When the famous Chicago bank robber Willie Sutton was asked why he robbed banks, he simply replied, “That’s where the money is.” While that’s still true, the security director of a financial center now has to protect much more than just the cash, particularly due to the continuing trend towards a consolidated and converged security model. In this article we will consider one financial center that went outside the box to develop an efficient, creative, and cost-effective set of security solutions.
A Complex Institution
Our case study involves a financial center in Washington State with multiple tenant companies that serve customers in various ways and work under different business models. These companies, although separate corporate entities, share a common founder and consider themselves an alliance of firms.
The primary facility incorporates approximately 185,000 square feet of usable space. The building houses a bank branch, an insurance company lobby and a separate credit union lobby on its ground level. Each of these companies also does business in a number of additional branches and field offices around the state. Some of these offices are substantial in size. One 22,200-square-foot facility houses a large insurance operation and a bank branch, and another office of 84,030 square feet houses a credit union lobby and an insurance operation.
Each of these companies does business only in Washington State. The companies have some shared customers, but most of the customers have independent business dealings with only one of the allied companies. The insurance company—the largest company both in size and financial strength—owns the real estate.
In effect, all forms of security are handled for the insurance company by the CSO. Each of the tenants decides whether to provide its own security or to contract all or part of it to third parties. In some cases, the tenants contract out to the insurance company for security services.
This financial center had an established security program in place in 2001. The main building had a security guard station and a CCTV program to monitor the perimeter. A well established information security structure used a variety of products and techniques to protect the information in the network.
But 9/11 caused executive management to conduct a review of their existing program. We’ll examine their review and the ways the CSO addressed their newly discovered vulnerabilities.
Know the Risks
First, each company needed to conduct its own risk assessment to determine its needs. Each firm considered the level of security expertise available within its own resources. The insurance company had experienced staff with expertise in many aspects of security, including physical security, information security, safety management and contingency planning. The other companies had various levels of expertise in physical security, some background in information security, adequate background in contingency planning, and almost no background in safety management.
Determining Each Firm’s Needs
The firms made a number of decisions based on the results of their risk assessments.
The bank decided to continue to contract with an independent third-party vendor for lobby and branch security. The contract included the typical set of bank branch security controls—CCTV, teller alarms, bait money, dye packs, suspicion buttons to take snapshots of customers of concern, and monitored burglar alarms to protect the vault and cash. The bank would rely on the insurance company’s security staff to provide external monitoring of the premises, in particular an external ATM machine, and for building access controls. The credit union would contract with the insurance company’s security department for all of its security program elements, both for its main office and for a secondary branch.
The main office houses a data center maintained and operated by another alliance company that provides data processing services to a number of financial institutions. This firm also decided to contract with the insurance company’s security department for services including card access controls, CCTV, live monitoring of premises and response protocols based on business-defined security events. The insurance company recognized a need for a number of additional security functions, such as 24x7 guard services, monitoring and response to building premises-related security issues, access controls, CCTV monitoring, burglar alarms and alarm responses, and provision of requested security services to the other alliance companies. The main office already had many of the necessary components, but none of these services were being provided in the remote and field offices. In addition, the company needed safety programs, an emergency operations center, workplace violence prevention and response programs, and investigations as needed. The information security controls also had to be considered.
While the scope of the security program was being substantially expanded, there was little funding available to accomplish it. The center needed to find a cost-efficient means to accomplish all of this.
Shifting the Safety Focus
The CSO reviewed the existing safety program for adequacy under the revised risk assessment results. The existing program was developed to comply with safety regulatory requirements within Washington State. They already had a safety committee structure, an established safety manual, and all of the necessary documentation to comply with regulatory needs.
However, the risk assessment made clear they would need more personnel trained in first aid and emergency response to meet increased threats due to the events of 9/11. So a number of the existing safety staff trained to achieve instructor certificate levels for first aid, CPR, and automatic external defibrillator (AED) use. With their own certified instructors, they could offer more training classes to staff members, doubling the number of qualified staff.
They contracted with ZEE Medical for first aid supplies, focusing on establishing more robust first aid kits than typical for office buildings. The security department provided each floor with a custom-built emergency search and rescue kit. The safety staff was trained in SAR approaches and bomb searches to be able to respond to building-wide emergencies.
The new safety plans included protocols for responding to weapons of mass destruction events. To prepare for that response, the company needed equipment such as emergency wash-down stations and training in decontamination, building HVAC emergency shut down procedures and use of radiological dosimeters. The security department updated building evacuation plans and conducted drills.
The alliance companies determined that all their contingency plans were adequate under the new assessment, but they were updated to include WMD and terror impacts.
Physical Security Programs
Providing CCTV and security officers to all the field and remote offices presented a significant challenge. These offices were spread over a wide geographic area, and there was no single provider of security guard services that could handle coverage for all of them. In addition, none of these offices had CCTV systems. Most had commercially available monitored burglar alarm systems in place, but again, they were from multiple vendors.
If the companies expanded the main office solutions out to the field offices using the existing set of vendors and systems, it would cost them more than $2 million. That money wasn’t available, so the CSO had to get creative.
Breaking Proprietary Bonds
The CSO analyzed the available options and consulted with a number of potential vendors. Instead of throwing lots of human resources at the problem, he purposed to use technology to meet the challenges. The existing systems at the home office were proprietary, and the CSO needed to find a way to integrate them to better manage the costs. He wanted to use commodity security equipment, but he’d have to have a robust management tool as well.
The CSO decided to use the wide area network, over which all of the offices were connected, to provide security connectivity. Then the management of physical security systems could be brought together in a centralized monitoring station. By centralizing the monitoring of these sites, the CSO could reduce the management costs for on-site staff. When this project began, there were few vendors with products that could easily be “plugged in” and managed remotely by a non-proprietary system. A new solution needed to be found.
The CSO found a solution from Vigilos—the Vigilos Enterprise Security Management (ESM) software platform. This platform had the capability to manage nearly any security system regardless of its ability to integrate with other products. With this kind of tool the CSO would be able to connect all of the field offices remotely and purchase security components as necessary to fit the needs of each location. This provided the leverage to purchase best-of-breed or commodity equipment as needed to meet the requirements. It also allowed the CSO to leverage existing systems and incorporate them into the central management system. The ESM system could incorporate rule-based controls and event-based responses to security incidents into real-time monitoring as well.
The central guard station at the home office became the centralized security management station for the entire operation across the state. Existing guard staff was trained in the use of the new systems. Because the CSO didn’t need to comply with proprietary system requirements in purchasing new equipment, each component could be purchased based on business requirements, technical capabilities and price. Each field office installed Pelco CCTV equipment and DMP panels for card access. Panic buttons were installed in such areas as credit union teller stations. Vigilos rule-based management then allowed remote control of all of the equipment.
Migrating Offices
The Vigilos system’s capabilities allowed the CCTV system and card access systems to replace the burglar alarm systems and monitored surveillance. CCTV cameras were programmed to act as motion sensors on an event-based rule set that triggered an alert in the central office. Each rule could be customized to address the specific needs of that security component. This allowed the CSO to remove all of the former proprietary alarm monitoring contracts.
The DMP panels worked with the access cards already being used at the home office, so no duplication of effort or consumable stocks was necessary to provide card access controls to the remote offices. All of this was possible without any increase in staff. The project was completed at less than 10 percent of the original projected cost.
Once the field offices had been upgraded, security could replace the proprietary systems that were in place at the home office. However, since there was no pressing need to change the existing equipment due to the seamless functional integration of the centralized monitoring functions, they could replace components based on a regular maintenance cycle. As equipment needed to be serviced or replaced, newer components would be installed to be managed by the Vigilos system. When a sufficient number of these migrations occurred, the proprietary head end would be decommissioned and replaced with the fully functional Vigilos system. There were no service outages and no unexpected migration impacts as a result of this approach.
Compartmentalizing Info Security
The existing information security program was deemed appropriate for controlling the risks it was designed to address. The risk assessment did determine, however, that the risks to the information had increased both in scope and variety. The CSO conducted a gap analysis to determine what controls needed to be enhanced or initiated to deal with new threats. Many of these new issues were born of the latest regulatory requirements, such as the Gramm-Leach-Bliley Act and the Sarbanes-Oxley Act.
The principle gap uncovered by the risk assessment was that the network was essentially a cohesive single environment. The company needed to compartmentalize the contents of the network into more discreet entities that could be managed along risk management lines rather than organizational lines. Specific higher-exposure environments, such as the human resources department and the finance department, needed internal network separation. In each case they were physically separated with servers co-located in a single network rack in the data center. The racks were locked with keys issued only to the managers of those departments so that all access to the servers had to involve the appropriate management directly. They also needed a strong application gateway (layer 7 protection) and were logically separated using a Cyberguard Firewall.
Security established compartmentalized perimeter access areas known as DMZs (demilitarized zones). The DMZs were protected in various manners commensurate with their risk management objectives, including the use of an F5 Reverse Proxy Firewall in some cases, and a CISCO PIX Statefull Inspection Firewall. In each case, the DMZ was constructed to establish a zone where the information contained within had similar risk management objectives to facilitate management, monitoring and control of that information.
Tips to Live By
There are many ways to address upgrades. The answers you develop for your organization will probably use different components than those listed here. However, there are some key points to focus on.
- Base your security program on a risk management and risk assessment that is both understood and supported by management.
- Determine what security program elements are necessary to satisfactorily address those risk management objectives.
- Thoroughly review available products and services that could be used as elements of the program.
- Understand the expense levels involved, not just for implementation, but also for ongoing support. Always keep in mind the existing investment in technology and whether it can still address your needs.
- Think outside the box. Don’t accept the standard answer; be creative and form your own program by using all the options available to you. In the case highlighted here, the tried and true method would have cost 10 times the solution that was installed.
- Be willing to use quality commodity components.
- Be willing to invest in training your staff. Factor in the cost of training and the cost of outside providers of service over the long haul.
- Use good project management skills to coordinate your conversions and monitor your success factors.
- Don’t assume something is still effective just because it's still working.
If all appears to be going well, then you have clearly overlooked something. Carefully examine your safety and security plans, and be creative in solving new problems.
Eduard L. Telders is the director of enterprise information security at T-Mobile. Since 1981 he has served in physical security, information security, corporate contingency planning and safety programs in the banking, insurance and financial industries. He is active in a number of security trade groups and associations for both physical and information security, and he is a contributing technical editor for ST&D.
