Under traditional risk management practices, companies have addressed potential threats to the organization by defining threats as either physical or IT-related. But such classifications often result in stand-alone security solutions without regard to their impact on the organization’s threat profile as a whole.
Some companies have begun to recognize the weakness in that fragmented approach. They are, instead, integrating security across their enterprises. They have found that integrated security creates efficiencies by increasing communication, reducing redundancies, and clearly assigning responsibilities within the enterprise. Here is how one company did it, and some pointers for making convergence happen smoothly at your company.
Our example organization is an international company with more than 10,000 employees. Before it confronted the challenge of integrating all of its security operations, security within the company was disconnected; emergency management and physical security reported to corporate security, while information security and business continuity reported to information technology. As a result of this model, these functions did not have any formal processes for relaying information to one another.
This fragmentation led to problems. For example, when an employee’s laptop computer was stolen from her office, she was not sure which department to notify. The laptop was a physical asset, but because it came from the IT department, she was uncertain whether IT or the security staff should be notified. Ultimately, she informed only the IT department. And no one at IT involved the physical security unit.
Incidents like these highlighted the fact that while there was a clear convergence of the security needs of each department, there was no convergence of the departments’ actions, no holistic view or planning of security across the enterprise, and no one person with end-to-end ownership of the security, business continuity, and emergency management process.
The first step toward changing how incidents were handled was to clearly identify the existing holes in the company’s security system. To that end, physical, IT and other security staff, working with business managers, began to develop an explicit model of how the company’s business processes functioned.
With this current-process model, the team diagrammed how the company managed security and emergency management, and it found that in many cases, specific security concerns were handled individually by each department and were never referred to the physical security department. The model also made it clear that strategic and governance functions could be improved by integrating like processes.
This current-process model told them where they were. It did not, however, tell them where they wanted to be.
In the next step, a team was assembled to recommend a future-process model. The team included subject matter experts in physical and personnel security, emergency management, information security and business continuity. These topics constituted the company’s four main security concerns. Also involved with the team were four executives who served as executive sponsors.
The team prepared biweekly reports to the sponsors to ensure that milestones were met and deliverables were agreed to by all. Examples of deliverables that the group would generate included process maps, results from interviews, and best practice information gathered from discussions with comparable companies and relevant associations.
There was consensus among the team that if the new model did nothing but encourage collaboration, it would fail; that is, ownership by committee would not work. Departments would retain their own competing self-interests.
For example, an argument might arise between IT and physical security units over how to spend limited funds budgeted for access control. But a committee comprising representatives from both departments would not easily be able to resolve how to distribute the money.
To avoid that problem, the team decided to designate an owner for each security function—IT, emergency management, business continuity and physical security—who would report to a newly appointed chief security officer, in what the company now calls end-to-end process ownership.
The future-process model started with companywide business protection as the ultimate goal, and the team identified the two main drivers of business protection as business security (physical, personnel and information) and business continuity/emergency management. Certain components were shared across both of these drivers, such as communication, education, compliance assurance, policies and procedures, and strategic planning. For example, each security function mandates strategic planning to prepare for possible threats or security breaches.
However, the company also found that certain processes were function-specific. For example, access control and investigations were processes performed by business security, while system recovery was a niche that belonged only to business continuity (a chart illustrating this analysis can be viewed online at www.securitymanagement.com).
With a CSO in charge of all security, and with a deeper understanding of which security functions were shared and which were not, the team was able to make an overall plan that would generate strategic advantages. It would do so by creating processes that worked across the components of security, continuity, and emergency management. This approach would allow better and more complete awareness of any security issues across the company. It would also eliminate confusion about which department handled each issue.
Real, tangible benefits were soon apparent. For example, while physical security was researching proximity cards to replace magnetic stripe cards for access control, information security was exploring biometric cards for access to computing resources. The fact that the two divisions now both reported to a single CSO and worked closely together meant that they were both aware early on of each other's plans and of the potential benefits of combining their work on these projects.
The collaboration allowed the company to coordinate the efforts so that each employee would not be forced to carry two separate cards. The integrated effort between security and information technology in this project will ultimately result in one card instead of two.
The process of converging security in this very large organization was not simple, but it does provide some pointers for other organizations that wish to follow suit. These steps include appointing a central security figure and mapping the company's processes. Other steps are creating an effectiveness model to ensure that resources are being properly used, and ensuring that employees are educated about security.
Every company should designate a chief security officer as the defined central figure responsible for all security processes. This person will be responsible for implementing the necessary steps to create a strategic and integrated approach to enterprise security.
The CSO must work with security staff to define and then assign ownership of each specific security responsibility. This step is critical because in an emergency situation, the key facilitators must be prepared to immediately fulfill their responsibilities, and on a day-to-day basis, employees must understand how they can contribute to the entire security process.
The chief security officer will typically map out these responsibilities across the enterprise. One benefit of this mapping exercise is that it may initially identify some security-related responsibilities that were not covered by anyone.
A critical step toward bringing together an organization's diverse security functions into what is known as enterprise security begins with process mapping. Process mapping has several components. The first shows any interdependencies among departments. The second looks at external factors such as suppliers and partners.
Mapping departmental interdependencies is extremely important because it provides the basis for establishing sound and coordinated security policies by identifying security vulnerabilities across the enterprise.
The mapping should also include a complete assessment of existing IT infrastructures to determine what components may be required to build and maintain a sustainable IT foundation that meets current needs as well as future technology expansion plans for physical and IT security. Developing this map requires a review of business processes and a detailed understanding of information access, workflow needs, budgets, timelines and performance benchmarks.
The process begins by listing all of the security functions, such as investigations or crisis response, and mapping how organizational components like corporate security and human resources relate to the carrying out of security functions. The diagram should show whether or not the organizational component owns the process related to each function, is a cross-functional team member, or is not involved in the process. (See figure 1 for an example of this map.)
Companies that never map out departmental process responsibilities are likely to run into problems. For example, one company received a bomb threat directed at its data center. Its physical security protocol required immediate evacuation of the center, regardless of the threat’s legitimacy, but the information systems department was not consulted before the evacuation began.
While the threat was investigated, the data center was forced to close down, interrupting the company's critical data flow. The company could have avoided this situation by identifying its business units' interdependencies in advance and establishing protocols for responding to such threats without affecting data flow, particularly during the period before the severity of the threat has been evaluated.
After mapping departmental interdependencies, the next step in process mapping is to map interdependencies among suppliers and partners.
One external factor that needs to be carefully considered is remote access. As partners play more critical roles in the supply chain, they are often provided with remote access to the company's network to help ensure that the process runs efficiently. In large corporations, this can represent several thousand additional access privileges to nonemployees to facilitate transactions, deal with interruptions, and meet contractual commitments to the corporation. Unfortunately, access privileges are not always removed after employees leave or preferred suppliers change and no longer require remote access to the network.
In one situation the authors are familiar with, a corporation's physical security team created a rigorous process for terminating a contractor that ensured that all tools, supplies and ID cards were properly returned. Additionally, physical security reviewed the nondisclosure agreement with each individual contractor to ensure that they understood the obligation not to divulge any proprietary information or process observed while working in the facility.
However, an audit of network access determined that a large number of former contractors' passwords and logical access controls had not been disabled. The supply management, physical security, and IT functions did not have an integrated approach to notifying each other of dismissals or changes in contractors, resulting in an enormous security vulnerability.
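The audit described above can be run continuously rather than once. The following is an added example, not code from the article or from the company it describes: it joins the termination records that physical security already keeps (badge returned, end date) against an export of network accounts and flags every account that should have been disabled, plus enabled accounts with no termination record that have gone dormant. All records and field names are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Finding:
    username: str
    reason: str
    days_open: int

# Constructed sample: physical security's record of contractor end dates.
TERMINATIONS = {
    "c.jones": date(2005, 3, 1),
    "m.patel": date(2005, 4, 15),
    "r.lee":   date(2005, 5, 20),
}

# Constructed sample: IT's export of network accounts.
ACCOUNTS = [
    {"username": "c.jones", "enabled": True,  "last_login": date(2005, 5, 30)},
    {"username": "m.patel", "enabled": False, "last_login": date(2005, 4, 14)},
    {"username": "r.lee",   "enabled": True,  "last_login": date(2005, 5, 19)},
    {"username": "s.kim",   "enabled": True,  "last_login": date(2004, 12, 1)},
]

def find_stale_accounts(terminations, accounts, as_of, dormant_days=90):
    """Return a Finding for each account that should not still be active.

    1. Terminated contractor whose account is still enabled.
    2. Any login after the termination date (even if since disabled):
       evidence that the gap between departments was actually used.
    3. Enabled account with no termination record and no login within
       dormant_days: likely a contractor IT was never told about.
    """
    findings = []
    for acct in accounts:
        user, end = acct["username"], terminations.get(acct["username"])
        if end is not None:
            if acct["enabled"]:
                findings.append(Finding(user, "enabled after termination",
                                        (as_of - end).days))
            if acct["last_login"] > end:
                findings.append(Finding(user, "login after termination",
                                        (acct["last_login"] - end).days))
        elif acct["enabled"] and (as_of - acct["last_login"]).days > dormant_days:
            findings.append(Finding(user, "dormant, no termination record",
                                    (as_of - acct["last_login"]).days))
    return findings

if __name__ == "__main__":
    for f in find_stale_accounts(TERMINATIONS, ACCOUNTS, date(2005, 6, 1)):
        print(f"{f.username:10} {f.reason:32} {f.days_open:4d} days")
```

In practice the two inputs would come from the badge system and the directory service; the point is that the reconciliation belongs to a named owner, not to a committee.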
One goal of convergence is to contain costs by working more efficiently, and one tool that organizations can use to assess costs and improve operating efficiencies is an effectiveness-assessment model that helps determine whether there is an appropriate balance between technology in place and staffing levels.
In one case, an assessment revealed excessive staffing in a single-tenant building owned by a multinational research and development firm. Employees had card access through a lobby that was monitored by CCTV from the onsite control center. The security post was staffed from 6 a.m. to 8 p.m., ostensibly for visitors. But a review of the visitor sign-in sheets indicated little visitor traffic during the business day and no traffic outside business hours. Through this assessment, the company was able to save money by reducing staffing without sacrificing security levels.
Security programs are most effective when stakeholders are empowered to take an active role in risk mitigation and when they understand how important security is to the organization. After all, it makes little sense to invest in sophisticated access controls, passwords or related technology if employees can be easily duped into allowing others to circumvent or have access to these controls. Thus, education and awareness programs are important elements of the long-term success of an enterprise security program.
Education is equally important for communicating to employees and senior management the value and benefits of ongoing enterprise security activities, including measurable return on investment (ROI). Thus, the organization’s employee awareness program becomes the essential final step of enterprise security implementation.
Simple educational tools include newsletters, a corporate security intranet site to relay information, an e-mail address for reporting security incidents, a confidential toll-free ethics hotline, and surveys to provide feedback to help tailor messages and increase employee engagement.
One company that the authors know of tracks traffic at its corporate security intranet site, which allows the company to recognize what materials employees are looking at on the intranet, and thus helps to identify the most effective means of relaying information on the site.
In another organization, the security director initiated a survey to determine the level of knowledge of and compliance with the company’s policies on the protection of proprietary information. In this survey, the work force provided recommendations for improvement and indicated that the new-hire training for the protection of proprietary information was inadequate.
While a survey is not typically considered an educational tool, in this case it did increase awareness about the protection of proprietary information. It also provided the company valuable information about how best to ensure this awareness.
In addition to enhancing an organization’s security posture, convergence allows companies to fully capitalize on security investments. The result is increased operational efficiencies and added value.
For example, a digital video surveillance system has an obvious security use—providing visual awareness of people and property for asset-protection purposes in retail environments—but it can also be used by sales or marketing departments to evaluate how passersby respond to visual displays. Similarly, a biometric hand reader that can provide secure access control to a manufacturing plant can also operate as a time and attendance device for payroll purposes. It might also serve as the access control device to the computer network.
The benefits of integrated security are considerable. A higher level of security for business processes and transactions across the organization minimizes exposure to risk, decreases security threats, and improves compliance with industry and government regulations. Converged security functions allow for faster, more responsive collaboration between the organization and remote business partners, suppliers and customers, ensuring a higher level of business continuity. A single budget for security reduces friction among departments with regard to funding sources for purchasing shared resources. And a single point of contact for ensuring that the enterprise is secure reduces the possibility that a department or security component will be overlooked.
Threats to a company do not care about organizational charts or corporate turf battles, and neither should security. Converging security functions is the best way to make sure that your company is protected against any kind of threat.
Ray O'Hara, CPP, is senior managing director of Vance, a global security consulting and investigative firm. He serves on the ASIS International board of directors.
Tim Williams, CPP, is vice president of corporate and systems security for Nortel Networks. He also serves on the ASIS International board of directors.
is manager of corporate security investigations for Southern California Edison. He serves on the ASIS Utilities Security Council.
ASIS International and ISACA, together with the Information Systems Security Association, are members of a security alliance with more than 90,000 collective members dedicated to addressing the management of risks and emerging regulations that require a more thorough, enterprisewide approach to security.
Copyright © 2005 ASIS International. Reprinted with permission from the July 2005 issue of Security Management Magazine.
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by ISACA®, Inc. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.
Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA® and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content.
© Copyright 2005 by ISACA® Inc., formerly the EDP Auditors Association. All rights reserved. ISCA™ Information Systems Control Association™
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by ISACA® Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.
INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 6, 2005