connecting to rogue hotspots.
• If possible, set up private networks for event Wi-Fi

Objectives:

Avoid public access (free) Wi-Fi connections to protect data being transmitted via email or through websites.

Implementation:

Don’t use open or public Wi-Fi channels for events. Instead, require networks that are password-protected. Stipulate in the contract the number of SSIDs and bandwidth required for the event. Know that bandwidth needs to support 3-5 devices per person. Include recourse, reparation and rebate language in the contract that protects the organization and spells out what will happen if something goes wrong with the internet.

Partner with the venue and/or its audiovisual team to ensure greater security: Know where their access points (AP) are, what they are and how they can be secured.

Applicability/Scalability:

Whether for personal or professional use, any device that is set to its preset factory password is vulnerable to cyberattack.

Include security and access information in know-before-you-go communications as well as any applicable warnings about connecting to rogue hotspots.

4. Best Practice:

Regularly screen USB charge ports or don’t use them.

Objectives:

Prevent infection of laptops, mobile phones and other devices by avoiding USB ports.

Implementation:

USB ports are easily infected by malware. In public spaces, such as airport lounges and hotel rooms, use the device’s charger plug rather than the USB port.

Disable USB ports on kiosks and laptops if they are not regularly screened.

Require speakers submit presentations weeks in advance to avoid USB key usage onsite.

Or use AV-supplied laptops, and don’t reuse USB keys after files are downloaded.

Applicability/Scalability:

Providers of charging stations and rental laptops should be able to inform how they prevent malware from infecting USB ports and how often they screen devices.

If a presentation management system is out of budget range, files can be shared by cloud-based technologies, or organizers can require speakers to bring their own laptops.

5. Best Practice:

Evaluate what should and should not be posted on event websites, signage and hotel reader boards.

Objectives:

• Protecting the identity of the group, if organizational policies, leaders, participants or speakers may be targeted.
• Protecting the identity of the individual attendees also may prevent cybercrimes such as room block poaching and identity theft.

Implementation:

Consider listing the name of the event rather than the company’s name on transportation signage and hotel reader boards.

If your event website has a “look who’s coming” area, list by companies only. Do not list by individual’s names. Room block poachers use that information to phish attendees. It also allows bad actors to gain access to your event by impersonating someone who’s on your list, or opens attendees up to potential harm if they’re being stalked.

Applicability/Scalability:

Important for all events using electronic information delivery.

Some events, for privacy or security reasons, may opt not to have information listed on the hotel reader boards at all.

6. Best Practice:

Collect emergency contact information when people register, use technology to communicate before and after incidents occur.

• Make cell phone and emergency contact fields mandatory on registration forms
• Explain the data will only be used in case of emergency

Objectives:

Finding information about what to do in case of an emergency should be fast and easy.

Implementation:

Emergency maps, plans and contact numbers should be in a prominent place in the event app.

While people are waiting for the event to begin, AV teams can show videos or slides instructing attendees about emergency procedures.

Push-to-text notifications for different kinds of incidents can be pre-loaded for quick deployment in case of emergency.

Applicability/Scalability:

Applicable to all size events.

Push-to-text notifications are fairly inexpensive but become useless if the mobile network goes down. So finding ways of communicating what people should do before anything happens is the best way to cultivate a safe and aware mindset.

7. Best Practice:

Train employees, attendees and exhibitors to recognize emails phishing for information.

Objectives:

Avoid fraud and theft by educating event stakeholders and participants.

Implementation:

Some phishing emails look like conference communications. Train staff, attendees and exhibitors to avoid emails that deviate from the event’s format, include execution (.exe) files or ask for a password in exchange for downloading a file.

Applicability/Scalability:

In first communication (such as registration confirmation) think about including information about types of communication that will follow.

For example, it will always come from a certain person or outline what instances (if ever) you might require them to enter a password or download a file. Include contact information for whom to alert if they receive a suspicious communication.

8. Best Practice:

Correctly dispose of information and data.

Objectives:

Protect intellectual property and sensitive conference materials.

Implementation:

Bring a shredder onsite. Sweep the conference rooms and dispose of anything left behind.

Know what AV teams will do with rental laptops or presentation management systems after the event ends. Include in contract language expectations for data disposal, treatment and use.

Applicability/Scalability:

Important regardless of event size.

If clean-up falls to venue staff, know what they do with the materials, are they are shredded or how data is disposed.

9. Best Practice:

Use collected data to improve the quality of the event experience.

Objectives:

• Enhance safety and security without compromising the event experience.
• Data collection with a purpose.

Implementation:

Include questions about food allergies and physical impairments on the registration form so those needs may be anticipated and met.

Use data collected via surveys and polls, speaker evaluations and attendee movement information from badge-scanning or other tracking technology to determine where attendees went, what attendees liked and disliked. Use information to determine how to improve subsequent events.

Monitor social media for anecdotal evidence as well as complaints for event issues that need to be addressed.

During the post-con meeting, ask venues about event bandwidth usage. It helps organizers estimate need for budgets and determine usage for future events.

Applicability/Scalability:

In today’s use of technology this is applicable to all events.

Few event organizers share how survey data is used. Telling the story of how an event was improved by listening to feedback can be a powerful way to engage audiences and encourage two-way feedback.

Relying on data also will strengthen the meeting or event professional’s strategic role within the organization.

• Best Practice:

Isolate medical records and other sensitive personal or financial information to a separate encrypted environment.

• Employ two-factor authentication or other extensive password protocols

Objectives:

Block bad actors from accessing sensitive data.

Implementation:

Set different access levels to data based on need-toknow basis.

Anything that needs to be protected should be encrypted.

Applicability/Scalability:

This is applicable regardless of event size.

Consider, block chain, if a practical solution.