2015 Honeywell Users Group
Europe, Middle East and Africa
Workforce Management: Introducing a Policy Rules Engine to Industrial Security
Adrian Fielding, Honeywell
Damian Vassallo, RightCrowd
© 2015 Honeywell International All Rights Reserved
Ensuring Safety & Security of your Workforce
Integrated Protective Solutions
• Honeywell’s Integrated Protective Solutions deliver Safety Shutdown, Fire & Gas, Physical and Cyber Security holistically across process facilities.
• Together these solutions ensure that process, plant, people and environment are safer and more secure than ever before.
• They include independent yet interrelated layers of protection to prevent, detect and mitigate potential safety and security risks and threats.
Abstract
• Workforce Management: Introducing a policy rules engine to Industrial Security, Damian Vassallo, RightCrowd and Adrian Fielding, Honeywell
• This presentation will explain the emerging workforce assurance space and the methodologies for implementing an attribute-based access control system
• The conversation will focus on defining attributes and policies that a rules engine could enforce, i.e. near-real-time, condition-based access control
• When incorporated as part of an over-arching industrial security program, organizations can leverage powerful and robust business processes that aid and improve business performance
Workforce Assurance
Process
Structure
Reaction
Mental Model
Purpose
Improve the visibility and productivity of the business by:
• Mitigating physical security, safety and compliance vulnerabilities.
• Automating and standardizing people processes to improve productivity.
• Enabling the better management of our people and their costs in real-time.
Resource Management
Improve throughput
$ per hour / $ per person
Link Org Management to Business Function
Link Org Management to Business Process
THIS IS CHANGE
Purpose
• Collaboration between different areas of the company – HR, Finance, Operations, Compliance
• Assurance across the spectrum of Logical and Physical
‒ Logical – HR, Payroll, Active Directory, Task Applications
‒ Physical – Networks and Facilities (Data Centres, Vaults, Industrial Sites)
Purpose….
• Security events
‒ Location data, when "root" account is accessed (console of a server)
• Authorization to grant access
‒ Non-repudiation (Who is the Owner?)
‒ Multi-Level approval – link to Org Chart and Area Owners
‒ Separation of duties
• Validation checks differ
‒ Internal v 3rd Party contractors or visitors
Link Org Management to Business Process
Outcome
• Risk Reduction – Certainty that a task has been carried out
• Process Automation – Less manpower has achieved cost efficiency
Link Org Management to Business Process
Throughput
• Limit access to those who are approved, authorized, accredited and accounted for
‒ Background checks
‒ EHS (Compliance/Certifications)
‒ Appropriate commercials
• Seamless Interdepartmental process
‒ Chain of Approval / Delegation
• Immediacy
‒ One touch Termination (Logical and Physical)
‒ Employee, Contractor or Visitor
Resource Management
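The attribute checks listed on the "Purpose" and "Throughput" slides can be expressed as a small deny-by-default rules engine. This is an added illustration, not code from the presentation or from any Honeywell or RightCrowd product; the attribute names, approval roles and per-type policy table are assumptions chosen to mirror the slide bullets.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass
class AccessRequest:                        # subject and request attributes (assumed names)
    person: str
    kind: str                               # "employee", "contractor" or "visitor"
    requested_by: str
    approvals: dict = field(default_factory=dict)   # approval role -> approver name
    background_check: bool = False
    ehs_cert_expiry: Optional[date] = None
    contract_in_place: bool = False         # "appropriate commercials"
    escort: Optional[str] = None
    terminated: bool = False                # set by one-touch termination

# A rule takes (request, today) and returns None when satisfied, else a denial reason.
def require(attr, reason):
    return lambda r, today: None if getattr(r, attr) else reason
def active(r, today):
    return "identity terminated" if r.terminated else None
def ehs_current(r, today):
    ok = (r.ehs_cert_expiry or date.min) >= today
    return None if ok else "EHS certification missing or expired"
def approved_by(*roles):                    # chain of approval: every role must sign off
    def rule(r, today):
        missing = [role for role in roles if role not in r.approvals]
        return "missing approval: " + ", ".join(missing) if missing else None
    return rule
def separation_of_duties(r, today):         # nobody approves their own or a duplicate step
    names = list(r.approvals.values())
    clash = {r.requested_by, r.person} & set(names) or len(set(names)) < len(names)
    return "separation of duties violated" if clash else None

BASE = [active, separation_of_duties]
STAFF = BASE + [require("background_check", "no background check"), ehs_current,
                approved_by("line_manager", "area_owner")]
POLICY = {  # validation checks differ by workforce type
    "employee": STAFF,
    "contractor": STAFF + [require("contract_in_place", "no contract in place")],
    "visitor": BASE + [require("escort", "no escort"), approved_by("area_owner")],
}

def evaluate(r, today):
    """Return (granted, reasons); an unknown workforce type is denied by default."""
    unknown = [lambda r, today: "unknown workforce type"]
    reasons = [msg for rule in POLICY.get(r.kind, unknown) if (msg := rule(r, today))]
    return not reasons, reasons
```

Because every denial carries its reason, the returned list can be written straight to the audit trail alongside the decision.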
Outcome
• Compliance – Full audit trail of data
‒ What was it changed from
‒ What was it changed to
• Reporting – information packaged in real time
‒ map to specific requirements and for specific users
Resource Management
Mitigate Risks to Business Interruption
• Converge with DVM to increase / improve security performance
• Plan for peak periods and flow of workforce (Shutdowns)
• Correlate multiple data feeds
‒ Asset information to Personnel information
‒ Pre-emptive – Business Continuity/Evacuation Plans
Business Improvement
Ensuring / Insuring Brand Reputation
• Timeliness responding to emerging / ongoing crises
• Sophistication to IT Security
• Advanced Persistent Threat / Insider Threat
Conclusion
NO SILVER BULLET
• Workforce Assurance requires clear approaches to logical and PHYSICAL security
‒ Something you Own
‒ Something you Know
‒ Something you Are
• Prepare for aggression at a Cyber Level
‒ What are the sources and where can they be mitigated
• Situational Awareness of Assets and People
‒ Visibility and Value
‒ Trust
Logical / Physical Maturity Curve
Workforce Assurance Maturity Model
Level of Maturity
1. Unaware
‒ Total lack of awareness
‒ Spreadsheet Information
‒ One-off report requests
2. Tactical
‒ No Business sponsor
‒ Security in charge
‒ Limited users
‒ Data inconsistency and ad hoc systems
3. Focused
‒ Specific focus on a business need (e.g. attribute based management or fatigue management or contractor mobilization)
‒ Funding from business units on a project by project basis
‒ Specific set of users are realising value
4. Strategic
‒ Business Objectives drive Workforce Assurance with Performance Management Strategies
‒ Deploy an enterprise metrics framework
‒ Governance policies are defined and enforced
‒ Establish a balanced portfolio of standards
5. Pervasive
‒ Information is trusted across the company
‒ Workforce Assurance is extended to suppliers, customers and business partners
‒ Workforce Assurance analytics are inserted into and around the business processes
Unsupported Structures
Accessing Business Improvement TM
aiding with Health, Safety and Security decisions to support workforce assurance compliance reporting
Experiences from CXO
CSO
• Corporate Security – Reduce Risk / Establish Standards
• Automate Security Policy and Procedures
COO
• Who is working for me today?
• Are they known, authorised, accredited and accounted for at all times?
CFO
• Contractor Reconciliation (Plan v Actual) hours
• ROI of Mobilization expenditure
CIO
• Logical and Physical Identity Management
• Interoperability between systems
CEO
• Zero Harm
• Licence to Operate