©2007 Security Executive Council. All Rights Reserved.
© 2014 The Security Executive Council. All rights reserved.
Companion to Measures and Metrics in Corporate Security
by George K. Campbell
An SEC Customizable Senior Management Presentation Tool
• Sample metrics from Measures and Metrics in Corporate Security
• Presentation application recommendations
• Charts are customizable
• Includes faculty coaching notes on how to use the sample metrics effectively
Series 1
These metrics samples are directly related to the Security Executive Council's publication, Measures and Metrics in Corporate Security, second edition, and are a logical outgrowth of that book inasmuch as a variety of graphical presentations (e.g., charts and graphs) are the desired outputs of a proactive metrics program.
These provide either ideas or a template for you to use to communicate as managers and advisors on risk. They were designed so you can easily plug in your program data and customize the terminology, company name/logo, etc. Note that the data in these samples are placeholder numbers and do not represent benchmark results; however, they correspond to genericized presentations that have been used in real companies and were found to resonate with senior management. Included in the PowerPoint notes section are application advice and usage notes by Council Faculty (select View > Notes Page). Double click on many of the graphs to see the embedded Excel spreadsheet in order to quickly change the placeholder data to your own.
Why are these useful? It's about communication and risk. As security executives, managers, and professionals, we are paid to be effective risk managers. The risk inventory confronting our diverse corporate environments has substantially broadened and deepened in the past several years. Our counsel is increasingly sought in board rooms and before audit committees who are now held to higher standards of objective oversight. How do we communicate with these executives and others on the governance team? Present what you have learned, convince with facts, and influence. "Brief me" means just that. Be brief and lead your audience to a conclusion. We believe that with the wide variety of corporate security measures and metrics samples included in this presentation, you will be inspired to look for new ways to convey the value and impact of your security program.
Introduction and Instructions
Sources for Finding Program Data
There are many places to uncover and measure data, which include:
• Survey or audit findings
• Data gathered in security or IT system logs or incident follow-up
• Random awareness polls taken at employee entry points or company events
• Scorecards: Feedback to business units on periodic reviews of security effectiveness
• Incidents attributable to security deficiencies this period vs. last period
• Case volumes compared to case cost by quarter
• Losses vs. recoveries
• Customer feedback exercises
• Risk assessments: Vulnerability/effectiveness tests of specific security measures
• Data on contributing causes and effectiveness of proposed solutions from incident post mortems/lessons-learned analyses
• A current status measured against an industry standard or internal objective, performance against planned objectives
• A selected comparative measure across multiple benchmark partners
• Tracking the impact of security measures against a specific trend to assess mitigation results
• Plotting frequency (vertical) and severity (horizontal) for multiple incidents with common findings from post mortems to demonstrate need for changed policy or practice
• Comparisons of internal business processes using selected data that may contribute to risk exposure and show how each unit compares to each member of the sample
• Calculating percentage to completion, budget burn to plan, etc.
• Cost/benefit and cost/effectiveness calculations for security measures
• Comparison of like statistics from insurance and risk organizations, law enforcement, industry, professional associations and others
• Specific security cost per selected measure (employee, square foot, dollar of revenue or sales, etc.)
• Investigative findings, cost of incidents from initial investigation to recovery
• Six Sigma failure modes and effects analysis
• Security device probability of detection/other data from sensor manufacturers or independent laboratory test data
• Assessments against stated capabilities of contracted success rates of vendor services or products
• Anticipated impacts of a new security measure revealed in a risk-mapping exercise
• Frequency of requests for security services this period vs. last
• Uptime or downtime of critical processes
• Time calculations of response resources to calls for service
• Rate data: Us vs. them or this period vs. past
• Number of incidents year-to-year or quarter-to-quarter
In color-coded dashboards or graphs, the scoring mechanism (i.e., ranges for red, yellow and green status) is up to you based on your data and how you define program success (green), shortcomings (yellow) or failure (red) and to what degree. Be consistent once you establish a measure of progress or degradation.
Security's Balanced Scorecard
Vision & Strategy sit at the center; the four perspectives around it are:
• Financial Perspective: How do we look to shareholders? What goals and measures in safety, security, integrity or other safeguards are perceptible to shareholders?
• Innovation & Learning Perspective: Can we continue to improve and create value? What goals and measures are calculated to improve security at reduced cost and thereby add value?
• Customer Perspective: How do our customers see us? What goals and measures will contribute to customer satisfaction and our ability to deliver value to them?
• Internal Business Perspective: What should we excel at? What goals and measures in our key protection programs demonstrate best-in-class practices?
Business Unit Compliance With Organizational Policy*
(* Based upon Internal Audit reports for the most recent fiscal year)
Critical Asset Risk
Survey of Security Policy Awareness (Conducted Q2/05, 397 Responses = 62% Response Rate)
[Chart: awareness score 0 to 100 by topic (Internet Use; Safe/Secure Workplace; Access to Corporate Systems; Confidential Reporting; Information Protection), broken out by Sales Div. (N=247), Admin. Svcs. (N=94) and Exec. Group (N=56)]
Probability of Loss* (percent probable)
*(Based on vulnerability tests conducted during the period 3/15/13-4/30/13)
Organizational Integrity Dashboard: Our Critical Business Processes (This Year vs. Last Year)
• Critical business process risk assessments with approved resolutions: 98 of 112 vs. 64 of 106
• % updated & tested business continuity plans with associated remedial actions
• % of information security policy compliance reviews with no policy violations
• % of security incidents that exploited existing vulnerabilities with known solutions: 29% vs. 9%
• % audited compliance with applicable business integrity regulations
(Percentage values shown on the dashboard for the remaining measures: 85%, 78%, 77%, 31%, 97%, 58%)
Annual In-source Vs. Outsource Review
[Chart: two panels, cost scale $50 to $300. Investigations: in-house Security vs. Outsourced Vendors A, B, C, D. Information Security: in-house Security vs. Outsourced Vendors W, X, Y, Z]
How Secure Are We: This Year vs. Last
[Chart: counts 0 to 140, This Year vs. Last Year, each bar annotated with a +, ++ or (-) direction indicator]
• Business continuity tests successfully completed
• Security risks proactively identified and mitigated
• Hi-risk business processes outsourced without a comprehensive risk assessment
• Notable security-related audit findings involving critical business processes
• Unanticipated cyber attacks resulting in business interruption
• Insider misconduct cases resulting in termination and/or prosecution
Security Technology Returns on the Investment
(Security technology enables fewer security personnel)
Risk Ranking Business Units
| Business unit | Head count | Site risk (1-5) | Internal incidents involving trusted insiders | Current risk analysis & plan | High risk business processes (1-5) | Risky hires | Business interruption with impact | Level of info. security risk (1-5) | Overall risk score |
| Alpha | 505 | 2 | 10 | yes | 5 | 3 | 3 | 5 | ? |
| Beta | 1,176 | 4 | 85 | no | 3 | 54 | 0 | 1 | ? |
| Gamma | 203 | 3 | 4 | yes | 2 | 0 | 1 | 2 | ? |
| Delta | 1,459 | 5 | 113 | no | 4 | 21 | 17 | 2 | ? |
Tracking Trends
[Three trend charts, each marked "Good":
• Security cost per sq. ft. trends down ($0.16 to $0.23, Q1 2004 to Q3 2005)
• Headcount per security employee trends up (75 to 150, Q1 2004 to Q3 2005)
• Security cost per employee on a consistent downward trend ($0 to $150, Q1 2004 to Q4 2005)]
Key Findings from Incident Post Mortems
Master Control System Uptime Reliability (Most recent 30 day rolling average with trend line; 99.9% uptime objective)
Health & Safety Dashboard
[Chart: values 0 to 100 for 2003, 2004 and 2005; series: Life Safety Inspections; H&S Policy Awareness Testing; Calls to H&S Hotline; # First Responders Trained; H&S Crisis Plan Testing; # Employee Days Lost to H&S Issues]
AJAX Corp. 2005 Recruiting Analysis:
[Chart: 2005 hires by division (Sales Division; Research Dept.; Fabrication & Assembly Div.; Administrative Svcs. Division; Customer Support Div.), Internal HR Recruiting vs. External Staffing Agency; hire counts shown on the chart: 230, 35, 769, 81, 178, 1293, 58, 0, 4 and 3, 5, 22, 41, 119, 15, 17]
Recruits with Adverse Backgrounds: 87 / 31% and 197 / 69%
Laptop Thefts: Charting a Solution
[Trend chart annotated with the actions taken, in order:]
• Badge Awareness Program
• Access limitations imposed at key entries
• Commence ticketing unsecured laptops
• Cable locks installed
• Security commences seizing unsecured laptops
• Key arrests made
• Public/Private Communications
Employee Safety: Annual Evacuation Drill
[Chart: minutes to evacuate (0 to 45) at Corporate Locations Site 1 through Site 9, against a Test Objective line; values shown, Site 1 to Site 9: 16, 22, 43, 20, 33, 14, 31, 0, 15; annotations: "Failed to participate" and "New Floor Warden"]
Quarterly Accident Rates
[Chart: counts 0 to 60 by quarter (1st Qtr to 4th Qtr); series: Injuries - non-machinery; Injuries - machinery; Vehicle accidents; Days of worker absences; Workman's Comp claims; Injuries - non-employee; Workplace Violence incidents]
Calls for Security Services - 2006
Lessons from Workplace Violence Incident
Area of Risk:
• Increased frequency and severity of workplace violence incidents
Contributing Cause:
• For past year 42% involved spousal conflicts with restraining orders
• Post mortems indicate poor coordination and training of HR and Security personnel
• Security not informed of pending terminations
• 34% on night shift & involved alcohol
Mitigating Actions:
• Workplace violence protocols and training implemented
• New policy encourages notification of HR of restraining orders
• Engagement by HR/EAP on late shift
• Managing Aggressive Behavior training for 1st line supervisors
• No alcohol on-premises policy issued
• Joint HR/Security Intervention Team formed
Measures:
• Improved intervention techniques reduce confrontations
• New protocols result in improved notification and reduced instances of confrontation
• Increased reporting and reduced number of cases involving restraining orders
• Reduced night shift cases involving alcohol
Response Times for First Responder Services
[Chart: response times plotted against a Goal line]
Information Identification Dashboard
• There is a logging process to record the source, time and duration of all user logins
• Approved standard access definitions have been established & are verified for all applications
• User IDs are suspended until reset after three unsuccessful attempts to enter a password
• Scheduled reviews of continued need for 3rd party access privileges are in place
• There is an automated process for disabling IDs for terminated users and inactive IDs
• All system users are required to enter two forms of unique identification to access applications
• Accountability is clearly established for assigning & maintaining a list of all user IDs
Attempts to Access Blocked Internet Sites: 14 Days Prior and 14 Days After Advertisement of Policy Prohibition
[Chart annotation: Policy distributed and acknowledged by all employees]
Executive Protection Engagement
Six Sigma Failure Modes & Effects Analysis for 4 Potentially Consequential Security Incidents*
[Chart scale: 0 to 10 for each factor]
| Incident | Severity | Probability | Detection Ability | Score |
| Laptop theft: unencrypted customer data w/ disclosure | 8 | 7.5 | 8 | 480 |
| Order system sabotage by unvetted 3rd party vendor with access privileges | 5 | 8 | 4 | 160 |
| Workplace violence: failure to acknowledge violent history | 8 | 7 | 8 | 448 |
| Undetected break-in: failure of alarm system @ CEO residence | 8 | 2 | 2 | 32 |
* Based on vulnerability tests conducted Q3-4/06
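The scores on this slide are the product of the three FMEA factors (8 x 7.5 x 8 = 480, 5 x 8 x 4 = 160, 8 x 7 x 8 = 448, 8 x 2 x 2 = 32). The following Python is an added example, not part of the Council's presentation tool: it recomputes and ranks those scores from the slide's placeholder numbers, assigns the red/yellow/green status that the color-coded dashboard guidance earlier in this deck leaves up to you (the thresholds 300 and 100 are assumptions for illustration), and shows how a proposed control changes a scenario's score, which is the "anticipated impact of a new security measure" item in the data-sources list.

```python
"""FMEA-style prioritisation of security incident scenarios.

Score = Severity x Probability x Detection Ability, as on the slide.
The red/yellow/green thresholds are an assumed example, not SEC guidance.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    name: str
    severity: float      # 1-10: consequence if the incident occurs
    probability: float   # 1-10: likelihood of occurrence
    detection: float     # 1-10: higher means harder to detect before impact

    def score(self) -> float:
        return self.severity * self.probability * self.detection


# Placeholder data from the slide (not benchmark results).
SCENARIOS = [
    Scenario("Laptop theft: unencrypted customer data w/ disclosure", 8, 7.5, 8),
    Scenario("Order system sabotage by unvetted 3rd party vendor", 5, 8, 4),
    Scenario("Workplace violence: failure to acknowledge violent history", 8, 7, 8),
    Scenario("Undetected break-in: alarm failure at CEO residence", 8, 2, 2),
]

# Assumed dashboard thresholds; the maximum possible score is 10 x 10 x 10 = 1000.
RED_AT = 300
YELLOW_AT = 100


def status(score: float) -> str:
    """Map a score to the dashboard colour using the assumed thresholds."""
    if score >= RED_AT:
        return "red"
    if score >= YELLOW_AT:
        return "yellow"
    return "green"


def rank(scenarios):
    """Return (name, score, status) tuples, highest score first."""
    rows = [(s.name, s.score(), status(s.score())) for s in scenarios]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def mitigated(scenario: Scenario, **changes) -> Scenario:
    """What-if copy of a scenario with one or more factors changed by a control.

    Example: full-disk encryption does not stop laptops being stolen, but it
    removes the disclosure, so the detection/impact factor drops sharply.
    """
    return replace(scenario, **changes)


if __name__ == "__main__":
    for name, sc, st in rank(SCENARIOS):
        print(f"{st:6} {sc:6.0f}  {name}")
    encrypted = mitigated(SCENARIOS[0], detection=2)
    print(f"with encryption: {encrypted.score():.0f} ({status(encrypted.score())})")
```

Running the block prints the four scenarios in the slide's order of priority (480, 448, 160, 32) with their colours, then the laptop-theft score after the assumed encryption control (120, yellow). Whatever thresholds you adopt, keep them fixed across reporting periods so a colour change reflects a change in risk rather than a change in scale.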
The Security Executive Council is an international professional membership organization for leading senior security executives spanning all industries, both the public and private sectors, and the globe. Our members seek innovative issue solutions and documentation of model core security programs. The Council utilizes professional staff and a distinguished faculty of former CSOs and content experts to develop, based on member requirements, strategic services and products for the entire membership. Unlike typical peer-to-peer organizations, the Security Executive Council does not depend on member volunteers; members are involved in projects only to the extent they desire to be. Our vision is to deliver cost effective solutions to our members that are unavailable from any other source.
Title: Companion to Measures and Metrics in Corporate Security, Series 2 by George K. Campbell
Industry Applicability Concept Validation by:
• Edward G. Casey: SEC Emeritus Faculty, Security Executive Council; Former corporate affiliation: Procter & Gamble
• Greg Halvacs: CSO, Cardinal Health, Inc.; Security Executive Council Member
• Richard A. Lefler: SEC Emeritus Faculty, Security Executive Council; Former corporate affiliation: American Express
• Mark Lex: Director, Global Security, Abbott Laboratories; Board of Advisors, Security Executive Council
• Lynn Mattice: VP Global Security and CSO, Boston Scientific Corporation; Board of Advisors, Security Executive Council
• G. Randolph Uzzell: SEC Emeritus Faculty, Security Executive Council; Former corporate affiliation: Burlington Industries
Editor: Kathleen Kotwica, Vice President, Research & Product Development, Security Executive Council
Design: Jayne Marcucella, Operations and Production Specialist, Security Executive Council
Your feedback is important to us. If these worked well for you, we'd like to hear it. If there are other measures or metrics you'd like to see in visual form or you have other suggestions or comments, please let us know at [email protected].
Contact Bob Hayes, Managing Director, Security Executive Council at +1 202 730 9971.