September 24, 2007 ASIS International 2007 Conference Convergence: Taking the Office of CSO from Cost Center to Bottom Line Contributor

Today’s Speakers

Moderators:

Laurie Aaron – Quantum Secure

Ray O’Hara, CPP – Vance

Panelists:

Robert Bastida – Oracle – Traditional Security

Derrick Wright – Baxter Healthcare – Traditional Security

Edward Levy – Pfizer – Traditional Security

Leslie Holbrook – Pfizer – Logical/Information Security

Sreenivas Kancharla – Symantec – Information Security

Convergence Roadmap

[Diagram labels: Business Drivers; Strategic Milestones; Tactical Milestones; Operational Milestones; Identify; Converged State]

Convergence

• Convergence Initiatives that produce cost savings – People, Processes and Technology.

• Business Drivers

• Environment before convergence

• Environment after convergence

• Anticipated and actual results

Who does what?

Traditional Security (Physical Security)

Logical Security

Information Security

Who does what?

Traditional Security (Physical Security): That part of security concerned with physical measures designed to safeguard personnel; to prevent unauthorized access to equipment, installations, material, and documents; and to safeguard them against espionage, sabotage, damage, and theft.

Who does what?

Logical Security consists of software safeguards for an organization’s systems, including user ID and password access, authentication, access rights and authority levels. These measures are to ensure that only authorized users are able to perform actions or access information in a network or a workstation. It is a subset of computer security.

Who does what?

Information Security is the process of protecting data from unauthorized access, use, disclosure, destruction, modification, or disruption. The terms information security, computer security and information assurance are frequently used interchangeably. These fields are interrelated and share the common goals of protecting the confidentiality, integrity and availability of information; however, there are some subtle differences between them. These differences lie primarily in the approach to the subject, the methodologies used, and the areas of concentration. Information security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print, or other forms.

Convergence

[Diagram: overlapping domains labelled Information Security, Logical Security and Traditional Security. Functions shown: Firewalls; Passwords; Computers; IT Support; Network Provisioning; Network Infrastructure hardware; Audits; Business Continuity; Trade Compliance; Privacy Compliance; Corporate Investigations; Intelligence; Travel security; Crisis Management; Executive Protection; Electronic Security Systems]

See the latest research on Convergence at http://www.aesrm.org

Taking the Office of CSO from Cost Center to Bottom Line Contributor

Robert Bastida

Senior Director Global Security

Background

• World’s Largest Enterprise Software Company

• $18 Billion Revenue

• 275,000 customers

• 145 countries

• 500 + offices world wide

• 78,000 employees

Physical Security Systems Overview

Regional approach

• 60 + PACS world wide

• Systems stand alone and networked

• Multiple Third Party monitoring

• Little integration of camera, intrusion detection or access control systems

• Multiple card formats

• Manual provisioning and deprovisioning

Where we want to be

• Centrally managed

• In house regional monitoring

• Systems integrated and networked

• Single card format

• Automated provisioning and deprovisioning

• PACS integrated with HR system and Network provisioning system

Anticipated results from convergence

• Reduction in costs

• Reduced headcount

• Automation

• Single identity

• Global policy and compliance reporting

Taking the Office of CSO from Cost Center to Bottom Line Contributor

Derrick Wright

Security Manager

Cherry Hill, NJ

Baxter Cherry Hill Security

Contributions to Bottom Line

Two primary contributions:

• Employee work time gained through process improvement

• Competitive differentiation supporting new business

We achieve these contributions within the context of the related business drivers which many departments apply.

This is “security within the context of the business”.

Baxter Cherry Hill Security

Security Drivers

We have three categories of Security Drivers:

• Risk Management Drivers

• Laws, Regulations and Best Business Practices Drivers

• Corporate Decision Drivers (Business Drivers)

There are overlaps between categories. For example, given the high level of DEA/FDA regulation for pharmaceutical manufacturing, there are corporate decisions and management directives relating to compliance.

Baxter Cherry Hill Security

Business Drivers

Our key Business Drivers that impact Security are:

• Compliance

• Risk Management

• Fiscal Responsibility

• Kaizen (continuous incremental improvement)

• Lean (Lean Manufacturing – reduce costs, improve efficiency/effectiveness)

• Business Development

These drivers are what other departments are doing. We apply them, too.

Baxter Cherry Hill Security

A Key Strategy

Applying all of our security drivers, we develop security strategies.

A key strategy – Deploy an enterprise security system that enables:

• Centralized Physical Identity Management

• Role Based Access / Clearance Management

• Self-Service Administration

• Real-time FDA/DEA compliance enforcement for access

across diverse Physical Security and Corporate Data Infrastructures (including multiple brands of physical access control systems)

Baxter Cherry Hill Security

Annual Cost Savings

Process improvement and automation: $162,716

• Cost reductions for on-boarding and off-boarding

• Change management cost reductions (lost cards, temporary cards, access changes, disable cards for vacation, etc.)

• Cost reductions for compliance enforcement, auditing and reporting

• Employee productivity regained by shortening processes and eliminating waiting times (hours and days)

Taking the Office of CSO from Cost Center to Bottom Line Contributor

Ed Levy

Director Headquarters and Global Security Operations

Company Profile

• Founded in 1849 in Brooklyn, New York, U.S.

• Headquarters in New York City

• Lines of business:

– Pharmaceutical Human Health

– Animal Health Medicines and Vaccines

• World’s largest research-based biomedical and pharmaceutical company

• World’s largest animal health company and leader in annual R&D investment

• 89,000 employees worldwide

• Operates in more than 100 countries

• $48.4B Revenues (2006)

• $7.6B R&D (2006)

• $11B R&D therapeutic areas

• $1.7B in Pfizer Inc philanthropic contributions

People & Process Convergence

• Business Resiliency is the overarching goal

• Incorporates all disciplines to achieve objectives

– Physical Security - Crisis Management

– Logical Security - Business Continuity

– Personnel Safety & Security

– Compliance Management

– Information Management

• Governance structures

• Standardization

• Decision processes

• Language barriers

Results

• Efficient and effective technological solutions

• Seamless system interface

• Uncompromising to user needs

• Built-in integrity applications

• Regulatory compliance

• Cost benefit

• Life cycle management (training and maintenance)

• Human & System integration

Security Performance = Human Performance × Equipment Performance

Technology Convergence

Leslie Holbrook

Director Worldwide Business Technology

Remote Network Access

Access Control

Digital Signature

Two-factor Logon

Cross-site Access

Cashless Vending

[Diagram labels: Technology Engineering; Technology Infrastructure; Line IT; Physical Security; Physical Security; Site Services; Digital Cert Services; Physical Security]

Operating frequency: 125kHz, Read range: up to 24"

• physical access

• time & attendance

Operating frequency: 13.56MHz, Read range: ~1" to ~4.5"

• biometrics

• logical access

• handheld / wireless

• cashless vending

Contact chip

• digital credentials

• applet storage

• password wallet

Results

Wet Signatures cost average = $30

Pfizer issues approx. 15K signatures per month

____________________________________________

Operational Cost savings due to digitizing signatures with card/chip technology estimated @ $450K/month

Convergence: Taking the Office of CSO from Cost Center to Bottom Line Contributor

Sreeni Kancharla, Sr. Manager Information Security

Sep 20, 2007

• Symantec has facilities in 40 countries accessed by 17,000+ employees and contractors

• Prior PACS landscape includes Lenel, GE, Mirror3 and homegrown systems disconnected from ERP & Corp. IT applications

• Prior key security operational processes consumed most resources:

– Physical security (SOX) compliance process

– Global PACS Identity & Credential Mgmt Process

Physical Access Mgmt & SOX Compliance Process – Prior to Convergence

[Diagram labels: Access Control; Visitor Mgmt; Disaster Recovery; Remedy; PeopleSoft; VDS; SymPeople; Contractor Management; IT Infrastructure & Security; Batch Update; Manual Email Updates; Manual Audits; Reports; SOX Compliance]

Secure access to facilities in 40+ countries supporting 30,000+ employees, contractors, and vendors.

Physical Access Mgmt & SOX Compliance Process – Post Convergence Strategy

Policy-Based Automated Physical Access Mgmt & Compliance

• Policies Manage New hire, Background checks, Change in employment, and Termination across physical security

• Enforce identities, roles and access levels of all personnel

• Auto-capture Data Center IT Tickets from Remedy, HR changes from PSFT, and update Lenel, GE, VMS, LDRPS, SymSecure

• Common Repository for SOX Audits & Compliance

• Policies for Facility Usage monitoring, Employee Self-Service request, Anomalies, exceptions, Approvals, etc.

[Diagram labels: Reports; Case Mgmt; SymSecure; Access Control; Visitor Mgmt; Disaster Recovery; IT Infrastructure & Security; Remedy; SymPeople]

Technology Convergence

EIAM Infrastructure

[Diagram labels: Tibco; PS 8.9 Pub; Pub/Sub; Provisioning Engine; Access Management; Directory Services; Regional Server 1; Regional Server 2; Regional Server 3; GE; Lenel; Quantum Software]

Appropriate access defined via business processes & rules

User privileges are replicated from Master PACS (GE & Lenel) to regional servers for local building access

• New technology that is managing identity in PACS, and unifying audits and reporting.

Overall Results

• Operational & Financial Impact

• Prior to the converged automated solution, 15 people worldwide managed disjointed processes such as card issuance (new hire provisioning), termination (de-provisioning), access privilege assignment, changes in role / access privileges, etc.

• Reduced headcount to 8 to manage system. (Redistributed work load and some reduction in headcount)

• Compliance auditing and reporting from manual to automated

• Net estimated savings in the $100,000 + per yr.

Overall Results

Results of Symantec PACS SOX automation project

Overall Results

• The overall results of our collaboration on key security decisions with the establishment of working relationships. Defining clear roles and responsibilities was a critical foundation for the deployment of these new strategic automation tools.

• The ability to automate and connect previously disjointed proprietary systems is now available and can bring dramatic ROI, in the PACS environment.

• Symantec has found convergence to be as profitable as it is important to the fundamental enhancements it can bring to both security organizations.

© 2007 Symantec Corporation. All rights reserved.

THIS DOCUMENT IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY AND IS NOT INTENDED AS ADVERTISING. ALL WARRANTIES RELATING TO THE INFORMATION IN THIS DOCUMENT, EITHER EXPRESS OR IMPLIED, ARE DISCLAIMED TO THE MAXIMUM EXTENT ALLOWED BY LAW. THE INFORMATION IN THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT NOTICE.

Thank You!

Sreeni Kancharla

(650) 527-7405

Speaker Biography

Taking the Office of CSO from Cost Center to Bottom Line Contributor

Speaker Biography

Mr. Robert Bastida is the Sr. Director of Corporate Security at Oracle, USA. For the past eight years, Mr. Bastida has focused on physical security in the protection of critical infrastructure, assets and personnel for Oracle. Mr. Bastida manages security operations globally protecting 78,000 employees in over 145 countries.

Mr. Bastida’s background includes ten years in the public sector as a police officer for the city of South San Francisco and as an Investigator with the County District Attorney’s office in San Mateo, California. Mr. Bastida has sixteen years’ experience in the private sector in various corporate Security leadership roles. Previously with the Bechtel Corporation, a global engineering and construction company. Mr. Bastida graduated from Sacramento State University with a degree in Criminal Justice.

Mr. Bastida currently serves on the Governor’s High Tech Crime Advisory Committee representing California software manufacturers, and chairs the International Electronic Security Group, which represents nineteen of the top global security directors in the high tech industry.

Speaker Biography

Mr. Derrick Wright is the Security Manager for Baxter Healthcare in Cherry Hill, New Jersey. Mr. Wright has been a security practitioner for 17 years in a highly regulated pharmaceutical manufacturing environment. His focus has been on security management, training, audits, risk analysis, security architecture and administration, as well as business and management consulting.

Mr. Wright has recently deployed a converged strategy at Baxter Healthcare in Cherry Hill, which has created operational efficiencies and aligned the Security Department with the business goals of the organization.

Mr. Wright is a Convergence Council Member of the Open Security Exchange (OSE) where he provides insight and direction for their working group activities. Mr. Wright has a Bachelor Degree from West Chester University, is a Certified Protection Professional (CPP) - Board Certified in Security Management.

Speaker Biography

Mr. Edward M. Levy is the Director of Headquarters & Global Security Operations for Pfizer Inc. Mr. Levy oversees all aspects of safety and security for the Worldwide Headquarters in New York City and the Global Security Operations Center, where he is responsible for global travel security and crisis management. He retired from the US Army at the rank of Lieutenant Colonel with over 21-years of active service as a military police officer, serving in key command and staff positions in the United States and Europe. Ed Levy holds a BS from Western Carolina University and a MPA from the University of Oklahoma. He is also a graduate of the FBI National Academy and obtained the academic title of Assistant Professor while serving at the United States Military Academy.

Speaker Biography

Ms. Leslie Holbrook is Director, Worldwide Business Technology for Pfizer Inc. where she is responsible for the Risk Management application portfolio, consisting of solutions for physical security, business continuity, and environmental health and safety. Ms. Holbrook has been in IT for over twenty years, and during the last six has focused on demographics and identity management processes as they pertain to both Physical and Information Security, developing overarching solutions for a converged environment. She holds a BA from Smith College.

Speaker Biography

Sreeni Kancharla is Senior Manager, Information Security, at Symantec Corp., responsible for information security strategy, architecture and technology. In his role he supports the CISO in achieving security goals. He has over 12 years experience in Information Security architecting and implementing Trust Management, Threat management, Identity and Access Management, Risk Management, Information Assurance, and Security Convergence. Sreeni has spoken on various security topics at industry conferences including RSA, CSO media and ISC West. He is a guest lecturer at SJSU teaching MBA/MIS class on Information Security, Security Risk Management, and Information Assurance. Mr. Kancharla holds MS degrees in Computer Science and Information Systems, and is CISSP certified. Mr. Kancharla recently passed the CISM in June 2007.

Moderators

Ms. Laurie Aaron is the Sr. Director of Strategic Sales for Quantum Secure Corporation. Quantum Secure is an innovative young company, providing software solutions which strongly align with many convergence initiatives facing today’s corporate enterprise. A strong proponent of the concept of converging Physical security with Information Technology and Info Security, Ms. Aaron is recognized as a thought leader in the convergence arena. She is a founding member of the Open Security Exchange (OSE), a non-profit industry organization developed to accelerate the convergence of physical security with Information Technology. She has been keenly involved with the OSE since its inception in 2003. Ms. Aaron has over 12 years experience in the physical security industry, previously holding Sales Management roles at Software House-Tyco, Ingersoll Rand and HID.

Mr. Ray O'Hara is a Senior Vice President for Vance International Inc., a Garda company, and is responsible for bringing integrated, enterprise security solutions to clients using the company's full line of investigation and security consulting services. Mr. O'Hara has more than 30 years of expertise in corporate security and law enforcement, most recently as Founder and President of Ray O'Hara and Associates, a consulting firm specializing in business solutions. Mr. O'Hara's experience also includes the oversight of client matters in Europe, the Middle East, Asia, Africa and South America for a large, international security and investigations firm. In addition to his operational responsibilities, Mr. O'Hara established and managed workplace violence and Sarbanes-Oxley related training programs.

Mr. O'Hara previously served as the Secretary of the American Society for Industrial Security (ASIS) International Board as well as the president of the ASIS Professional Certification Board, Chair of the International Investigations Council and a member of the Substance Abuse Standing Committee. He also chairs the Alliance for Enterprise Security Risk Management of the three leading Security Organizations, which include ASIS International, ISACA and ISSA. Mr. O'Hara is board-certified in security management by ASIS International and is considered a Risk Vulnerability Expert with experience in analyzing and categorizing business vulnerabilities, homeland security initiatives, terrorism and political threats. In addition to consulting with organizations involved in developing, analyzing and implementing the International Maritime Organizations Maritime Security guidelines.