September 24, 2007 ASIS International 2007 Conference
Convergence: Taking the Office of CSO from Cost Center to Bottom Line Contributor
Today’s Speakers
Moderators:
Laurie Aaron – Quantum Secure
Ray O’Hara, CPP – Vance
Panelists:
Robert Bastida – Oracle – Traditional Security
Derrick Wright – Baxter Healthcare – Traditional Security
Edward Levy – Pfizer - Traditional Security
Leslie Holbrook – Pfizer – Logical/Information Security
Sreenivas Kancharla – Symantec – Information Security
Convergence Roadmap
(diagram: Identify Business Drivers → Strategic Milestones → Tactical Milestones → Operational Milestones → Converged State)
Convergence
• Convergence initiatives that produce cost savings: People, Processes and Technology
• Business Drivers
• Environment before convergence
• Environment after convergence
• Anticipated and actual results
Who does what?
Traditional Security (Physical Security)
Logical Security
Information Security
Traditional Security (Physical Security): that part of security concerned with physical measures designed to safeguard personnel; to prevent unauthorized access to equipment, installations, material, and documents; and to safeguard them against espionage, sabotage, damage, and theft.
Logical Security consists of software safeguards for an organization’s systems, including user ID and password access, authentication, access rights and authority levels. These measures are to ensure that only authorized users are able to perform actions or access information in a network or a workstation. It is a subset of computer security.
Information Security is the process of protecting data from unauthorized access, use, disclosure, destruction, modification, or disruption. The terms information security, computer security and information assurance are frequently used interchangeably. These fields are interrelated and share the common goals of protecting the confidentiality, integrity and availability of information; however, there are some subtle differences between them. These differences lie primarily in the approach to the subject, the methodologies used, and the areas of concentration. Information security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print, or other forms.
Convergence
(diagram: overlapping circles for Information Security, Logical Security and Traditional Security. Items shown: Firewalls, Passwords, Business Continuity, Trade Compliance, Privacy Compliance, Audits, Computers, IT Support, Network Provisioning, Network Infrastructure hardware, Corporate Investigations, Intelligence, Travel security, Crisis Management, Executive Protection, Electronic Security Systems)
See the latest research on Convergence at http://www.aesrm.org
Taking the Office of CSO from Cost Center to Bottom Line Contributor
Robert Bastida, Senior Director Global Security
Background
• World’s Largest Enterprise Software Company
• $18 Billion Revenue
• 275,000 customers
• 145 countries
• 500+ offices worldwide
• 78,000 employees
Physical Security Systems Overview: Regional approach
• 60+ PACS worldwide
• Systems stand alone and networked
• Multiple Third Party monitoring
• Little integration of camera, intrusion detection or access control systems
• Multiple card formats
• Manual provisioning and deprovisioning
Where we want to be
• Centrally managed
• In house regional monitoring
• Systems integrated and networked
• Single card format
• Automated provisioning and deprovisioning
• PACS integrated with HR system and Network provisioning system
Anticipated results from convergence
• Reduction in costs
• Reduced headcount
• Automation
• Single identity
• Global policy and compliance reporting
Taking the Office of CSO from Cost Center to Bottom Line Contributor
Derrick Wright, Security Manager, Cherry Hill, NJ
Baxter Cherry Hill Security
Contributions to Bottom Line
Two primary contributions:
• Employee work time gained through process improvement
• Competitive differentiation supporting new business
We achieve these contributions within the context of the related business drivers which many departments apply. This is “security within the context of the business”.
Baxter Cherry Hill Security
Security Drivers
We have three categories of Security Drivers:
• Risk Management Drivers
• Laws, Regulations and Best Business Practices Drivers
• Corporate Decision Drivers (Business Drivers)
There are overlaps between categories. For example, given the high level of DEA/FDA regulation for pharmaceutical manufacturing, there are corporate decisions and management directives relating to compliance.
Baxter Cherry Hill Security
Business Drivers
Our key Business Drivers that impact Security are:
• Compliance
• Risk Management
• Fiscal Responsibility
• Kaizen (continuous incremental improvement)
• Lean (Lean Manufacturing – reduce costs, improve efficiency/effectiveness)
• Business Development
These drivers are what other departments are doing. We apply them, too.
Baxter Cherry Hill Security
A Key Strategy
Applying all of our security drivers, we develop security strategies.
A key strategy is to deploy an enterprise security system that enables:
• Centralized Physical Identity Management
• Role Based Access / Clearance Management
• Self-Service Administration
• Real-time FDA/DEA compliance enforcement for access across diverse Physical Security and Corporate Data Infrastructures (including multiple brands of physical access control systems)
Baxter Cherry Hill Security
Annual Cost Savings
Process improvement and automation: $162,716
• Cost reductions for on-boarding and off-boarding
• Change management cost reductions (lost cards, temporary cards, access changes, disable cards for vacation, etc.)
• Cost reductions for compliance enforcement, auditing and reporting
• Employee productivity regained by shortening processes and eliminating waiting times (hours and days)
Taking the Office of CSO from Cost Center to Bottom Line Contributor
Ed Levy, Director Headquarters and Global Security Operations
Company Profile
• Founded in 1849 in Brooklyn, New York, U.S.
• Headquarters in New York City
• Lines of business: Pharmaceutical Human Health; Animal Health Medicines and Vaccines
• World’s largest research-based biomedical and pharmaceutical company
• World’s largest animal health company and leader in annual R&D investment
• 89,000 employees worldwide
• Operates in more than 100 countries
• $48.4B Revenues (2006)
• $7.6B R&D (2006)
• $11B R&D therapeutic areas
• $1.7B in Pfizer Inc philanthropic contributions
People & Process Convergence
• Business Resiliency is the overarching goal
• Incorporates all disciplines to achieve objectives
– Physical Security
– Logical Security
– Personnel Safety & Security
– Compliance Management
– Information Management
– Crisis Management
– Business Continuity
• Governance structures
• Standardization
• Decision processes
• Language barriers
Results
• Efficient and effective technological solutions
• Seamless system interface
• Uncompromising to user needs
• Built-in integrity applications
• Regulatory compliance
• Cost benefit
• Life cycle management (training and maintenance)
• Human & System integration
Security Performance = Human Performance × Equipment Performance
Technology Convergence
Leslie Holbrook, Director Worldwide Business Technology
Card applications (diagram, repeated across three slides):
• Remote Network Access
• Access Control
• Digital Signature
• Two-factor Logon
• Cross-site Access
• Cashless Vending
Stakeholder groups shown: Technology Engineering, Technology Infrastructure, Line IT, Physical Security, Site Services, Digital Cert Services
Card technology (diagram):
• Operating frequency 125 kHz, read range up to 24": physical access, time & attendance
• Operating frequency 13.56 MHz, read range ~1" to ~4.5": biometrics, logical access, handheld / wireless, cashless vending
• Contact chip: digital credentials, applet storage, password wallet
Results
Wet signatures cost average = $30
Pfizer issues approx. 15K signatures per month
Operational cost savings due to digitizing signatures with card/chip technology estimated @ $450K/month
Convergence: Taking the Office of CSO from Cost Center to Bottom Line Contributor
Sreeni Kancharla, Sr. Manager Information Security
Sep 20, 2007
• Symantec has facilities in 40 countries accessed by 17,000+ employees and contractors
• Prior PACS landscape included Lenel, GE, Mirror3 and homegrown systems disconnected from ERP and corporate IT applications
• Prior key security operational processes consumed most resources:
– Physical security (SOX) compliance process
– Global PACS Identity & Credential Mgmt Process
Physical Access Mgmt & SOX Compliance Process – Prior to Convergence
(diagram: Remedy, PeopleSoft, VDS, SymPeople, Contractor Management and IT Infrastructure & Security feed Access Control, Visitor Mgmt and Disaster Recovery through batch updates and manual email updates; SOX compliance relies on manual audits and reports)
Secure access to facilities in 40+ countries supporting 30,000+ employees, contractors, and vendors.
Physical Access Mgmt & SOX Compliance Process – Post Convergence Strategy
Policy-Based Automated Physical Access Mgmt & Compliance
• Policies manage new hire, background checks, change in employment, and termination across physical security
• Enforce identities, roles and access levels of all personnel
• Auto-capture Data Center IT tickets from Remedy and HR changes from PSFT, and update Lenel, GE, VMS, LDRPS, SymSecure
• Common repository for SOX audits & compliance
• Policies for facility usage monitoring, employee self-service requests, anomalies, exceptions, approvals, etc.
(diagram: Remedy, SymPeople and IT Infrastructure & Security feed the policy engine, which updates Access Control, Visitor Mgmt, Disaster Recovery, Case Mgmt and SymSecure and produces Reports)
Technology Convergence
EIAM Infrastructure (diagram)
• Tibco Pub/Sub bus; PS 8.9 Pub
• Provisioning Engine, Access Management, Directory Services
• Master PACS (GE, Lenel) and Regional Server 1, 2, 3
• Appropriate access defined via business processes & rules
• User privileges are replicated from Master PACS (GE & Lenel) to regional servers for local building access
• Quantum Software: new technology that manages identity in PACS and unifies audits and reporting
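Baxter's key strategy (centralized physical identity management, role-based access, real-time compliance enforcement across several brands of PACS) and Symantec's policy-based automated process above describe the same engine: HR and ticketing events arrive, policy decides what access each identity should hold, the difference is pushed into each PACS, and every change lands in a common audit record. The Python below is an added illustration of that flow, not code from either company, from Quantum Secure, or from any PACS vendor; the roles, access levels, attribute names, event shapes, and the "lenel"/"ge" dictionaries that stand in for the real systems are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Policy tables: every name here is constructed for this illustration (hypothetical).
ROLE_POLICY = {                      # role -> access levels the role is entitled to
    "engineer":   {"LOBBY", "OFFICE"},
    "dc-ops":     {"LOBBY", "OFFICE", "DATA_CENTER"},
    "contractor": {"LOBBY"},
}
RESTRICTED = {"DATA_CENTER": "background_check"}   # level -> attribute that must be True first
PACS_BY_LEVEL = {"LOBBY": "lenel", "OFFICE": "lenel", "DATA_CENTER": "ge"}  # which PACS owns the door


@dataclass
class Identity:
    emp_id: str
    role: str
    status: str = "active"                      # active | terminated
    attributes: dict = field(default_factory=dict)


def desired_access(identity):
    """Access levels policy says this identity should hold right now (empty if unknown or terminated)."""
    if identity is None or identity.status != "active":
        return set()
    levels = set(ROLE_POLICY.get(identity.role, set()))
    for level, required in RESTRICTED.items():
        if not identity.attributes.get(required, False):
            levels.discard(level)                # restricted level withheld until the check clears
    return levels


class ProvisioningEngine:
    def __init__(self):
        self.identities = {}
        self.pacs = {"lenel": {}, "ge": {}}      # stand-ins for the PACS: name -> emp_id -> levels
        self.audit = []                          # the common repository used for SOX evidence

    def _record(self, emp_id, action, level, reason):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(), "emp_id": emp_id,
                           "action": action, "level": level, "reason": reason})

    def current_access(self, emp_id):
        """Union of what every PACS currently grants this identity."""
        return set().union(*(table.get(emp_id, set()) for table in self.pacs.values()))

    def reconcile(self, emp_id, reason):
        """Push the difference between policy and the PACS into the PACS, logging each change."""
        want = desired_access(self.identities.get(emp_id))
        have = self.current_access(emp_id)
        for level in sorted(want - have):
            self.pacs[PACS_BY_LEVEL[level]].setdefault(emp_id, set()).add(level)
            self._record(emp_id, "GRANT", level, reason)
        for level in sorted(have - want):
            self.pacs[PACS_BY_LEVEL[level]][emp_id].discard(level)
            self._record(emp_id, "REVOKE", level, reason)

    def handle_event(self, event):
        """Apply one HR or ticketing event (constructed shape) and reconcile that identity."""
        kind, emp_id = event["type"], event["emp_id"]
        if kind == "NEW_HIRE":
            self.identities[emp_id] = Identity(emp_id, event["role"])
        elif kind == "BACKGROUND_CHECK":
            self.identities[emp_id].attributes["background_check"] = event["result"] == "clear"
        elif kind == "ROLE_CHANGE":
            self.identities[emp_id].role = event["role"]
        elif kind == "TERMINATION":
            self.identities[emp_id].status = "terminated"   # de-provisions everything in one pass
        else:
            raise ValueError(f"unknown event type: {kind}")
        self.reconcile(emp_id, f"{event['source']}:{kind}")

    def compliance_exceptions(self):
        """Access present in a PACS that policy does not justify: the manual-audit finding, automated."""
        found = []
        for pacs_name, table in self.pacs.items():
            for emp_id, levels in table.items():
                allowed = desired_access(self.identities.get(emp_id))
                found.extend((pacs_name, emp_id, lvl) for lvl in sorted(levels - allowed))
        return found


# Constructed sample feed (hypothetical employees), in the order an HR system would emit it.
SAMPLE_EVENTS = [
    {"source": "PSFT", "type": "NEW_HIRE", "emp_id": "E100", "role": "dc-ops"},
    {"source": "PSFT", "type": "BACKGROUND_CHECK", "emp_id": "E100", "result": "clear"},
    {"source": "PSFT", "type": "NEW_HIRE", "emp_id": "E200", "role": "engineer"},
    {"source": "PSFT", "type": "ROLE_CHANGE", "emp_id": "E100", "role": "engineer"},
    {"source": "PSFT", "type": "TERMINATION", "emp_id": "E200"},
]


def run_demo(events=SAMPLE_EVENTS):
    engine = ProvisioningEngine()
    for event in events:
        engine.handle_event(event)
    engine.pacs["ge"]["E999"] = {"DATA_CENTER"}   # orphan left by a manual change (constructed)
    return engine


if __name__ == "__main__":
    eng = run_demo()
    for entry in eng.audit:
        print(entry["ts"], entry["emp_id"], entry["action"], entry["level"], entry["reason"])
    print("exceptions:", eng.compliance_exceptions())
```

Three behaviours carry the slide's point: a restricted level is withheld until the required attribute is present, so a new hire in a data-center role gets lobby and office access immediately and the data-center door only after the background check clears; a termination drives desired access to the empty set and the same reconcile pass revokes every level in every PACS; and compliance_exceptions() returns any access no current policy justifies, which is what the manual audits in the "prior to convergence" diagram found by hand.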
Overall Results
• Operational & Financial Impact
• Prior to the converged automated solution, 15 people worldwide managed disjointed processes such as card issuance (new hire provisioning), termination (de-provisioning), access privilege assignment, changes in role / access privileges, etc.
• Reduced headcount to 8 to manage system. (Redistributed work load and some reduction in headcount)
• Compliance auditing and reporting from manual to automated
• Net estimated savings of $100,000+ per year
Overall Results
Results of Symantec PACS SOX automation project
• Our collaboration on key security decisions established working relationships. Defining clear roles and responsibilities was a critical foundation for the deployment of these new strategic automation tools.
• The ability to automate and connect previously disjointed proprietary systems is now available and can bring dramatic ROI in the PACS environment.
• Symantec has found convergence to be as profitable as it is important to the fundamental enhancements it can bring to both security organizations.
© 2007 Symantec Corporation. All rights reserved.
THIS DOCUMENT IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY AND IS NOT INTENDED AS ADVERTISING. ALL WARRANTIES RELATING TO THE INFORMATION IN THIS DOCUMENT, EITHER EXPRESS OR IMPLIED, ARE DISCLAIMED TO THE MAXIMUM EXTENT ALLOWED BY LAW. THE INFORMATION IN THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT NOTICE.
Thank You!
Sreeni Kancharla
(650) 527-7405
Speaker Biographies
Speaker Biography
Mr. Robert Bastida is the Sr. Director of Corporate Security at Oracle, USA. For the past eight years, Mr. Bastida has focused on physical security in the protection of critical infrastructure, assets and personnel for Oracle. Mr. Bastida manages security operations globally, protecting 78,000 employees in over 145 countries.
Mr. Bastida’s background includes ten years in the public sector as a police officer for the city of South San Francisco and as an Investigator with the County District Attorney’s office in San Mateo, California. Mr. Bastida has sixteen years’ experience in the private sector in various corporate security leadership roles, previously with the Bechtel Corporation, a global engineering and construction company. Mr. Bastida graduated from Sacramento State University with a degree in Criminal Justice.
Mr. Bastida currently serves on the Governor’s High Tech Crime Advisory Committee representing California software manufacturers, and chairs the International Electronic Security Group, which represents nineteen of the top global security directors in the high tech industry.
Speaker Biography
Mr. Derrick Wright is the Security Manager for Baxter Healthcare in Cherry Hill, New Jersey. Mr. Wright has been a security practitioner for 17 years in a highly regulated pharmaceutical manufacturing environment. His focus has been on security management, training, audits, risk analysis, security architecture and administration, as well as business and management consulting.
Mr. Wright has recently deployed a converged strategy at Baxter Healthcare in Cherry Hill, which has created operational efficiencies and aligned the Security Department with the business goals of the organization.
Mr. Wright is a Convergence Council Member of the Open Security Exchange (OSE), where he provides insight and direction for their working group activities. Mr. Wright has a Bachelor’s degree from West Chester University and is a Certified Protection Professional (CPP), Board Certified in Security Management.
Speaker Biography
Mr. Edward M. Levy is the Director of Headquarters & Global Security Operations for Pfizer Inc. Mr. Levy oversees all aspects of safety and security for the Worldwide Headquarters in New York City and the Global Security Operations Center, where he is responsible for global travel security and crisis management. He retired from the US Army at the rank of Lieutenant Colonel with over 21 years of active service as a military police officer, serving in key command and staff positions in the United States and Europe. Ed Levy holds a BS from Western Carolina University and an MPA from the University of Oklahoma. He is also a graduate of the FBI National Academy and obtained the academic title of Assistant Professor while serving at the United States Military Academy.
Speaker Biography
Ms. Leslie Holbrook is Director, Worldwide Business Technology for Pfizer Inc. where she is responsible for the Risk Management application portfolio, consisting of solutions for physical security, business continuity, and environmental health and safety. Ms. Holbrook has been in IT for over twenty years, and during the last six has focused on demographics and identity management processes as they pertain to both Physical and Information Security, developing overarching solutions for a converged environment. She holds a BA from Smith College.
Speaker Biography
Sreeni Kancharla is Senior Manager, Information Security, at Symantec Corp., responsible for information security strategy, architecture and technology. In his role he supports the CISO in achieving security goals. He has over 12 years’ experience in Information Security, architecting and implementing Trust Management, Threat Management, Identity and Access Management, Risk Management, Information Assurance, and Security Convergence. Sreeni has spoken on various security topics at industry conferences including RSA, CSO media and ISC West. He is a guest lecturer at SJSU, teaching an MBA/MIS class on Information Security, Security Risk Management, and Information Assurance. Mr. Kancharla holds MS degrees in Computer Science and Information Systems, and is CISSP certified. Mr. Kancharla recently passed the CISM in June 2007.
Moderators
Ms. Laurie Aaron is the Sr. Director of Strategic Sales for Quantum Secure Corporation. Quantum Secure is an innovative young company providing software solutions which strongly align with many convergence initiatives facing today’s corporate enterprise. A strong proponent of the concept of converging Physical Security with Information Technology and Information Security, Ms. Aaron is recognized as a thought leader in the convergence arena. She is a founding member of the Open Security Exchange (OSE), a non-profit industry organization developed to accelerate the convergence of physical security with Information Technology, and has been keenly involved with the OSE since its inception in 2003. Ms. Aaron has over 12 years’ experience in the physical security industry, previously holding Sales Management roles at Software House-Tyco, Ingersoll Rand and HID.
Mr. Ray O'Hara is a Senior Vice President for Vance International Inc., a Garda company, and is responsible for bringing integrated, enterprise security solutions to clients using the company's full line of investigation and security consulting services. Mr. O'Hara has more than 30 years of expertise in corporate security and law enforcement, most recently as Founder and President of Ray O'Hara and Associates, a consulting firm specializing in business solutions. Mr. O'Hara's experience also includes the oversight of client matters in Europe, the Middle East, Asia, Africa and South America for a large, international security and investigations firm. In addition to his operational responsibilities, Mr. O'Hara established and managed workplace violence and Sarbanes-Oxley related training programs.
Mr. O'Hara previously served as the Secretary of the American Society for Industrial Security (ASIS) International Board as well as the president of the ASIS Professional Certification Board, Chair of the International Investigations Council and a member of the Substance Abuse Standing Committee. He also chairs the Alliance for Enterprise Security Risk Management of the three leading security organizations, which include ASIS International, ISACA and ISSA. Mr. O'Hara is board-certified in security management by ASIS International and is considered a Risk Vulnerability Expert with experience in analyzing and categorizing business vulnerabilities, homeland security initiatives, terrorism and political threats. He also consults with organizations involved in developing, analyzing and implementing the International Maritime Organization's Maritime Security guidelines.