June 2002 Mfg.Trust

Mfg.Trust is a monthly feature of the NCMS InfraGard Manufacturing Industry Association
Infrastructure assurance for manufacturers.
Powered by NCMS.


This month – Where to Begin: Integrating Security in Your Company
What to look for in your company’s strategy for combining physical, operational and information security




Editor's Preface: 

**Howard Kunreuther, codirector of the Risk Management Decision Processes Center at the Wharton School of the University of Pennsylvania, said flatly: "If you don't take steps to prevent losses and have backup systems and kinds of things that would help you recover, you could be in deep trouble . . . even if there is no disaster."

This month’s Mfg.Trust feature illustrates the first steps your company can use to integrate its security efforts and why it is important to do so. If you see efforts like this underway where you work, congratulations, you are among the fortunate! If not, you might use this material to inspire others to think about the issue.

Don’t be fooled into thinking that this sort of planning is just for big companies. Dr. Kunreuther has it right in his quote above. If you don’t have a plan, you’ll be caught by surprise and get in deep trouble – sooner or later. You’ll find constructive ideas in this feature that help you think about strengthening your company’s plans. You’ll find this month’s recommendations combine business, technical and human factors and suggest an integrated approach. (This is not new. NCMS has championed this theme since we started IMIA.)

Security planning is a big topic. There is much more to be said about integrating security than we can cover in one short article. We will continue on this theme, covering planning pitfalls to avoid, best practices, and implementation in our members-only Corner.Office feature later this month.

Our guest contributor this month is Carl Allen, President of InfoCore Associates. InfoCore has partnered with NCMS to produce a training series on Enterprise Security for which Carl is the principal instructor. A comprehensive e-learning instruction set on this topic is available at http://products.ncms.org under training and education.

Don’t forget that there is also an extensive page of links and resources available to you free at http://trust.ncms.org, under the Publications Index tab. These resources exist for this and every other Mfg.Trust feature.

John Sheridan (johns@ncms.org)

** As quoted in the Philadelphia Inquirer article entitled “Security Planning Increasingly Requires Attention of CEOs,” April 1, 2002.


WHERE TO BEGIN: INTEGRATING SECURITY IN YOUR COMPANY

Companies plan for enterprise security to protect their intellectual property (IP) and physical assets. Well-executed plans can reduce legal liability, provide privacy, and collect audit trails for use in disputes and fraud cases. Good security practices preserve the availability of your resources, your integrity, and your confidentiality to enhance the bottom line.

So, how do we begin? A strategy and a basic plan would be a good start.

A Strategy

Three factors will shape the enterprise security strategy: business, technical and people/organization.

Business factors are driven by industry direction and competitive forces. In the past decade that has meant globalization and time to market. This tends to place crucial company intellectual property in the hands of suppliers who may or may not view ethics the same way you do.

Technical factors are important too. The availability of a myriad of new technologies, based on inexpensive PCs, extensive networks and improved standards, drives our security choices. We are now presented with inexpensive choices that were not even choices, much less inexpensive ones, only a decade ago.

But (we assert) people and organization are the most important element in your strategy. Critical business functions such as finance are increasingly being performed by people who are not your employees. “Employee” no longer implies lifetime commitment. Yet, most employees, most of the time, are acting faithfully in the best interests of their company and need to be motivated to continue doing so. Draconian security measures are not motivating.

Starting to Plan

Plato’s command, “Know thyself,” has at least two useful extensions into security planning. Planning starts with a baseline that clarifies what we have and how we behave.

In a large organization no one person will know “what we have.” A group effort is required to inventory, assess, understand and outline the IT architecture & network configuration, to validate the physical security procedures, and to examine the operational and business processes for security.

A small organization may never have articulated a policy that describes “how we behave.” A basic security policy is not a plan. (This distinction itself is a longer story. See the resources page.) You can begin by calling the right people together to review or establish a draft of a basic security policy. Who are the right people? The first priority is to obtain executive management support. Earning that support demands a balanced, rational plan that shows good promise of efficient success, and describes success in terms of the business. (That’s what these NCMS training courses are about!) In addition to executive support, it is critically important to have legal, financial, HR, and production management supportive of the planning process, perhaps involved in a steering group. These are the areas most impacted by policy and planning.

Given clear ideas of “what we have” and “how we behave,” creating, implementing, and maintaining a successful plan becomes possible. Having established this inventory and basic security policy, the next steps are to perform business & IT risk analysis, and then to manage the dynamics of change. We’ll address these topics in future articles.

Your Action List

Don’t panic if this sounds like a lot of difficult work! You are not the first to take on this task. There are excellent guides and best practices available to help. Some are listed in the extensive resources page at http://trust.ncms.org, under the Publications Index tab, for this June 2002 Mfg.Trust feature.


Links:

Links have been moved to the Resources page.



Copyright 2004
National Center for Manufacturing Sciences