Standard Wire

Edition 11 – March 2006

IN THIS ISSUE
FOCUS: CONVERGENCE... BRIDGING THE GAP

 

Special Feature:
Mike Lemons – Vintara’s Director of Security Engineering, discusses key steps to implementing an Integrated Security System (ISS)

Summary:
Physical security (guns, guards, gates, incidents, and investigations) was the daily bread of the typical pre-9/11 security executive. The daily bread of the typical IT director was protecting networks, privacy issues, backups, and restorations. These were two separate universes, operating as independent organizations run by completely separate departments. The convergence of these two universes after 9/11 has significantly changed the security industry. An enterprise’s cyberspace and IT security and its physical security are now inalterably interrelated. This issue of Standard Wire outlines the key steps of implementing an integrated security management system that reflects the management of risk in these converging universes. It does so by answering these five key questions:

  1. What is convergence?
  2. What are the key characteristics of an Integrated Security System (ISS)?
  3. What are the key steps to a successful ISS implementation? Interview with Mike Lemons, Vintara’s Director of Security Engineering
  4. How can an ISS be quickly and cost effectively implemented?
  5. How can Vintara help?


First: What is Convergence?
Convergence means the integration of the enterprise’s security infrastructure, enabling interoperability between physical and IT security technologies. This integration and interoperability occurs at four distinct levels:

Examples of Physical and IT elements of convergence include:

Physical Security                  IT Security
---------------------------------  ----------------------------
Controlled Access                  Password Aging
Pass Cards                         Virus Protection
Biometric Scanners                 User Authentication
24x7x365 Video Surveillance        NSCA Certified Firewalls
24x7x365 Guards                    Clustered Servers
24x7x365 Activity Logs             Denial of Service Protection
Logged Visitors' Lists             Redundant Fail-Over
Fire Protection, VESDA & FM200     Hot Swappable Components
Continuous Power Supply            Offsite Data Backup


Second: What are the key characteristics of an Integrated Security System (ISS)?

  1. Current and clearly understood enterprise security policies dealing with both domains of physical and IT security.
  2. A well-defined, overall responsible security organization that integrates the physical and IT domains with flexibility and well-defined roles, i.e., each player has both responsibility and authority.
  3. “Direct Sight” of physical and IT assets by classification and location
  4. Immediacy of information
  5. Real time access within a central repository of information
  6. Extensive “ad hoc” query capability
  7. ISS is a key aspect of any new systems development and maintenance
  8. Clear planning for business continuity

SPECIAL FEATURE

Third: What are the key steps to a successful implementation?

Mike Lemons: Vintara, Director of Security Engineering

Mike has over 15 years of experience in the areas of quality management, consulting, support services, security, and documentation. As a Quality Engineer for Solectron, he decreased the average pre-manufacturing set-up time for Solectron’s 6,000 employees from 18 hours to 2 hours per employee. Mike has developed, implemented, and installed CAD/CAM enterprise solutions at major facilities worldwide. He has managed teams of software engineers, professional service engineers, and pre-sales engineers on Fortune 500 accounts including Agere, Honeywell, Solectron, Jabil, Sanmina/SCI, and Eaton to develop custom solutions. His process skills include ECO, ECR, QMS, Document Control, PLM, Sarbanes-Oxley, ISO 9000, ISO 17799, C-TPAT, and Security Management Systems. Mike has a BS degree in Industrial and Manufacturing Engineering from Cal Poly, San Luis Obispo, CA.

Regarding convergence and the implementation of an ISS, Mr. Lemons stated:

“Given we understand what convergence means and what are the critical characteristics of an Integrated Security System, the daunting task of developing and implementing an ISS can be distilled in several key steps. Bear in mind, any such implementation should utilize a Plan-Do-Check-Act (PDCA) methodology with a particular focus on the enterprise’s regulatory environment. The eight key steps to a successful implementation are:

  1. Identify the individual risk areas both generic and unique to the organization.
  2. Specify the requirements necessary to establish from the initial design the security controls for the organization’s specific and unique environment.
  3. Identify the security processes that best suit the organization, based on its needs and size.
  4. Relate those security processes to the risk areas of the enterprise that must be addressed.
  5. Document and set up the processes of the ISS.
  6. Establish controls for the overarching management of all communication, documents, and records affected by the ISS. These controls will specifically include incident reporting, escalation, and investigation tracking. These controls must include the creation, approval, and update cycle of the ISS to demonstrate adherence to the Enterprise’s goals.
  7. Establish clear criteria that ensure senior management oversight of and involvement in the ISS as well as the competence of all personnel to fulfill their roles within the ISS.
  8. On-going management to ensure the effectiveness with key reporting via Security dashboards of enterprise defined metrics.”

Fourth: How can an ISS be quickly and cost effectively implemented?

The key to an effective and rapid implementation of the ISS is to automate and streamline the security processes as much as possible. The enterprise needs the ability to manage information, equipment, personnel, and incidents happening globally within a centralized database. Automated security systems can actively or passively gather information, spot trends, complete investigations, and drive necessary procedural and policy improvements. An ISS is dynamic, real-time, and global, with real-time access to global performance data from one central location. An ISS gives Directors the ability to manage key performance activities and drill down to the situational information.

Fifth: How can Vintara help?

Vintara’s Enterprise Security Portal (VESP) gives an enterprise the ability to manage information, equipment, personnel, and incidents happening globally within a centralized database. VESP manages the information, spots trends, and tracks incidents and investigations, while driving necessary procedural and policy improvements. VESP is a complete software solution and security portal. The platform successfully handles the convergence of physical security and IT security, moving clients from a localized, static, and reactive environment to one that is dynamic, real-time, and global, with real-time access to global performance data from one central location. VESP fosters closer internal communication within the organization by providing all stakeholders with an easy-to-use interface. Dashboards allow stakeholders to manage key performance activities and drill down to the situational information.



VESP modules include:

Strategic Planning

Execution

  • Implement the necessary processes, training, and activities to foster compliance
  • Timely incident reporting and escalation
  • Integrated incident and investigation tracking
  • Track Projects and Action Items
  • Maintain records on employee security clearances, access permission, and vehicles
  • Manage access control, security vehicles, equipment, and guard services

Assessment

  • Create internal audit plans, score, and review online
  • Documents incidents to lead to process improvement
  • Auto-Generate Surveys to gather information and show progress
  • Identify best and worst by Location, Department and Owner

Improvement

  • Actively improve an organization’s compliance through real world Investigations
  • Document, Assign, Solve, and Review all Investigations through a strong methodology

Policy

  • Central Global Policy Database
  • Defines roles for electronic sign-offs
  • Automated e-mail Notifications
  • Distribute throughout the organization quickly and automatically
  • Version Controlled Change Management
  • Track who clicked “I have read and understand”

Review

  • Dashboards empower active management review meetings
  • Assign action items directly from the meeting
  • Review security performance with global transparency

     
Contact Steve Anderson at sanderson@vintara.com or (510) 808-2562, or visit http://security.vintara.com