The CSO found a solution from Vigilos—the Vigilos Enterprise Security Management (ESM) software platform. This platform had the capability to manage nearly any security system regardless of its ability to integrate with other products. With this kind of tool the CSO would be able to connect all of the field offices remotely and purchase security components as necessary to fit the needs of each location. This provided the leverage to purchase best-of-breed or commodity equipment as needed to meet the requirements. It also allowed the CSO to leverage existing systems and incorporate them into the central management system. The ESM system could incorporate rule-based controls and event-based responses to security incidents into real-time monitoring as well.
The central guard station at the home office became the centralized security management station for the entire operation across the state. Existing guard staff was trained in the use of the new systems. Because the CSO didn’t need to comply with proprietary system requirements in purchasing new equipment, each component could be purchased based on business requirements, technical capabilities and price. Each field office installed Pelco CCTV equipment and DMP panels for card access. Panic buttons were installed in such areas as credit union teller stations. Vigilos rule-based management then allowed remote control of all of the equipment.
The Vigilos system’s capabilities allowed the CCTV system and card access systems to replace the burglar alarm systems and monitored surveillance. CCTV cameras were programmed to act as motion sensors on an event-based rule set that triggered an alert in the central office. Each rule could be customized to address the specific needs of that security component. This allowed the CSO to remove all of the former proprietary alarm monitoring contracts.
The DMP panels worked with the access cards already being used at the home office, so no duplication of effort or consumable stocks was necessary to provide card access controls to the remote offices. All of this was possible without any increase in staff. The project was completed at less than 10 percent of the original projected cost.
Once the field offices had been upgraded, security could replace the proprietary systems that were in place at the home office. However, since there was no pressing need to change the existing equipment due to the seamless functional integration of the centralized monitoring functions, they could replace components based on a regular maintenance cycle. As equipment needed to be serviced or replaced, newer components would be installed to be managed by the Vigilos system. When a sufficient number of these migrations occurred, the proprietary head end would be decommissioned and replaced with the fully functional Vigilos system. There were no service outages and no unexpected migration impacts as a result of this approach.
Compartmentalizing Info Security
The existing information security program was deemed appropriate for controlling the risks it was designed to address. The risk assessment did determine, however, that the risks to the information had increased both in scope and variety. The CSO conducted a gap analysis to determine what controls needed to be enhanced or initiated to deal with new threats. Many of these new issues were born of the latest regulatory requirements, such as the Gramm-Leach-Bliley Act and the Sarbanes-Oxley Act.
The principal gap uncovered by the risk assessment was that the network was essentially a cohesive single environment. The company needed to compartmentalize the contents of the network into more discrete entities that could be managed along risk management lines rather than organizational lines. Specific higher-exposure environments, such as the human resources department and the finance department, needed internal network separation. In each case they were physically separated with servers co-located in a single network rack in the data center. The racks were locked with keys issued only to the managers of those departments so that all access to the servers had to involve the appropriate management directly. They also needed a strong application gateway (layer 7 protection) and were logically separated using a Cyberguard Firewall.
Security established compartmentalized perimeter access areas known as DMZs (demilitarized zones). The DMZs were protected in various manners commensurate with their risk management objectives, including the use of an F5 Reverse Proxy Firewall in some cases, and a Cisco PIX Stateful Inspection Firewall. In each case, the DMZ was constructed to establish a zone where the information contained within had similar risk management objectives, to facilitate management, monitoring and control of that information.