STUDENT STUDY GUIDE
DSM 153
INTRODUCTION TO SECURITY MANAGEMENT
Saito College Copyright Reserved May 2010

OVERVIEW

The aim of this program is to provide graduates with the knowledge and skills to perform supervisory and management functions within the security and law enforcement industry, in the areas of public safety, asset protection, security management and technology. Students will learn how to deliver enhanced investigative services, initiate prevention programs, and mitigate asset deterioration within their own organizations and those of their clients. At the senior level, students will develop security solutions designed to protect their organizations and the industry overall. Graduates will be able to pursue the growing number of supervisory and management positions being created to focus on corporate due diligence, investigation and operational intelligence.

Graduates of the program will be able to:

• Reduce employer and public exposure to risk through a strong understanding of risk management and risk assessment in a security management and technology context.
• Supply positive intelligence to partner agencies and companies.
• Communicate intelligently with personnel in related professions in the security industry, in the areas of public safety, security management, and technology, through an understanding of the various related bodies and agencies (e.g., law enforcement, regulatory bodies, and emergency responders).
• Align security strategies and technologies with clients' corporate objectives.
• Evaluate security technology alternatives through an in-depth understanding of the capabilities, limitations, and practical applicability of the tools and technology.
• Demonstrate the body of knowledge and problem-solving skills necessary to protect assets.
• Differentiate among the various security roles and their respective responsibilities at all levels of an organization.
• Implement risk assessment and loss prevention initiatives to mitigate asset deterioration.
• Prepare and articulate the business case for an investment in security.
• Enhance the personal safety and skills of an organization's staff and tactical operators.

ORGANIZATION OF STUDENT STUDY GUIDE

PART 1 - COURSE STRUCTURE

• Title
• Objective
• Learning Outcome
• Course Credit Hours
• Teaching/ Delivery Methodology

PART 2 - COURSE CONTENT MATERIAL

• Subject Topics

PART 3 - ASSESSMENT & MARKING SCHEME

• Quiz 1 Questions and Answers
• Test 1 Questions and Answers
• Test 2 Questions and Answers
• Assignment Questions
• Final Theory

PART 4 - REFERENCES
PART 1 - COURSE STRUCTURE

Course Title : Introduction to Security Management

Subject Code : DSM 153

Course Objective : After completing the module the students will be able to:

• Understand the origin of security systems
• Describe the roles and challenges of a security system
• Understand security programs and systems
• Understand threats to the system
• Recommend prevention and deterrent methods for the security system

Learning Outcome : At the end of the program the students will be able to:

• Explain the origin of, and the need for, a security system
• Describe the differences between contract security and proprietary (in-house) security
• Define security policies
• Analyze security threats in a business environment
• Explain the typical structure of a security program
• Discuss the application of the components of a security program
• Rationalize the need for an effective security program

Course Credit Hours : 3 Credits (3 x 42 hours)

Teaching/ Delivery Methodology :

• Lecture
• Discussions
• Brainstorming
• Role-play
• Site visit
PART 2 - COURSE CONTENTS

Introduction to Security
• Definition of Security
• Need for security in a business environment

The Origin of Security
• Introduction to the origin of security
• Development of security through the ages
• Evolution of private security in Malaysia

The Threat Environment
• Cause for concern – the threats
• Need for risk management

Security Management Program
• Establishing a security organization – system and structure
• Role and responsibilities of the Security Manager
• Fundamental resources for a security program

Components of a Security Management Program
• Security Planning
  - Policy & procedure guidelines
• Security Implementation
• Security Review and Control

Future Challenges for Security Management
• Fundamentals of human factors
• Threat assessment
• Integrated risk management
• Quality control
• Security audit and quality assurance
• Contingency planning
• Security systems design and implementation
• Change management strategies
• Performance-based regulations and requirements
INTRODUCTION

Throughout the history of mankind it is possible to trace the emerging concept of security as a response to, and a reflection of, a changing society, mirroring not only its social structure but also its economic conditions, its perception of law and crime, and its morality. Thus security remains both a field of tradition and a field of change.

For centuries, people in the community have acted as a security force within the community. Indeed, the "job" of security was not even a job. It was the duty of all able-bodied men to protect their homes and community. There were no police to call. Instead, the people acted in self-defence or in defence of their community. Through much of history, therefore, security was seen as the province of the people themselves.

The concept of security in an organizational sense has evolved gradually throughout the history of human civilization, shaped by a wide variety of social, cultural and institutional patterns. In a business environment, security is understood as a relatively managed, stable and predictable environment in which an individual or group may pursue its ends without disruption or harm and without fear of disturbance or injury.

From a subjective perspective, security is the perception or belief that a valued structure has sufficient objective security. The subjective meaning of security as "freedom from anxiety or fear" resonates in the origins of the word: the Latin "se cura" means literally "without care", as in "carefree".

Security as a form of protection refers to the structures and processes that provide or improve security as a condition. Others define security as "a form of protection where a separation is created between the assets and the threat. This includes but is not limited to the elimination of either the asset or the threat. In order to be secure, either the asset is physically removed from the threat or the threat is physically removed from the asset."

Long ago, man came to the realization that security is one of the basic foundations for the pursuit of happiness. Without some measure of it, we are doomed to exist forever in what Hobbes called "a war of all against all." For most of us, that basic security, whether it be protection from crime in the form of the police or from foreign threats in the form of the military, is something that tends to be seen as a government matter. Increasingly, though, private security companies have begun to feature more prominently in the national and global security apparatus, dealing with everything from checking IDs at office buildings to actively participating in military operations overseas. While this seems like a new development, the origin of security actually goes back to the beginnings of history itself.

Definitions of security in its broadest context

The state of being free from danger or injury; "we support the armed services in the name of national security". Security is the degree of protection against danger, loss, disruption and criminals.

• Defence against financial failure; financial independence; "his pension gave him security in his old age"; "insurance provided protection against loss of wages due to illness"
• Freedom from anxiety or fear; "the watch dog gave her a feeling of security"
• A formal declaration that documents a fact of relevance to finance and investment; the holder has a right to receive interest or dividends; "he held several valuable securities"
• Property that your creditor can claim in case you default on your obligation; "bankers are reluctant to lend without good security"
• A department responsible for the security of the institution's property and workers; "the head of security was a former policeman"
• A guarantee that an obligation will be met
• Security system: an electrical device that sets off an alarm when someone tries to break in
• Measures taken as a precaution against theft, espionage or sabotage; "military security has been stepped up since the recent uprising"

Ancient Beginnings

In ancient Egypt, Nubian mercenaries were used to augment the expanding military conquests of Ramses II. Ramses also hired foreign soldiers for use as his personal bodyguards, creating an early precedent for the use of private security to protect public officials. The use of private security expanded in Roman times, when wealthy landowners hired off-duty soldiers to protect their property from criminals.

The Middle Ages

The modern origins of private security can be found in the changing nature of order and authority after the fall of the Roman Empire. As the empire crumbled and there was no longer a centralized power to maintain the peace, landowning nobles became the primary providers of security. This took the form of feudalism, where lords granted land usage rights to vassals in exchange for military aid and counsel in times of danger. Furthermore, in European towns and villages there was little in the way of formalized and institutionalized police forces; instead, individuals and the community as a whole were seen as responsible for protecting lives and property from criminals. In situations of danger, any villager could raise the "hue and cry" for help, and all able-bodied males over the age of 15 had to intervene or risk public sanction.

The Transition to Modernity

As the Middle Ages gave way to the Renaissance and the early Enlightenment, burgeoning trade, commerce and exploration began to radically change European society. Among other things, increasing urbanization meant that the traditional communitarian methods for dealing with crime became more difficult to apply, leading to periods of chaos and anarchy in many cities. As a result, magistrates operating as representatives of the king began to enforce laws and edicts more formally. Along with increasingly public military forces throughout Europe, the rise of modernity seemed to go hand in hand with a lessening of private security.

By 1700 the social patterns of the Middle Ages were breaking down, particularly in England. Increased urbanization of the population had created conditions of considerable hardship. Poverty and crime increased rapidly. No public law enforcement agencies existed that could restrain the mounting waves of crime and violence, and no agencies existed that could alleviate the causes of the problem.

By the 18th century it is possible to discern both the shape of efforts toward communal security and the kinds of problems that would continue to plague an increasingly urban society for decades to come.

In 1737, for instance, tax revenues were used for the first time to pay for a night watch. This was a significant development in security practice: a precedent-setting step that established the use of public funds for common security purposes.

Eight years later, Parliament carried out a study of security problems that resulted in a program employing the various existing private security forces to extend their scope of protection. Different kinds of police agencies were formed privately. Individual merchants hired men to guard their property. Merchant associations created the merchant police to guard shops and warehouses. Night watchmen were employed to make their rounds. Agents were engaged to recover stolen property.

This heterogeneous group, however, was too much at odds with itself and was not effective in addressing crime problems. Eventually Parliament's attention turned to reaffirming the laws protecting the common good through the ratification of a Bill of Rights for the people, which revoked monarchical control over decisions of law. The results of this new development, however, fell far short of expectations: there were many holes in the application of the law in combating crime. This situation persisted until the late 19th century and the industrial revolution, after which more organized forms of security management to combat crime evolved.

The Old West

Even as countries across Europe reduced their use of mercenaries to fight wars and instituted more formal practices of policing their citizens, there was still a need for private security up until the late 19th century. This was especially true in the American West, where frontier settlements suffered from a lack of established law and order. Private companies such as the Pinkerton National Detective Agency were given certain limited powers by the government to help secure towns and railroads from outlaw gangs. During this time, private security was sometimes the only security available to citizens.

The 20th Century

By the 20th century, many settlements in the west had become full-fledged
towns and cities with formal police departments. Across the country, this helped
create less demand for private security in terms of dealing with criminals. Private
security was still instrumental, though, in providing security for corporations,
especially in the tumultuous times of the Great Depression, when labor groups
began to challenge working conditions and wages through protests and strikes.

Modern Times
By the middle of the century, private security began to take on its modern form, being used to deter crime and disturbances at everything from sports stadiums to shopping malls. Today, as transnational threats such as drug trafficking and terrorism increasingly tax the resources of the state, more and more roles are being undertaken by private security. Many military bases are now protected by private security, and private security is once again taking on mercenary-like roles in the wars in Iraq and Afghanistan.

Changing Trends in Security Management

In the corporate world, various aspects of security were historically addressed separately, notably by distinct and often non-communicating departments for IT security, physical security, and fraud prevention. Today there is greater recognition of the interconnected nature of security requirements, an approach variously known as holistic security, "all hazards" management, and other terms.

Factors driving the convergence of security disciplines include the development of digital video surveillance technologies and the digitization and networking of physical control systems. Greater interdisciplinary cooperation is further evidenced by collaboration between international professional security bodies, for example the creation of the Alliance for Enterprise Security Risk Management, a joint venture of leading associations in security (ASIS, the American Society for Industrial Security), information security (ISSA, the Information Systems Security Association), and IT audit (ISACA, the Information Systems Audit and Control Association).

Evolution of Private Security in Malaysia

The Western colonialists, and in particular the British, brought with them the English system of law enforcement and its reliance on collective responsibility to what was then Malaya. Constables and night town watchmen were the primary means of security in Asia until the establishment of full-time police forces in the 1800s.

Malaysia, then Malaya, began to develop its own private security after independence in 1957, building on the system the English had established, as a result of growing demand and the prestige associated with the profession. Currently the Malaysian private security industry has about 200,000 guards.

The private security industry in Malaysia, which had a humble beginning in the days of the colonialists, has been transformed from the traditional watchman to a competitive sector backed by modern technology. It has become an integral part of the business world, where security is necessary to ensure the protection and safety of individuals and assets. There are around 322 companies engaged in providing different kinds of security, namely guarding services, private investigation, in-house security, commercial/industrial integrated monitoring systems, escort services, executive protection, etc. The industry generates an annual turnover of over RM850 million and is growing at an annual average of between 10-20% to meet the management needs of combating crime.

The Long Passage

The security industry in Malaysia has come a long way from the days of the traditional watchman, more fondly remembered as the "jaga" with the image of "Big, Strong and Friendly" (the days of our Sikh counterparts who single-handedly stood guard, faithfully ensuring the safekeeping of their employer's property), to the relatively more organized outfit of today. The route to this point has not been all that smooth. Despite the many problems and obstacles related to this low-profile, little-understood industry, many resilient companies have survived.

After independence in 1957, the private security industry began on a small scale, mostly concentrated in townships to take care of the properties of private property owners and the residences of British planters in rubber estates and tin mining areas. As an agrarian society at that point in time, growth was barely discernible. In addition, the main focus of the Government of the Federation of Malaya then was the fight against the communist insurgency.

With the formation of Malaysia in 1963, changes in the national administrative scene became more evident. With the ownership and administration of public organizations and private industries shifting from the British colonialists into the hands of locals, and the internal security threat from the communist insurgents reduced to jungle warfare, the government had a better grip on the situation and began exploring various avenues for national development. At the onset of the seventies, many development programs embracing industrialization enabled the shift from an agrarian-based society towards an industry-based society.

This gave the impetus for the emergence of a national industrialization policy under which many industries producing manufactured goods and services had their humble beginnings. Along with these developments the private security industry began to grow at a modest pace, and the government saw the need to regulate an industry that was about to go through rapid growth driven by industrialization. Therefore in 1971 the Private Agencies Act 1971 was enacted by Parliament to regulate the industry.

In the eighties, the rapid process of industrialization, the influx of foreign investors and their impact on the national economic fabric paved the way for the expansion of the private security industry. Though the private security industry expanded to cater for the various sectors of the economy, its growth was not directed in a well-structured manner to cater for the professional demands of the industry itself and the actual needs of its clients.

Category of Security
There is an immense literature on the analysis and categorization of security.
Part of the reason for this is that, in most security systems, the "weakest link in
the chain" is the most important. The situation is asymmetric since the defender
must cover all points of attack while the attacker need only identify a single
weak point upon which to concentrate.

Types of Security

The list below shows the range of areas in which security plays a role, and the degree of importance it has in human lives.

IT realm
• Application security
• Computing security
• Data security
• Information security
• Network security

Physical realm
• Airport security
• Port security/Supply chain security
• Food security
• Home security
• Hospital security
• Physical security
• Shopping centre security
• Infrastructure security

Political
• National security
• Human security
• International security
• Public security

Monetary
• Financial security
WHY SECURITY PROTECTION IS ESSENTIAL

Introduction

Protection of life, property and assets in a business environment is a necessity rather than a desire. Losses due to all causes continue to represent a problem for business and industry. Essentially, security involves the enforcement of crime prevention and control measures or activities within an organization. It is the orderly and predictive identification of, abatement of and response to criminal opportunity. It is a managed process which replaces the emotional crisis response to criminal losses with the timely identification of exposures to criminality before these exposures mature into a confrontation.

The proper application or enforcement of protective measures to minimize loss opportunity promises not only to improve the net profits of a business but also to reduce to acceptable levels the frequency of the most disruptive acts, whose consequences often exceed the fruits of the crime itself.

In the past security was fairly straightforward. Images of bank guards or fences topped with barbed wire accurately represented the extent of security solutions in most instances. That was yesterday. Today, the demands placed on security professionals have moved far beyond guards and barriers. Effective security requires a comprehensive "systems" approach that protects all the assets of a company.
Defining Organization’s Assets

In general, a company's assets may be broken into three (3) main areas:

• People - employees, customers, and others who may visit a site
• Materials - any materials used in a company's processes
• Property - both physical and intellectual

We'll look at each of these in more depth.

People
It is often said that people are a company's most important asset. A company's employees, after all, are responsible for coming up with the ideas for the goods or services which bring success to an enterprise. Employees design, engineer and manufacture the product. They manage these operations, track costs and revenues, and provide a sense of overall direction for the business. All of these individuals are valuable assets to a company.

In addition, customers, contractors, vendors, and other visitors become part of a company's assets, particularly while they are within the company's physical plant. People can also be potential threats or liabilities to a company. Both outside individuals and company personnel who may be intent on injuring the company in some way (by theft of materials, for example) present significant concerns to security operations. Examples of such "people" threats include:

• protesters/demonstrators
• thieves
• a disgruntled employee damaging property or interrupting operations

Materials
Consider all the materials typically used by a company. The raw material used in
a company's processes must be protected from theft, damage, or any other
problems which would interfere with manufacturing. Finished products are also
part of the company's material assets and should be a major security concern.
In addition, any materials which may be created as by-products of the
manufacturing process are also of concern. Some of these materials (e.g.,
chemicals, gases, lubricants and fuels) may be classified as hazardous
materials and present a special security concern.

Property
Traditional approaches to security have always focused on property, but today property includes much more than just physical items, and this, of course, affects corporate security concerns. Physical property is clearly an asset; therefore, it requires a plan to protect it. However, there is a whole range of other types of property, generally described as intellectual property. This can include research, computer programs created by the company, operational procedures, marketing and sales data, and certain company policies.

All of these are valuable assets of an organization that require prudent protection. The challenge for security personnel is to implement effective protections for people, materials, and property. A successful security operation must be built on a systematic approach to the protection program which addresses all of these system-wide concerns. In addition, an effective security program must be able to address current and emerging threats within the environment in which a company operates.

THE SECURITY THREAT IN BUSINESS ENVIRONMENT

Introduction - “Good Fences Make Good Neighbors”

The old adage is "good fences make good neighbors." That holds true today for businesses, though the fences in this case are security policies. Strong security policies, coupled with good procedures and practices, should minimize business risk. Organizations need to recognize the immediate need to protect their employees, property and information assets from the emerging security threats of a dynamic environment. This security threat is significant and should lead businesses to consider deploying security solutions with a proven ability to detect new and previously unknown risks emanating

What does a corporate organization need?

A successful business works on the basis of revenue growth and loss prevention. Corporate businesses are hit particularly hard when either or both of these business requirements suffer. Security breaches, downtime and reputation loss can easily turn away new and existing customers if such situations are not handled appropriately and quickly. This may, in turn, affect the company's bottom line and ultimately its profit margins. A container hijack, a computer virus outbreak, or a network breach can cost a business thousands of dollars. In some cases, it may even lead to legal liability and lawsuits.

The truth is that many organizations would like to have a secure business
environment but very often this need comes into conflict with other priorities.
Firms often find the task of keeping the business functions aligned with the
security process highly challenging. When economic circumstances look dire, it
is easy to turn security into a checklist item that keeps being pushed back.
However the reality is that, in such situations, security should be a primary
issue. The likelihood of threats affecting your business will probably increase
and the impact can be more detrimental if it tarnishes your reputation.
Conversely, if security is accorded adequate priority in the organization, it will
certainly help to maintain a healthy profit margin besides safeguarding the good
reputation of the organization.

The Threat Environment

One of the most important steps in any security management strategy is to identify the threats to your organization. A threat is defined as an event (for example, a tornado, theft, virus infection), the occurrence of which can have an undesirable impact on the well-being of the assets in an organization. The objectives of protection are to ensure the security and safety of assets, of which the most important objective is the safety of the people in any environment.

Physical security, the most often overlooked portion of security, has been brought to the forefront of many organizations in the past decade. The attention can be credited mostly to the multiple catastrophic events worldwide in that same time frame. Although some are man-made, many of the most widespread and destructive are the result of Mother Nature.

It is the responsibility of all individuals within the organization to ensure that it is prepared for any physical or environmental interruptions. However, the ultimate responsibility falls on the top-level leadership to maintain proper levels of planning, implementation, and oversight. By identifying and understanding the threats to physical security, organizations can more effectively overcome interruptions, thereby lowering the organization's risk from unknown events.

Threat Categories

Generally, four categories based on causation threaten physical security: nature/environmental, supply systems, man-made, and political. Let's take a more in-depth look at each category with examples.

Nature/Environmental

These include anything caused or created by Mother Nature or the result of naturally occurring phenomena. Many examples of naturally occurring events can threaten physical security, including but not limited to the following:

• Hurricanes
• Tornadoes
• Wind
• Earthquakes
• Snow/ice
• Floods
• Humidity
• Static electricity
• Extreme temperatures
• Dust/dirt
• Lightning
• Avalanches/slides
• Volcanic eruptions
• Fire

Supply Systems

These include the critical infrastructure and utilities that most business organizations depend on for daily operations, including but not limited to power, water, and communications providers.

Man-Made

Humans are the most common threat to physical security, generally because of
negligence. We spend the most money and effort in defending against these
types of physical threats. Man-made threats consist of a wide array of
possibilities; some examples include hackers/crackers, theft, fire, human error
(hitting the wrong button, unplugging the wrong cord, and so on),
mechanical/electrical malfunction, explosions, vibration, spills, malicious code,
radio frequency interference, fraud, intruders, magnetism, toxic chemicals,
pollution, overloaded electrical outlets, and many more.
Political Events

With governments, politics, and religion come power struggles that can sometimes lead to violence. We have witnessed many of these unfortunate struggles, which continue to occur worldwide. Bombings, strikes, terrorism, riots, espionage, wars, and so on can all have considerable effects on the security of an organization and its capability to operate normally.

As an example, the recent civil unrest (April 2010) in Bangkok had a devastating effect on the nation and the business community, where hundreds of lives and millions of dollars were estimated to have been lost to clashes, fire and rampage.

Emerging Threats

The physical security environment is quickly becoming more complex and more difficult to protect, for several reasons:

• Besides internal and external man-made threats, we are witnessing an increase in politically motivated attacks. Attacks waged through the Internet have become highly motivated and profitable, and organizations are realizing the potential damage they can cause.
• Natural disasters have been one of the most disruptive threat agents over the last decade due to radical changes in global climatic conditions.
• Corporate espionage is becoming increasingly popular as companies look to gain an advantage over competitors. Penetrating competitors' IT infrastructure can be a huge advantage when sensitive documents regarding upcoming products and financial data can be obtained.
• Terrorist activities have been the other most disruptive threat agent since the 9/11 attack on the World Trade Center in the United States. This event brought about a whole gamut of strategy changes in the way the global business community manages its business security.

As technology evolves and the security landscape changes, security professionals must stay abreast of current trends and continually learn how to adjust their posture to keep their risk levels to a minimum.

Prioritizing Threats

Time and money are always limited resources when trying to create a solid
security posture. Being asked to prioritize security can be a daunting task.
Threats are widespread and they constantly evolve. A common approach to
identifying the most important threats to your organization is to perform a
simple business impact analysis (BIA).

Here is a simple example:

Fig 1. BIA Table.

Note: Rank each impact based on 4 = high to 1 = low. Rank each resource
based on 4 = weak resources available to 1 = strong resources available.

An important thing to remember when prioritizing threats is that the most
probable are not necessarily the most covered in the popular media. Information
security (IS) management polls continue to reveal that insider threat, due to
disgruntled employees or dishonest employees, is the number one risk to the
security of computing resources. Across the board, recent statistics indicate that
72% of all thefts, fraud, sabotage, and accidents are caused by a company's
employees. Another 15% to 20% comes from contractors and consultants who
are given access to buildings, systems, and information. Only about 5% to 8% is
done by external people; yet the press and management focus mostly on them.
By focusing on the most probable threats, you can quickly lower your
organization's risk dramatically.
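As an added worked example (it is not part of the study guide), the script below scores a constructed set of threats with the 4 to 1 ranking convention given in the note under Fig. 1 and sorts them into a priority order, so that the most probable, weakly resourced, high-impact threats come first rather than the most publicised ones. The impact areas, the sample threats and their ranks, the extra likelihood rank, and the combining rule (impact total multiplied by the resource-weakness rank and by likelihood) are all assumptions made for this illustration; the guide gives the ranking scale but no formula for combining the ranks.

```python
"""Business impact analysis (BIA) scoring for threat prioritization.

Added example, not from the study guide. The guide's note gives only the
ranking scale (impact 4 = high .. 1 = low; resources 4 = weak .. 1 = strong);
the impact areas, the likelihood rank, the combining rule and the sample
threats below are assumptions constructed for illustration.
"""
from dataclasses import dataclass

# Assumed impact areas; a real BIA would use the organization's own.
IMPACT_AREAS = ("people", "operations", "financial", "reputation")


def _check_rank(value, label):
    """All scores in this BIA are integer ranks from 1 to 4."""
    if not isinstance(value, int) or not 1 <= value <= 4:
        raise ValueError(f"{label}: expected an integer rank 1..4, got {value!r}")
    return value


@dataclass(frozen=True)
class ThreatAssessment:
    name: str
    impacts: dict    # area -> 4 (high impact) .. 1 (low impact)
    resources: int   # 4 = weak resources available .. 1 = strong resources available
    likelihood: int  # assumption: 4 = very probable .. 1 = rare

    def __post_init__(self):
        missing = set(IMPACT_AREAS) - set(self.impacts)
        if missing:
            raise ValueError(f"{self.name}: missing impact areas {sorted(missing)}")
        for area, rank in self.impacts.items():
            _check_rank(rank, f"{self.name}/{area}")
        _check_rank(self.resources, f"{self.name}/resources")
        _check_rank(self.likelihood, f"{self.name}/likelihood")

    def impact_total(self):
        return sum(self.impacts[area] for area in IMPACT_AREAS)

    def priority(self):
        # Assumed combining rule: total impact, amplified by how weak the
        # available countermeasures are and by how probable the threat is.
        # A weakly resourced, probable, high-impact threat scores highest.
        return self.impact_total() * self.resources * self.likelihood


def prioritize(assessments):
    """Return assessments ordered from highest to lowest priority (ties by name)."""
    return sorted(assessments, key=lambda t: (-t.priority(), t.name))


def bia_table(assessments):
    """Rows of (name, impact total, resources rank, likelihood rank, priority)."""
    return [(t.name, t.impact_total(), t.resources, t.likelihood, t.priority())
            for t in prioritize(assessments)]


# Constructed sample data for a single site; not figures from the guide.
SAMPLE_ASSESSMENTS = [
    ThreatAssessment("Insider theft or fraud",
                     {"people": 1, "operations": 2, "financial": 4, "reputation": 3},
                     resources=3, likelihood=4),
    ThreatAssessment("External network intrusion",
                     {"people": 1, "operations": 3, "financial": 3, "reputation": 4},
                     resources=2, likelihood=2),
    ThreatAssessment("Fire in the server room",
                     {"people": 4, "operations": 4, "financial": 3, "reputation": 2},
                     resources=1, likelihood=1),
    ThreatAssessment("Extended power failure",
                     {"people": 2, "operations": 4, "financial": 2, "reputation": 1},
                     resources=4, likelihood=3),
    ThreatAssessment("Civil unrest near the site",
                     {"people": 4, "operations": 3, "financial": 2, "reputation": 1},
                     resources=3, likelihood=2),
]

if __name__ == "__main__":
    print(f"{'Threat':<30} {'Impact':>6} {'Res':>4} {'Like':>5} {'Prio':>5}")
    for name, impact, res, like, prio in bia_table(SAMPLE_ASSESSMENTS):
        print(f"{name:<30} {impact:>6} {res:>4} {like:>5} {prio:>5}")
```

With the constructed ranks, the insider threat (probable, only moderately resourced) ranks first and the server-room fire (severe but rare and well covered by existing controls) ranks last, which is the point the paragraph above makes about probability versus publicity. Changing the combining rule (for example, adding the ranks instead of multiplying them) changes the ordering, so whichever rule an organization adopts should be written into its BIA procedure and applied consistently.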

Bottom Line

Threats to physical security are diverse in nature and, if they occur, can be
devastating to the livelihood of an organization. Technology continues to
become more integrated into everything we do, particularly within our business
community. The more dependent we become on technology, the more
important it becomes that we take the appropriate actions to make it
resistant to all threats.

Organizations owe it to their employees, customers, investors, and others to take
security seriously and invest in the appropriate technology and people. Those
that do not put everyone involved at risk of a single incident causing
irreparable damage to their livelihood. Due diligence in considering physical
threats is a vital responsibility of the entire organization from top to bottom that
should not be overlooked or placed low on the priority list.

A SYSTEMATIC APPROACH TO SECURITY MANAGEMENT PROGRAM

The Corporate Security program

Globalization has changed the structure and pace of corporate life; the
saturation of traditional markets is taking companies to more risky places. At the
same time, security risks have become more complex, too. Many of the threats,
such as terrorism, organized crime and information security, are asymmetric and
networked, making them more difficult to manage.

There is also greater appreciation of the interdependence between a
company’s risk portfolio and the way it does business: certain types of behaviour
can enhance or undermine an organization’s ‘licence to operate’, and in some
cases this can generate risks that would not otherwise exist. As a
result, security has a higher profile in the corporate world today than it did a
decade ago.

Companies are looking for new ways to manage these risks and the portfolio of
the security department has widened to include shared responsibility for things
such as reputation, corporate governance and regulation, corporate social
responsibility and information assurance.

Against this backdrop, the Security Manager’s challenges are many as we enter
the 21st Century. “A global and technologically connected marketplace presents
a paradigm for the corporate security professional which is different from the
one faced just a decade or two ago. Traditional corporate security programs
once focused on the protection of facilities, equipment and people by physical
security means.

“Today, the protection of corporate assets which once only required
physical security now requires a state-of-the-art asset protection program driven
by the information and information systems which permeate corporations and
the corporate security functions themselves. A lack of effective and efficient
security processes could also mean the loss of the corporation’s competitive
edge. The corporate assets protection program must be flexible with the ability
to rapidly change to meet the corporate needs as they occur. The modern
security manager must approach security in a holistic manner and must think
globally.”

A systematic approach to managing the security threats to the business environment
is a foremost prerequisite in the development of a security management
program for a corporate organization. As mentioned above, the security manager
needs to have a holistic approach to ensure the entire security program
encompasses a conceptual model that is highly flexible and adaptable to meet
the challenges of a dynamic threat environment.

The following figure depicts the conceptual model of how a corporate security
management program can be developed.

Fig. 2 Conceptual Model of a Security Management Program

The Security Program concept in figure 2 above illustrates a
relational model whose structure helps to develop a holistic security
management program for any organization, be it a business organization or a
government installation.

Introduction
In order to establish a sound security management program, we need to
organize its components in a logical manner, so that the execution of the various
processes from the system components provides a seamless operational flow in
the security chain, ensuring an effective security posture for the corporate
organization. The ensuing elaborations are based upon figure 2,
Conceptual Model of a Security Management Program.

Environmental Scanning
The major potential security issues an organization may confront can be
assessed through an environmental scanning activity.
Environmental scanning is a data collection / information gathering process and
technically it is known as an intelligence gathering activity. It is aimed at collecting
information about an environment (both internal and external), such as security
threats that may pose serious consequences to business operations and
directly affect the company's profit margin. Ongoing monitoring by security
managers and supervisors enables data to be collected, processed and
analyzed for use in decision making in the development and implementation
of security programs in the organization. Generally the security threats facing a
corporate organization are characterized by the crime statistics within the
particular area of business operations, both within and outside.
One of the reasons to use environmental scanning for security threats is in
preparation for a major change such as a new facility, a big shift in policy, or the
emergence of new technology. Most importantly, scanning and gathering data
before entering the planning stage is a useful tool to help identify weaknesses,
opportunities, threats, and strengths. These can be built upon in the planning
stage to create a strong and effective plan to address issues identified
during environmental scanning. Failure to collect information before starting
plans can result in costly mistakes or blunders and missed opportunities.

Threats confronting organizations may take various forms of disruptions
crippling the business operations. Consider the effects of major or unanticipated
changes within a corporation's "culture" — layoffs resulting from downsizing or
mergers, for example. Such change may lead to high levels of anxiety within the
work force. This may result in personnel security issues leading to industrial
relations cases.

Disruptions from outside, on the other hand, include disgruntled customers,
vendors or contractors, or persons who may have no prior links to the company. At
the extreme, such disruptions become disasters ranging from bomb threats to
actual bomb detonations or other types of terrorist deeds.

Disruptions can also result from major accidents, which pose significant risks to the
company. In most companies, security issues overlap with concerns addressed
by other corporate departments — Human Resources, for example. Such
concerns include employee down-time due to tardiness, substance abuse,
domestic violence and psychological problems.

These issues extend beyond security, but there is no question that employees in
these situations are legitimate security concerns. Security professionals also
deal with the improper activities of employees, particularly corporate officers.
Conflict of interest is the number one concern. One example of conflict of
interest is an officer who takes sensitive information to a new job at a different
company. This activity clearly threatens a company and is a significant challenge to a
security management program. Similarly, violations of established business
standards — in contract procurement, for example — and financial
mismanagement present additional threats, all having a potentially serious
impact on corporate stability.

As you can see, the issues confronting security professionals today are broad in
scope, and these threats have a potentially major impact on a company's
operations. Security professionals must be aware of all potential risks in order to
develop a sound security management program.

Companies that use environmental scanning can move quickly when they
identify a problem or an opportunity. This includes everything from a new
regulation issued by the government that might threaten a company's business
operations to a security issue in an office. The data gathered
in environmental scanning can be processed to develop an organized report to
provide information to management and other stakeholders of the company who
may be interested. Dispensing the information effectively is an important part of
this practice, as data is useless if it never gets into the right hands at the right
time.

From the information gathered from the environmental scanning, corporate
policy-makers require clear, unambiguous, meaningful intelligence analyses,
assessments and early warning about the threat scenario in order to make
effective policy decisions. Moreover, policy-makers expect intelligence gatherers
to assist them with the prioritization of security threats--including those that have
not yet occurred--in order to ensure the most effective allocation of scarce
resources.

CORPORATE SECURITY POLICY

Thus it is very clear that environmental scanning for threats is a prerequisite in a
business organization. The information collected and analyzed gives the policy
makers proper guidance in developing the company’s security policy.

Introduction

A corporation needs a general security policy. The policy must be developed
and supported by management at all levels of the organization, from the highest
to employees at the operational levels. Critical elements for the development
process of a corporate security plan, as for any other planning process, include
defining objectives, defining policies in support of those objectives, and devising
plans to implement the policies. (Responsibility for defining objectives and policies
rests at the highest level, with senior management and the board of directors; lower
levels of management devise plans and implementation strategies.) People at
all levels must be aware of their individual responsibilities.

A. Objectives: Three activities are recommended as a basis of the general
security policy:
o Identify critical systems and processes;
o Create plans for ensuring security and control of such systems and
processes;
o Develop and implement personnel training programs.

The most compelling argument in support of security management from
the corporation’s standpoint is that confidential data may give a
competitive advantage. The firm may lose this advantage if controls break
down, with the consequent possibility of the firm’s demise if legal
requirements have been violated materially.

Each corporation has its own strategic imperatives; objectives for a
corporate security plan will follow, combined with the guidance offered by
applicable legislation.

B. Policies: The board of directors and senior management of a corporation
must set strategic objectives for the management of corporate security;
policies to guide implementation are also a senior level responsibility.
Specific examples of policies change from company to company, but most
include statements like, “This firm is committed to ethical and professional
behavior.” One model for corporate policies is found in the Data
Processing Management Association’s Model Corporate Security Policy;
other models are available in various texts.

C. Plans: Plans to implement security policies depend on the level of
management involved. Operations management may be concerned with
subjects like physical access to the facility; IT department management
may be concerned with correct use of application systems; human
resources management may be concerned with proper training programs
and career path counseling, and so on. Items which must be included in
any effective set of security plans include:

o Access Controls: identify and authenticate users to protect against
computer crime;
o Data Security Programs: base data security programs on the fact
that a corporation depends on its computer system.
o Data Labeling: safeguard sensitive data to the degree of control
necessary for defined protection.
o Human Resources Planning: hire properly qualified people and
ensure good employee—management relations and effective
training programs.
o Contingency Plan: plan for problem avoidance and recovery.
o Legal Responsibilities: understand and provide for legal
requirements.

D. Responsibilities

Senior Management and Board of Directors define corporate security
objectives, define policies to achieve these objectives, and ensure that
mechanisms for communicating those policies are in place. This may
include tying both compensation and promotion of managers to success in
meeting the corporate security objectives.

Middle Management (e.g., Human Resources Manager, DP Manager,
Plant Management) defines staff procedures to ensure proper policy
implementation.

Employees are responsible for ensuring that elements under their control
are carried out according to policy and procedures to maintain effective
control and security.

We aim for excellence in the protection of the company assets and data. We
achieve this by:

• Promoting a culture and awareness of security
• Running dedicated programs for our employees in all entities country-wide to
put in place and maintain the highest levels of both logical and physical security
• Staying ahead of evolving threats by continuously assessing risks and
vulnerabilities
• Implementing and complying with a managed security system of internal
standards and policies that surpass regulatory requirements
• Monitoring, auditing and testing the security system

Our security processes are subject to continuous improvement. Every employee
and every site is expected to contribute daily to achieving our objectives of:

• Ensuring our customers’ security infrastructures are never compromised
• Seeking and maintaining external certifications on all production and
personalization sites
• Continuously reducing the levels of any remaining risks

We all play our part in abiding by and supporting the Security policy. No-one
must undermine any of these measures.

Definition of a Policy

A policy is typically described as a deliberate plan of action to guide decisions
and achieve rational outcome(s). The term is not normally used to denote what
is actually done; this is normally referred to as either procedure or protocol.
Whereas a policy will contain the 'what' and the 'why', procedures or protocols
contain the 'what', the 'how', the 'where', and the 'when'.

The term may apply to government, private sector organizations and groups,
and individuals. Presidential executive orders, corporate privacy policies, and
parliamentary rules of order are all examples of policy. Policy differs from rules
or law. While law can compel or prohibit behaviors (e.g. a law requiring the
payment of taxes on income), policy merely guides actions toward those that are
most likely to achieve a desired outcome.

In simple terms, a policy is a formal, brief, and high-level statement or plan that
embraces an organization’s general beliefs, goals, objectives, and acceptable
procedures for a specified subject area. Policies always state required actions,
and may include pointers to standards.

Policy attributes include the following:

• Require compliance (mandatory)
• Failure to comply results in disciplinary action
• Focus on desired results, not on means of implementation
• Further defined by standards and guidelines

A Procedure
• A series of steps taken to accomplish an end goal
• Procedures define "how" to protect resources and are the mechanisms to
enforce policy.
• Procedures provide a quick reference in times of crisis.
• Procedures help eliminate the problem of a single point of failure (e.g., an
employee suddenly leaves or is unavailable in a time of crisis).

Procedures are equally as important as policies. Often the policies define what is to
be protected and what the ground rules are. The procedures outline how to
protect the resources or how to carry out the policies. For example, a Password
Policy would outline password construction rules, rules on how to protect your
password and how often to change them. The Password Management
Procedure would outline the process to create new passwords, distribute them,
as well as the process for ensuring the passwords have been changed on critical
devices. There will not always be a one-to-one relationship between policy and
procedures.
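As an added illustration (not from the study guide) of the policy-versus-procedure split described above, the Python below writes the password policy as a small set of declarative rules (the "what") and the password management procedure as the functions that apply them (the "how"): checking a candidate's construction, refusing reuse of recent passwords without ever storing them in clear, and deciding when rotation is due. The policy values (12 characters, three character classes, 90-day maximum age, five-password history), the function names and the sample passwords are assumptions made for this example.

```python
"""A password policy (the 'what') and the password management procedure (the 'how').

Added example, not from the study guide. The policy values, rule names and
helper names below are assumptions chosen for illustration.
"""
import hashlib
import os
import string
from datetime import date

# Policy: declarative rules of the kind a Password Policy document states.
PASSWORD_POLICY = {
    "min_length": 12,
    "character_classes_required": 3,  # out of lower, upper, digit, symbol
    "max_age_days": 90,
    "history_depth": 5,               # none of the last N passwords may be reused
}

_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def _digest(password, salt, iterations=50_000):
    """Salted PBKDF2 so the history never holds plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def _as_date(value):
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def check_construction(candidate, history, policy=PASSWORD_POLICY):
    """Procedure step: list every policy rule the candidate password violates.

    `history` is a list of (salt, digest) pairs written by record_password().
    An empty result means the candidate is acceptable under the policy.
    """
    violations = []
    if len(candidate) < policy["min_length"]:
        violations.append(f"shorter than {policy['min_length']} characters")
    present = sum(1 for chars in _CLASSES.values() if any(ch in chars for ch in candidate))
    if present < policy["character_classes_required"]:
        violations.append(
            f"uses {present} character class(es); policy requires "
            f"{policy['character_classes_required']}")
    if any(_digest(candidate, salt) == digest for salt, digest in history):
        violations.append(f"reuses one of the last {policy['history_depth']} passwords")
    return violations


def record_password(password, history, policy=PASSWORD_POLICY):
    """Procedure step: store the accepted password's salted digest, trimming history."""
    salt = os.urandom(16)
    history.append((salt, _digest(password, salt)))
    del history[:-policy["history_depth"]]
    return history


def rotation_due(last_changed, today, policy=PASSWORD_POLICY):
    """Procedure step: True when the max-age rule requires a change."""
    return (_as_date(today) - _as_date(last_changed)).days >= policy["max_age_days"]


def change_password(candidate, history, policy=PASSWORD_POLICY):
    """The whole procedure for one change request: returns (accepted, reasons)."""
    reasons = check_construction(candidate, history, policy)
    if reasons:
        return False, reasons
    record_password(candidate, history, policy)
    return True, []


if __name__ == "__main__":
    history = []                                            # constructed sample state
    record_password("Initial-Pass-2010!", history)
    print(check_construction("Initial-Pass-2010!", history))  # reuse is rejected
    print(change_password("Corr3ct-Horse-Battery", history))  # accepted
    print(rotation_due("2010-01-01", "2010-04-01"))         # 90 days elapsed
```

The policy dictionary can be changed without touching the procedure, which is the relationship the text describes: the policy owner decides the numbers, the procedure is what operations staff run. Keeping only salted digests in the history means the reuse check needs no copy of old passwords, and the check reports every violated rule at once rather than stopping at the first, which is what a help desk following the procedure needs to tell the user.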

A Standard
• A mandatory action or rule designed to support and conform to a policy.
• A standard should make a policy more meaningful and effective.
• A standard must include one or more accepted specifications for hardware,
software, or behavior.

A standard is meant to convey a mandatory action or rule and is written in
conjunction with a policy. For example, many organizations should (and need to)
have a policy about the implementation of access control processes. Such a
policy should have an accompanying control standard which sets out the
specific procedures required to exercise access control over the
corporation’s top management personnel, employees and staff, and the public
as well.

A Guideline
• General statements, recommendations, or administrative instructions designed
to achieve the policy’s objectives by providing a framework within which to
implement procedures.
• A guideline can change frequently based on the environment and should be
reviewed more frequently than standards and policies.
• A guideline is not mandatory, but rather a suggestion of a best practice. Hence
“guidelines” and “best practice” are interchangeable.

Guidelines are not a required element of a policy framework; however, they can
play an important role in conveying best practice information to the user
community. Guidelines are meant to “guide” users to adopt behaviors which
increase the security posture of a facility, but are not yet required (or in some
cases may never be required).

Intended effects

The intended effects of a policy vary widely according to the organization and
the context in which they are made. Broadly, policies are typically instituted to
avoid some negative effect that has been noticed in the organization, or to seek
some positive benefit.

Corporate purchasing policies provide an example of how organizations attempt
to avoid negative effects. Many large companies have policies that all purchases
above a certain value must be performed through a purchasing process. By
requiring this standard purchasing process through policy, the organization can
limit waste and standardize the way purchasing is done.

As an example, the Malaysian Federal Constitution under Article 3 states that “No
man shall be punished for an offence until he is proven guilty beyond
reasonable doubt in the court of law”. In the context of policy, the application of
this constitutional provision ensures that the criminal justice system plays a central role in
effecting justice upon a would-be accused. The constitution ensures that the
entire criminal justice system has comprehensive processes within its
mechanism to interpret the “policy” well and bring about the intended effect.

Unintended effects

Policies frequently have side effects or unintended consequences. Because the
environments that policies seek to influence or manipulate are typically complex
adaptive systems (e.g. governments, societies, large companies), making a
policy change can have counterintuitive results. For example, a government
may make a policy decision to raise taxes, in hopes of increasing overall tax
revenue. Depending on the size of the tax increase, this may have the overall
effect of reducing tax revenue by causing capital flight or by creating a rate so
high that citizens are deterred from earning the money that is taxed.

The policy formulation process typically includes an attempt to assess as many
areas of potential policy impact as possible, to lessen the chances that a given
policy will have unexpected or unintended consequences. Because of the
nature of some complex adaptive systems such as societies and governments,
it may not be possible to assess all possible impacts of a given policy.

In a corporate business environment similar circumstances tend to occur when
certain policies are not well thought through before implementation. For example, a
laptop manufacturing facility issued a security policy stating that all access
control systems within the facility shall be electronically based and centrally
operated. Imagine a power failure for an extended period at a facility that did
not cater for a stand-by power supply. The entire facility would go into
chaos, unable to move people within the facility to their
respective areas of operations because the various access control systems in
the facility had become defunct due to the power failure. Hence, it is discernible that policies,
when created and implemented, must incorporate an element of flexibility to
cater for unforeseen contingencies.

Guiding Principle
Generally policy formulations are guided by principles that may help to facilitate
the security goals of the organization. These normally involve:
• Over-arching statements that convey the philosophy, direction or belief of an
organization.
• Guiding principles serve to “guide” people in making the right decisions for the
organization:
– What policies and standards are needed
– What technologies are needed
– How architecture should be accomplished
• Guiding principles are NOT policies, but serve as guidelines in the formulation
of thoughtful and comprehensive security policies and practices.

Guiding principles are over-arching statements that convey the direction or
belief of an organization. They serve to “guide” people in making the right
decisions (such as technology purchases or architecture direction). They can also
serve as a guide-post on what policies and standards will be needed by an
organization. Guiding principles provide a strong foundation for any
organization. They can be specific to a certain function (e.g. Corporate Security)
or more general, such as IT Guiding Principles.

Contents of a Policy

Policies are typically promulgated through official written documents. Policy
documents often come with the endorsement or signature of the executive
powers within an organization to legitimize the policy and demonstrate that it is
considered in force. Such documents often have standard formats that are
particular to the organization issuing the policy. While such formats differ in
form, policy documents usually contain certain standard components including:

 A purpose statement, outlining why the organization is issuing the policy,
and what its desired effect or outcome of the policy should be.
 An applicability and scope statement, describing who the policy affects
and which actions are impacted by the policy. The applicability and scope
may expressly exclude certain people, organizations, or actions from the
policy requirements. Applicability and scope is used to focus the policy on
only the desired targets, and avoid unintended consequences where
possible.
 An effective date which indicates when the policy comes into
force. Retroactive policies are rare, but can be found.
 A responsibilities section, indicating which parties and organizations are
responsible for carrying out individual policy statements. Many policies
may require the establishment of some ongoing function or action. For
example, a purchasing policy might specify that a purchasing office be
created to process purchase requests, and that this office would be
responsible for ongoing actions. Responsibilities often include
identification of any relevant oversight and/or governance structures.
 Policy statements indicating the specific regulations, requirements, or
modifications to organizational behavior that the policy is creating. Policy
statements are extremely diverse depending on the organization and
intent, and may take almost any form.

Some policies may contain additional sections, including:

 Background, indicating any reasons, history, and intent that led to the
creation of the policy, which may be listed as motivating factors. This
information is often quite valuable when policies must be evaluated or
used in ambiguous situations, just as the intent of a law can be useful to a
court when deciding a case that involves that law.
 Definitions, providing clear and unambiguous definitions for terms and
concepts found in the policy document.

An Example of a security policy statement for a Corporate Organization:

CORPORATE SECURITY POLICY STATEMENT

The goal of TOTAL Corporate Security is to protect the company's employees, assets,
information, integrity and reputation from potential threats. This company commitment is guided
by the basic core values, code of conduct and business ethics which fashion and
influence the way we operate throughout the world. These core values include
professionalism, respect for employees and stakeholders and a permanent concern for
health, safety and the protection of the environment.

CORE PRINCIPLES

The Group recognizes that secure operations are dependent upon employee
participation, commitment and accountability. All security activities must adhere to the
general principles laid down in the Chairman's Charter. Where appropriate these are
elaborated below to provide the basis by which Corporate Security will shape the
direction and conduct of security.

1. The security and protection of employees must be the overriding priority of all
business activity.

2. Security policies and procedures must be implemented according to the Universal
Declaration of Human Rights, the international and national laws, and the Voluntary
Principles on Security and Human Rights. Respect for human dignity is paramount at all times.

3. Line management must be continually aware of and take responsibility for the
security aspects of its business activities. Security organization and resources must
reflect this commitment.

6. Security measures and procedures must be submitted to regular inspections,
validations and verifications by security specialists so as to maintain high levels of
security standards in TOTAL operations country-wide.

7. The level of professionalism, knowledge and integrity of staff involved in security
matters on behalf of TOTAL must be tightly controlled and exemplary. Appropriate
training plans, recruitment and contracting procedures must be established and
implemented.

8. All incidents, including security breaches and irregularities, must be reported and
recorded. Corrective action should be taken and followed up through the regular
verifications to improve the overall security standard.

9. Generally security forces used by TOTAL are non-armed guards. However, if no
other alternative exists to properly manage the risk, armed guards could be
used within the scope of legally and governmentally approved practices.
Armed guards must be selected carefully, trained regularly and supervised
closely.

10. Mindful of the need to introduce security measures to protect its employees and
local personnel, TOTAL nonetheless makes every effort to minimize the impact of
these measures on local communities.

As far as possible, security procedures and guidelines reflect the seamless
integration of security
Sample Corporate Security Policies

1. Materials security
Material being brought into the factory premises should be disclosed at the
security and a security gate pass to be obtained before carrying it into the
factory premises. Suspicious materials that come into the factory will be stopped
at the main gate and thoroughly investigated before being sent into the factory.
Material being taken out of the factory should be accompanied by a gate pass
signed by the appropriate authority. The same is to be produced before the
security on leaving the factory premises. Employees found taking out any
material(s) belonging to the factory without a valid gate / security pass are liable
for disciplinary action.

2. Movement Of Vehicles
All personnel bringing their own vehicles should put the security clearance
sticker in a prominent place on the vehicle that is visible to the security staff.
All non-personnel vehicles that come into the factory premises will be asked to
park outside the factory premises. All vehicles are liable to be checked by
security personnel while entering and leaving the factory premises.

3. Identity Cards
All employees are provided with an identity card (ID) which contains employee
particulars. The employee shall carry his / her ID card visibly at all
times when inside the factory and present it while entering or leaving the factory
or on demand by the security guard, supervisor or the HR department. The ID
cards shall be the property of the factory and should be surrendered to the HR
department on cessation of employment. Loss or damage of the ID card should
be notified to the HR department immediately, and a duplicate
card will have to be applied for using the Duplicate ID Card Issue Form. If the
employee loses or damages his / her ID card for the first time the ID card will be
replaced by the management free of charge. On loss or damage of an ID card
for the second time a fee of RM50 will be charged.

4. In and out of premises
Entrance and exit from the premises shall be through prescribed gates only and
every employee shall show his / her ID card to the security on duty while
passing through such gates. The gates may be closed during working hours at
the discretion of the management and employees must not leave the premises
during the working hours without prior written permission from the appropriate
authority. An employee who is not on duty shall not remain on the premises
without permission from the manager or his / her authorized official.

5. Visitor security
A visitor entering the factory must first be verified via the intercom to confirm that
the person he / she wishes to meet is available and where that person is; the visitor
then registers at the security office and obtains a visitor's pass. When leaving, the
visitor shall sign the visitors' register again at the security office, recording
his / her time of exit, and return the visitor's pass, duly signed by the person visited,
before leaving the factory premises. Visitors are liable to be checked by security
personnel while entering and leaving the factory premises. Visitors are not
to be allowed on the shop floor without the permission of the Local HR head /
Factory manager.
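The visitor rules above describe a sequence (intercom verification, registration, pass issue, countersigned return on exit) that the security office can audit against its register at the end of a shift. The following is an added example, not part of the study guide: a small Python model of a visitor-register audit with constructed sample entries; the field names, pass serials and visitor names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed model of one line in the security-office visitor register (assumed fields).
@dataclass
class VisitorEntry:
    visitor: str
    host: str
    verified_by_intercom: bool        # host confirmed available before registration
    time_in: datetime
    pass_number: str                  # hypothetical serial printed on the visitor's pass
    time_out: Optional[datetime] = None
    pass_returned: bool = False
    pass_signed_by_host: bool = False
    shop_floor_access: bool = False
    shop_floor_approved_by: Optional[str] = None   # who permitted shop-floor entry

SHOP_FLOOR_APPROVERS = {"Local HR head", "Factory manager"}

def audit_register(entries: List[VisitorEntry], now: datetime) -> List[str]:
    """Return one finding per rule broken; an empty list means the register is clean."""
    findings = []
    for e in entries:
        if not e.verified_by_intercom:
            findings.append(f"{e.visitor}: registered without intercom check that {e.host} was available")
        if e.time_out is None:
            findings.append(f"{e.visitor}: no exit recorded, pass {e.pass_number} open for {now - e.time_in}")
        elif not e.pass_returned:
            findings.append(f"{e.visitor}: signed out but pass {e.pass_number} was not returned")
        elif not e.pass_signed_by_host:
            findings.append(f"{e.visitor}: pass {e.pass_number} returned without {e.host}'s signature")
        if e.shop_floor_access and e.shop_floor_approved_by not in SHOP_FLOOR_APPROVERS:
            findings.append(f"{e.visitor}: on shop floor without Local HR head / Factory manager permission")
    return findings

# Constructed sample register for one day (names, hosts and times are made up).
SAMPLE_REGISTER = [
    VisitorEntry("A. Visitor", "Ms. Lim", True, datetime(2010, 5, 3, 9, 0), "VP-001",
                 time_out=datetime(2010, 5, 3, 10, 30), pass_returned=True, pass_signed_by_host=True),
    VisitorEntry("B. Visitor", "Mr. Tan", True, datetime(2010, 5, 3, 11, 0), "VP-002"),
    VisitorEntry("C. Visitor", "Mr. Raj", True, datetime(2010, 5, 3, 13, 0), "VP-003",
                 time_out=datetime(2010, 5, 3, 14, 0), pass_returned=True, pass_signed_by_host=False,
                 shop_floor_access=True, shop_floor_approved_by="Line supervisor"),
    VisitorEntry("D. Visitor", "Ms. Wong", False, datetime(2010, 5, 3, 15, 0), "VP-004",
                 time_out=datetime(2010, 5, 3, 15, 45), pass_returned=False),
]
AUDIT_TIME = datetime(2010, 5, 3, 18, 0)   # end-of-shift check by the security office

def audit_sample() -> List[str]:
    return audit_register(SAMPLE_REGISTER, AUDIT_TIME)
```

Running `audit_sample()` on the constructed register reports five findings: one visitor still on the premises, one pass returned unsigned, one unapproved shop-floor entry, one unverified registration and one pass not returned.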
6. Search of employee(s)
As deemed necessary, all employees entering or leaving the factory, at any time
and whilst within the premises, are liable to be searched by a person authorized to
do so by the manager, in order to ensure that they are not in unauthorized possession
of property belonging to the company or to other employees, or of any articles
prejudicial to the security of the factory or of other employees. In the case of a
female employee the search shall be carried out by another female person
authorized by the management.

7. Business materials
No employee shall take any paper, book, photograph, instrument, apparatus,
document or any other property of the factory or of the premises, nor shall he / she
in any way pass, or cause to be passed, or disclose, or cause to be disclosed, any
information or matter concerning the operations of the factory to any
unauthorized person, company or corporation without the written permission of
the Factory Manager.

8. Implementation of this policy

Any employee found in breach of the above rules shall be liable to disciplinary action
or may be suspended / terminated from service.
System Architecture
System architecture involves the construction of a structured security system which
encompasses various functional processes with a sequential functional flow,
providing protection for organizational assets and giving the organization
resilience when it is faced with adversities.

The structure in fig. 3 below illustrates the inter-connectedness of various
functions that may ensure a stable and predictable operating environment for an
organization.

Fig. 3: System management; System Operations; System Review and Control
Future Challenges to Security Management

The first of these is the speed of innovation. Every day, new technologies are
developed that have the potential to change the way we secure physical
property. Macro-economic changes and mergers & acquisitions mean business
environments can change virtually overnight, and changes in society can
represent a major security risk. In such a world, it has become virtually
impossible to determine your future security needs. The second trend is that the
lifetime of currently available security devices is becoming shorter. Every few
months, readers and CCTV cameras are replaced by newer versions. Is it really
a good idea to rely on today's products to cope with future security
requirements?

The third trend is that security management systems are becoming integrated
into the workplace. Not only do they take care of physical access control; the
same badge can also be used by an employee to pay for a meal in the cafeteria
or gain access to the company’s computer network. So whenever a company
decides to cope with new requirements by replacing its system, this can have a
huge impact on the day-to-day running of the organization.

Together, these three trends create what we refer to as the Security
Management Dilemma. New products based on existing technology clearly
cannot provide a satisfactory answer to this dilemma.
