Planning and Executing Enterprise Security Management


White Paper

Introduction                                                                    
__________________________________
The emergence of Enterprise Security Management (ESM) comes from many areas:
*        Compliance regulations setting security goals and measurements
*        Mission criticality
*        The increasing threat environment which drives the workload of security staff
The core issue, in both public and private sectors, is whether we devote enough or too many resources to enterprise security.[1] Part of the answer must come from economic analysis. What are the costs, both historical and potential, of security breaches? How frequently can attacks be expected? Can these factors be quantified precisely, so that business firms and other organizations can determine the optimal amount to spend on security and measure the effectiveness of that spending?
 
One might ask whether security expenditure needs to be justified economically at all. Why justify security expenditures? What caused the move to justify them? When is "good" good enough?

MathCraft has worked with a number of customers to identify the benefit of its solutions. This insight is captured in cases and examples so that prospective users of these solutions may more readily establish the value to their organization.

 

Planning and Justifying the Enterprise Security Solution
__________________________________
Planning and preparation are critical to a successful implementation of an enterprise security
management solution. Based on today's environment, the major preparation steps include:
 
1. Understanding the business objectives and how they drive security needs
2. Pinpointing the major security "stakeholders" within the organization and defining their major requirements
3. Projecting the security implications of strategic business initiatives
4. Identifying the resource and process bottlenecks that are reducing the efficiency and effectiveness of the security function
5. Preparing the ROI case for an ESM investment
6. Specifying the key features of an ESM solution
 
Steps 1-3 are very specific to the organization but in general are driven by the environmental factors listed in the Introduction (above). Steps 4-6 are largely under the control of the security group.

ESM expenditures are coming under increasing scrutiny. Security departments are struggling to manage the risk associated with their growing budget needs. Since security investments compete for funds that could be used elsewhere, it is not surprising that CFOs are demanding a rational economic approach to such expenditures.
 


Identifying and Calculating the Need for Enterprise Security Management
__________________________________
 
A customer ready for MathCraft’s solutions typically is experiencing these problems:
 
*        Extreme data overload from security processes required of the organization
*        Inefficient incident response due to poor tools and incomplete information
*        Incomplete reporting that often consumes several days per month to supply the lines of business and senior management with the security summaries they need.
 
Each of these issues not only reduces the amount of protection an organization receives; each also has a specific economic impact. By capturing the dollar value of solving these problems, a clear and pragmatic ROI calculation can be done, with MathCraft's improved security result as an added bonus. For examples of ROI calculations that are relevant to the overall ESM solution, see APPENDIX 2.
 
 
Finding the Right Solution                                                      
 __________________________________
Sorting through the claims and comparisons of ESM software packages can be confusing and time consuming. As a result, many organizations develop a checklist, or a Request For Information (RFI) process, intended to generate a short list of options that will be investigated in more detail. It is difficult to generalize a complete solution set that will apply equally in all circumstances. However, MathCraft has worked with many large organizations to define and implement MathCraft software and, as a result, can draw some conclusions about which areas are most important:
 
Enterprise Capabilities.  Scalability and ease of deployment are important attributes of the solution. A well-crafted security management solution should deploy within a matter of days and produce immediate results. It is no longer acceptable for enterprise-class solutions to require large amounts of consulting fees for installation and customization.
 
Information Segmentation. The goal of a successful security management solution is to provide the right information to the right personnel for the right purpose in a timely manner: no less and, perhaps even more important, no more. Central to this goal is securing information by limiting its dissemination to those who genuinely have a need to know. A centralized knowledge repository, backed by a role- and rule-based access model sufficient to enforce that need-to-know principle, is the most effective means of meeting this mandate.

Complete Process Coverage. The position of a security analyst covers a wide range of activities, hence the security management software should map to those job functions. Comprehensive ESM software begins with the management of 100% of the security needs within the day-to-day operations of the enterprise. Through integration with other information systems, it should embed security into the fabric of enterprise operations, creating timely events for effective decision support. These events should be persisted in a relational database that supports a full range of display options, giving individual operators the flexible views into security status they need. It is important that both the security staff and the organization at large can easily summarize and report on security activity across the organization.
 
 
APPENDIX 1. The ESM RFI Starter Kit
__________________________________
 
Security management has become exponentially more complex. Increasing laws and regulations have defined goals and measurements for the security function. Organizations now operate a global security infrastructure populated by many types of security assets drawn from various data sources. To deal with the resulting data overload from isolated databases, they need centralized, enterprise-class security management software.
 
Here is a starter list of requirements compiled from major corporations, government agencies, and service providers who have surveyed the market, tested the options and successfully implemented an ESM software solution. This investment has set their course for increased protection, improved staff utilization, and better reporting on their security functions, leading to more fiscally efficient operations.
 
1. An architecture that can scale to handle constantly increasing workloads
2. Reliability and high availability
3. Integration with enterprise information systems
4. Complete reporting infrastructure with both an authoring system and pre-configured reports
5. Rapid installation with immediate results
6. Ease of Use
 
For more information about how MathCraft satisfies these requirements in addition to many other features and benefits for both the security function and organization at large, visit www.MathCraft.com.
 

 

APPENDIX 2. ROI Cases                                                      
__________________________________
 
Scenario One: Fortune 500 Company Effectively Manages Tens of Thousands of Cleared Individuals
A Fortune 500 company with over 40,000 employees and 400 locations wanted to deploy a single, centralized, enterprise security management solution to increase efficiency and productivity, ensuring a competitive advantage in the national security market. With over 100 cleared locations and a diverse list of customers, its non-negotiable requirements included a solution that was web based, conformed to the integrated business enterprise, reduced costs, increased efficiency by reducing redundancy, centralized the information on a common platform, and integrated with other enterprise applications such as HR and contracts.
Access Commander satisfied all of these requirements. In addition, the company wanted a data warehouse of information for better information sharing and better data mining, which in turn would be used in pursuing new customers and serving existing ones. Again, Access Commander promised to be the obvious, and frankly only, choice.
After implementing Access Commander, the results speak for themselves and would not have been achievable without it. The majority of the security staff uses the same application, managing tens of thousands of cleared individuals. They have a better handle on thousands of classified contracts and an impressive central repository to manage hundreds of thousands of classified documents. Both incoming and outgoing visit requests are managed more effectively. They have also achieved a higher quality of reporting to their management and their customers.
As they continue to expand their use of Access Commander, they have realized even more beneficial applications of the tool than originally promised. An excellent example is the mapping of business processes to captured data, which has allowed the organization to achieve new efficiencies by improving workflow. Process improvement is achieved by being able to track metrics, and Access Commander has proven to be a superior tracking tool. With the support of the technical support and management teams at MathCraft, they are excited to be part of the growing security community using Access Commander and to be actively involved in its continuing evolution.
With greater security control than before, the manpower savings associated with using MathCraft's software solutions continue to exceed $750,000 per year.
 
Scenario Two:
“Access Commander is the backbone of our Security Department. We use it to track all security actions and essential data for Business Development. This is a tool that increases our effectiveness while cutting cost. Access Commander allows key individuals prompt access to information in a timelier manner. Its UDFs (User Defined Fields) are instrumental to specific data collection in our security department.
Metrics on personnel with clearances, ongoing clearance actions and timelines are available at the click of a button. Access Commander has allowed us to digitize all of our Form DD254s and personnel security files. We have optimum protection of Personally Identifiable Information (PII) thanks to Access Commander. Its bar coding capability allows effective management of classified materials and mass inventory. Access Commander has single handedly elevated our Defense Security Service (DSS) and Department of State (DoS) inspection ratings.”
If it takes 30 minutes of a senior security analyst's time to resolve each incident, then the daily savings would be 4 hours per day, or over 800 hours per year. Depending on the hourly rate of the security specialist, the yearly savings can exceed $75,000.
 
Scenario Three:  MathCraft Facilitates More Efficient Use of Security Personnel’s Time
Upon assuming the position of Director, Corporate Security, and conducting a companywide review of our current Security Program, it became apparent that we needed to establish a systematic, standardized and integrated approach to better manage the numerous security requirements established by the National Industrial Security Program Operating Manual (NISPOM). Given the small and dispersed nature of our company, I could think of only one security management tool that would meet my needs, and that was MathCraft's Access Commander. Following the deployment of Access Commander as the cornerstone of our entire security program, all of our evaluated facilities received a "Commendable" rating during their annual Security Program Review.
Access Commander's on-line capability allowed us to implement a central authority and central management with dispersed customer service philosophy that meets the needs of the Facility Security Officer (FSO). 
The deployment of Access Commander, the security management tool of choice for our company, has greatly improved our Security Program. This software is versatile, customizable and efficient. MathCraft's continued customer service and support is without question the best I've seen. There is no issue, large or small, technical or simplistic, that is not addressed in an earnest and professional manner by the company leadership and support team. I can say without hesitation that my final remarks regarding the use of Access Commander as a valuable tool for any security professional would be incomplete without a highly knowledgeable team of professionals standing by to meet the needs of their customers. The folks at MathCraft have the team, and they always exceed expectations for quality customer support.
Annual cost savings in security personnel requirements are greater than $230,000.
 
 
Summary
 
MathCraft delivers cost savings and improved security results in many different areas. Those that are highlighted in this document can lead to a payback for a MathCraft implementation of 4 months or less. Each organization will have its own set of values to fit into the model but in every case the improved financial performance and increased security produce a compelling Return on Investment.


[1] As stated by a security officer in a Fortune 500 company, "you don't want to secure yourself out of business".