Time to Reevaluate
Not only do intelligent systems provide tactical response capabilities, they provide a bridge between strategic planning, policy and security operations. As security systems become enterprise in scale, wide-scale strategic deployment of intelligent systems provides enterprise-level benefits, including enterprise-wide security metrics management, cost control, and continuous process improvement.
Just 10 years ago it was often a significant challenge just to get an ID badge system to “talk to” an access control system and share a common database, or interact with a human resources database. Today that kind of integration is commonplace. But that doesn’t mean we get to rest on our laurels. The business assets and critical business processes we must protect are quickly changing. Add to that the trend toward enterprise-wide management of security, and we now must reevaluate the role of technology in supporting our management of security functions.
A November 2005 Booz Allen Hamilton report titled “Convergence of Enterprise Security Organizations” examines the nature of recent business changes and their impact on security practitioners. The report was commissioned by the Alliance for Enterprise Security Risk Management, a coalition formed in early 2005 by ASIS International, the Information Systems Audit and Control Association (ISACA), and the Information Systems Security Association (ISSA) to deal with the convergence issues commonly affecting the members of all three organizations. The report identifies five distinct business imperatives (shown in Figure 1 on p.24) that require us to change our thinking about security management and technology.
As the convergence report explains, the increasing complexity of businesses raises the complexity of security. Business assets are now increasingly information-based and intangible, creating a greater need to integrate physical and information security throughout the enterprise.
In the face of this increasingly complex security picture, businesses continue to pressure security teams to reduce both costs and risks. A policy-based approach to security risk management—one that is visible to and approved by senior management—is increasingly important. In the face of many changes, a risk-based approach keeps security focused on what is most important, rather than what is most recent.
Is there a way to take advantage of security technology and information technology to make the job of managing security operations easier and more effective? There is, if we change our thinking about what comprises security technology.
Changing Our Concept of Systems Integration
Systems integration has traditionally meant integrating electronic security systems, corporate directory or human resource systems (for obtaining employee names and deactivating access upon employee dismissal), and payroll systems (for security card-based time and attendance).
While the security industry was busy getting its systems to work together, the IT industry was making progress in the enterprise with business workflow automation. We as security practitioners have thought of systems integration as connecting systems, when in fact we should be thinking of it as connecting processes or workflow.
The U.S. federal government realized that fact and captured high-level workflow requirements in its Federal Information Processing Standards 201 document (FIPS 201). This document defines the process by which government agencies should securely identify and enroll personnel into an identity management system and how they should issue and manage security ID cards.
The key idea is that secure processes are required in order to have secure systems. In integrating systems, we should strive to support our security processes and procedures. Although systems are often purchased first and security processes are designed around them second, it should really be the other way around.
Today’s systems are highly flexible and capable and have a plethora of features. One way to choose the right system is to select the one that best supports the intended security processes and procedures.
Integrating Obsolete Processes
Thinking of process first requires us to take a new look at how we do things. If we continue doing things the same way we have always done them—even after deploying the latest technology and systems—are we really getting the security improvement and return on investment we should be getting?
We must clearly define and actively manage the processes of security or we will continue to have security gaps. This is not to say that we haven’t been doing the job at all. Security departments have long used standard operating procedures and post orders, usually a collection of paper documents in a binder, to define the activities of their personnel. But that’s no longer the way most other departments operate.
The workflows of most business processes have been defined and captured in corporate workflow systems, with significant benefits. Business consultant Michael Atherton, in his acclaimed article, “Workflow Automation—The Correct Recipe for Success” in the September 2002 issue of Darwin magazine (www.darwinmag.com), explains that workflow automation prioritizes tasks; higher-priority processes are accomplished more quickly because personnel can see each task’s priority in their task list. As one person completes a high-priority task, the subsequent task in the process becomes visible to the next person. If the task is not completed within the designated amount of time, it is escalated, making it harder for employees to drop the ball. Personnel calendars ensure that tasks are not sent to people who are out of town or on vacation when alternate personnel are available.
Don’t security practitioners deserve the same kind of support from information systems that the rest of the organization has been getting? Of course they do. But the traditional stovepipe isolation of security, the lack of outside understanding of the full scope of security operations, and the relatively small size of security departments compared to other parts of the organization, lead IT departments to exclude security operations when planning workflow automation.
On top of all that, there is another factor. What would we actually say to someone who asked what security workflow we would like to automate? Most of us are not prepared to answer that kind of question. In order to step fully into the 21st century and take advantage of what emerging security and information technologies have to offer us, we must first take a step back from our security operations and examine them from a new perspective.
Concept of Operations
Dr. Gerald Kovacich and Edward Halibozek provide an excellent examination of the role of the chief security officer and of the concept of operations for a corporate security department in the first three chapters of their book Security Metrics Management, and also in their book The Manager’s Handbook for Corporate Security. In Security Metrics Management the authors identify the common drivers for various corporate security functions and provide an example workflow diagram for a security operations process. Although we tend to think of this as security planning, it is really better described as business planning for security operations. Identifying the drivers for the security functions and defining the processes to accomplish those functions are not simple procedures but are nonetheless critical.
Faith Varwig, principal and founder of Faith Group LLC, has been consulting on aviation security and information technology for more than 17 years and specializes in Concept of Operations (CONOPS) development for airport security operations. Varwig explains, “All too often capital development projects get lost in the physical and technical aspects of the program. The desire is to deliver the best technical solution at the lowest cost. Many times the ‘cost’ measurement is limited to the physical aspects of the program and doesn’t take into account the ‘people’ cost. Positive attributes of the program will be stymied if the facility does not have the people and processes in place to effectively support their intended operations.”
Security Workflow Automation
Don’t undervalue the documentation of security operations processes. A few years ago I learned of a situation in which a team of employees was preparing for a business workflow automation initiative. Working in groups of two to three from each department, they had mapped out their current departmental business processes on large sheets of paper. When the owner/president glanced at the sheets, he stated, “That’s not how I want to run my company!” He didn’t realize they had simply written down what the company was already doing.
Undocumented processes can drift over time, especially with personnel changes. Thus undocumented security operations processes are themselves a security vulnerability point.
Let’s examine the security operations side of a hypothetical new hire process, comparing operations for a typical integration scenario and a scenario based upon workflow automation. Unlike some forms of physical automation, workflow automation is not intended to replace the value-added work that people do. Instead it enhances the process to let people concentrate more on the value-added work portions of their jobs.
Scenario 1: Typical Integration
• HR department selects applicant for hire, enters new hire into HR system and sends paper notification to security to perform a background check.
• Security manually orders the background check by the usual security firm.
• Security manually receives background check results, manually forwards to HR.
• HR hires person and enrolls him in the HR system.
• Access control system automatically gets name of new hire from HR system.
• Temporary access privileges are assigned manually until new hire’s training and security orientation are complete.
• Security orientation is scheduled manually.
• Security trainer delivers security orientation.
• Security waits to be told when the new hire’s remaining training and orientation are completed.
• Full security privileges are assigned manually.
Scenario 2: Workflow Automation
• HR enters new hire into HR system, including photo.
• HR system automatically notifies the security workflow system of the new hire.
• Security workflow system automatically orders the security services firm to perform the background check and sends the new hire’s information via secure e-mail.
• Outside security services firm completes the background check, clicks “Reply” to the ordering e-mail message, and returns the background information via secure e-mail.
• Security workflow system automatically receives the background information, notifies the security manager to review it.
• Security manager reviews the background information, clicks the “Background Check Okay” button.
• Security workflow system sends the background information and security approval to the HR system, where an HR manager is automatically notified and activates the new hire’s employee status.
• HR system automatically schedules the new hire for training and orientation and notifies the security workflow system of the new hire’s status.
• Security workflow system automatically assigns temporary access privileges for access during training week.
• New employee shows up, retrieves photo ID badge from the self-service kiosk, and reports for training and orientation.
• Training and orientation are completed and the trainer signs off on that step in the HR system.
• HR system automatically notifies security workflow system that training and orientation have been completed.
• Security workflow system automatically upgrades the new hire’s security privileges based upon his role in the organization.
In the second scenario, human attention is required only for decision and approval points. The HR and security workflow automation systems track progress automatically and handle the interactions and hand-offs between departments with no delays.
A good workflow automation system makes it easy to set policies that establish performance requirements and then track performance. For example, the system can alert if a background check is not finished within a pre-set period of time. If background checks are to average $100 or less in cost, the system can track and report on that also. Additionally, the system can record these performance metrics and provide reports on them by facility, region or enterprise.
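Scenario 2 and the performance policies just described can be written down as a small state machine. The sketch below is an added example, not part of the original article or of any vendor's product. The state names, event names and the five-day deadline are assumptions; the $100 cost target is the article's own figure.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hand-offs from Scenario 2 as (current state, event) -> next state (names are assumed).
TRANSITIONS = {
    ("ENTERED_IN_HR", "order_background_check"): "CHECK_ORDERED",
    ("CHECK_ORDERED", "results_received"): "AWAITING_REVIEW",
    ("AWAITING_REVIEW", "manager_approved"): "APPROVED",
    ("APPROVED", "hr_activated"): "TEMP_ACCESS",
    ("TEMP_ACCESS", "training_signed_off"): "FULL_ACCESS",
}
# Decision and approval points: these events must come from a named person.
HUMAN_EVENTS = {"manager_approved", "hr_activated", "training_signed_off"}
ACCESS = {"TEMP_ACCESS": "temporary", "FULL_ACCESS": "role-based"}
CHECK_DEADLINE = timedelta(days=5)   # assumed policy value, not from the article
CHECK_COST_TARGET = 100.0            # the article's example target, in dollars

@dataclass
class NewHire:
    name: str
    state: str = "ENTERED_IN_HR"
    check_cost: float = 0.0
    audit: list = field(default_factory=list)

    def handle(self, event: str, actor: str, when: datetime, cost: float = 0.0):
        nxt = TRANSITIONS.get((self.state, event))
        if nxt is None:  # out-of-order step: refuse instead of drifting
            raise ValueError(f"{event!r} not allowed in state {self.state}")
        if event in HUMAN_EVENTS and actor == "system":
            raise PermissionError(f"{event!r} needs a named approver")
        self.audit.append((when, actor, event, nxt))  # who did what, and when
        self.state, self.check_cost = nxt, self.check_cost + cost

    def access_level(self) -> str:
        # No privileges exist until the approvals above have been recorded.
        return ACCESS.get(self.state, "none")

    def overdue(self, now: datetime) -> bool:
        ordered = [t for t, _, e, _ in self.audit if e == "order_background_check"]
        return self.state == "CHECK_ORDERED" and now - ordered[0] > CHECK_DEADLINE

def average_check_cost(hires) -> float:
    costs = [h.check_cost for h in hires if h.check_cost > 0]
    return sum(costs) / len(costs) if costs else 0.0

def cost_target_met(hires) -> bool:
    return average_check_cost(hires) <= CHECK_COST_TARGET
```

The audit list doubles as the written record of the process, so a step performed out of order or by the wrong party is rejected and visible rather than silently absorbed.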
Options Available Today
Until recently, no system existed for automating security operations, which is why the founders of Quantum Secure developed one, called SAFE.
Although the systems integration example above is hypothetical, the workflow automation capabilities described are not. SAFE can even automate tasks for multiple facilities across disparate brands of security systems. Although it is possible to use in-house or outsourced IT resources to automate much of security operations workflow, Quantum Secure has gone beyond the traditional scope of workflow automation to include built-in support for key security elements such as cardholder identity management, corporate risk assessment and Sarbanes-Oxley compliance, and to provide integration support for major brands of access control and security monitoring systems.
Lenel Systems International Inc. recently released IdentityDefender, a complete system for issuing ID cards in compliance with FIPS 201. “The advantage of IdentityDefender is that the system automates the workflow and removes human error from the equation,” said Erik Larsen, product manager of identity solutions at Lenel.
The Federal Systems Division of ADT Security Services has also released an end-to-end FIPS 201 solution (yet to be named), which was being demonstrated for NIST and several federal agencies as this article was being written.
Another area where workflow automation can play a critical role is incident response. In addition to SAFE, two systems that can automate incident response tasks are Proximex’s Surveillint and SWN Communications’ SendWordNow service.
Which systems or services will be of greatest value to you depends upon the size and scope of your security operations and the level to which you would like to automate security operations and incident response. Both SAFE and Surveillint can integrate with SendWordNow. Such technology capabilities mean that systems integration requires significantly more planning and preparation than in the past, including a well-thought-out security concept of operations.
21st Century Systems Integration
Security operations workflow automation is new to the security industry. Among all the new products being introduced, these have by far the greatest potential to improve the quality of security operations. This class of technology frees those with security management responsibilities to work on improving how work is done and helps to improve their sphere of control not just within the security department, but also outside of it.
James Connor, senior manager of global security systems for Symantec Corporation, remarked, “In the world of emerging technology we have been conditioned to wait for new applications and then ask what they will do for us. We then proceed to limit ourselves to the framework of our technology’s limitations. That leaves us ill-prepared to deal with the new breed of rules-based systems, which allow us to define what we want them to do.”
Connor continued, “Understanding what is vital to your organization and developing strategies to impact the business through the use of these new tools will be our next great frontier for security. This is a very exciting time to participate in the security profession as we move from a cost center organization to having real and measurable results.”
Thinking about how to use this type of technology? Do you know how workflow is automated in other parts of your organization? If not, that’s a great place to start.
Ray Bernard, PSP, CHS-III is the principal consultant for Ray Bernard Consulting Services (RBCS). Mr. Bernard has provided both strategic and technical advice in the security and building automation industries for more than 18 years. He is also the founder and publisher of “The Security Minute” 60-second newsletter (www.TheSecurityMinute.com). For more information about RBCS go to www.go-rbcs.com or call 949-831-6788.