Security Strategy: Exxon Mobil Security - Term Paper Example

Running Head: Security Strategy Security Strategy: Exxon Mobil Security Abstract The objective of this essay is to design a physical, personal, and information system(s) security plan for Exxon Mobil with respective rationale for the defined security areas. In addition, preliminary budget considerations for the aforementioned security plan would be proffered. Security Strategy: Exxon Mobil Security In an organization, the role that security and safety assumes is of critical importance in safeguarding all the resources of the organization. Resources mean assets and human personnel, including all systems and processes contained therein. The scope of responsibilities in security and safety includes detection of any kind of intrusion and initiating appropriate actions to ward off and prevent harm or damage to the organization, and identifying, addressing, and raising safety and security problems and concerns. Exxon Mobil, one of the world’s renowned globally traded oil and gas corporation, is expected to install a strategically designed safety and security plan to encompass physical, personal and information systems for the whole organization. Exxon Mobil’s safety mission is to create an incident-free workplace with zero work-related injuries and illnesses. (ExxonMobil, n.d., par. 1) Its official website divulged the organization’s reinforcement of the campaign Security is Everybody’s Business to emphasize the importance that security and safety measures place in the organization’s priorities. The Transportation Worker Identification Credential Program and Chemical Facility Anti-Terrorism Standards are among the contemporary security programs being implemented at Exxon Mobil. (ExxonMobil, n.d., par. 2) A closer look at the security system of Exxon would enable an assessment of security measures that need to be developed and improved to further ensure safety and security at all levels in the organization. The primary objective of this essay, therefore, is to design a physical, personal, and information system(s) security plan for Exxon Mobil with respective rationale for the defined security areas. In addition, preliminary budget considerations for the aforementioned security plan would be proffered. Security System Currently Employed by the Company Physical Security Physical security describes both measures that prevent or deter attackers from accessing a facility, resource, or information stored on physical media and guidance on how to design structures to resist various hostile acts. (Task Committee 1999) According to O’Sullivan (2003, 1), security planning should encompass the following areas: (1) identification of assets; (2) exposing losses; (3) assignment of occurrence probability factors; (4) assessment of the impact of occurrence; and (5) selection of countermeasures. ExxonMobil Chemical Company has already made substantial investments in ensuring that the company’s premises are properly surrounded by sturdy and secure perimeter walls with well secured gates appropriately manned by professional security guards. The chemical plant is well designed to incorporate several safety and security features such as emergency doors and is installed with several intrusion detection systems which are strategically placed in the company’s premises. Different physical barriers are also used by the company at specific places. Other security installations include security lighting, locking devices, badging systems, and access control devices. Company policies and procedures incorporate explicit entry and exit regulations, especially in restricted areas. In addition, risk management and emergency preparedness measures are set in cases of disasters, hostile threats and terrorism, civil disturbance, significant criminal action, as well as other contingencies which could affect its operations. Personal Security Exxon Mobil ensures the safety of the organization’s personnel through the use of personnel for access control, surveillance, and identification of authorized personnel using both conventional (manual processing) and electronic technology. Manual processing which is still being used in some security areas of the organizations use personnel or people to access control identify authorized staff and undertake surveillance procedures at the best possible means. Exxon still utilizes identification cards, Bundy clock for timekeeping, and security personnel to check on the identity and accessibility of personnel in the organization. As advances in technology have been developed, Exxon is slowly replacing the use of personnel for access control, surveillance, and identification of authorized personnel by electronic technology. Alarm and monitoring systems are appropriately situated in various strategic locations at Exxon Mobil. Morris (2007) averred that “a basic alarm system is divided into three layers: perimeter protection, area protection, and spot protection. Perimeter protection is the first line of defense to detect a potential intruder. Alarm sensors on the perimeter are typically mounted on doors, windows, vents, and skylights.” (p. 88) There are several types of sensors for perimeter protection which are installed at Exxon such as glass break sensors, balanced magnetic switch, and grid wire sensor. Area protection, on the other hand, is utilized to protect the interior premises of an organization. Accordingly, “these devices provide coverage whether or not the perimeter is penetrated and are especially useful in detecting the “stay-behind” criminal”. (Morris 2007: 89) The kinds of sensors used by Exxon for area protection are: dual technology sensors and video motion sensors. Finally, the spot protection alarm is used to detect unauthorized activity at a specific location or spot. The assets most commonly protected under this kind of alarm system are safes, vaults, filing cabinets, art objects, jewelry, firearms, and other high-value property. These are necessarily mounted in restricted areas at Exxon Mobil and in areas classified as having high asset value with high replacement cost such as software and machineries and equipment, among others. Information System At Exxon, some equipment the company uses to store, transmit and receive business information include computers, mobile phones, radio equipment, fax machines, routers, printers and modems among many others. The company has networked its ICT (information and communication technology) systems via the internet, WAN (Wide Area Network) and LAN (Local Area Network). Due to the delicate nature of information available in the organization’s information system, Exxon must ensure all its vital data are transferred and kept secure - away from unauthorized access, modification, destruction, use, disruption and disclosure at any point of their lifecycles. The company uses access controls, power backups, the defense in depth strategy, encrypts data during transmission, antivirus, power and data back-up systems, firewalls, employs a highly competent human resource, passwords, and other computer security software. In a bid to further protect its data, the company also applies the principle of least privilege. Proposed Security Plan for Exxon Mobil Physical Security With a physical security system already in place, Exxon should at least improve the following methods to protect its buildings, grounds and perimeters: (1) implementing stringent policies for access control through stringent checking of proper identifications, (2) strictly limiting and monitoring authority to access to highly safeguarded areas, (3) considering strengthening the foundation of buildings, grounds, and perimeters to ensure protection from collapse and fortuitous events, (4) protecting pathways into the building, and (5) disseminating continuous awareness for the contingency and emergency plan for disasters, unauthorized intrusion, and even terrorist attacks. (WBDG Safe Committee 2009) One of the critical physical security improvement measures is the upgrade of Exxon’s perimeter fence. The security fence upgrade will encompass installation of smart fence systems such as taut wire, acoustical sensors, sub-lethal electrified systems, and fiber optic intrusion detection systems. The rationale and benefits of upgrading the perimeter fence are as follows: (1) to decrease the potential for accidents to occur due to unauthorized entry into those areas. (US Army Garrison – Redstone Arsenal 2004); (2) to prevent substantial material losses as well as possible compromise to the organization’s overall security; (3) to provide medium to maximum levels of security; (4) to ensure low maintenance; (5) to retrofit the existing fencing; and (6) to provide a formidable barrier that is strong, resistant, durable and adapting to the current demands of the times. The costs associated with the upgrade of the physical facilities of Exxon are as follows: (1) the amount of capital outlay needed to strengthen the foundation of buildings, grounds, and perimeters to ensure protection from collapse and fortuitous events, protecting pathways into the building, and upgrading the perimeter fence should be accommodated by the budget of the organization. The total estimated cost for these upgrade is $150,000.00; (2) the security personnel who would be directly involved in maintaining and monitoring the new perimeter fence should be reoriented and trained to support the upgrades needed for this project. Personal Security One of the products of this electronic advancement in the area of security management is biometrics. “Biometrics is the science and technology of measuring and analyzing biological data. In information technology, biometrics refers to technologies that measure and analyze human body characteristics, such as fingerprints, eye retinas and irises, voice patterns, facial patterns and hand measurements, for authentication purposes.” SearchSecurity.com (2009) These have several applications including time attendance, access control, identification card, security systems, server rooms and data centers. The rationale for slowly replacing manual processing and converting into biometrics are: ease of use, removes proxy punching, prevents identity theft, no recurring costs on cards, better returns on investment and instant reporting. (BioEnable 2007) The electronic system determines whether to grant access to the protected area based on the credential presented and when it is presented. If access is granted, the entry access is unlocked for a predetermined time period and the transaction is recorded. If access is refused, the entry access remains locked and the attempted entry is recorded. The system will also monitor the entry access and declare an alarm if forced open or held open too long after being unlocked. An access control point can be a door, turnstile, parking gate, elevator, or other physical barrier where the granting of access can be electrically controlled. The main advantage of maintaining portions of manual processing to personal access is its cost of maintenance which is considerably less than electronic technology. Especially in developing countries, the cost of labor is relatively cheap than availing of expensive technological developments like what biometrics could accord. The primary disadvantage of this system is its susceptibility to dishonesty through proxy punching. In addition, this system is also prone to identity theft (through the transfer of identification cards) and recurring costs on cards. In addition, with technological advancement, spurious people could devise ways and means to counterfeit identification and access cards and physical access control without being traced by manual procedures. Given the features, functions, mechanics and availability of applications for biometric technologies such as fingerprint scanners, iris recognition systems, and smart cards, it can be deduced that the most viable, fairly economical and more practical from among the three is the fingerprint scanners, which could be immediately applied at Exxon. Other factors are to be considered in selecting a kind of biometric technology. These factors include the environment or organization where the biometric technology would be applied, the profile of the users, the requirements for verification, the level of accuracy, ease of use, incidence of error, and long term stability are all to be taken accounted for. In addition, the costs and capabilities are relevant factors that some organizations figure to be their deciding points. Most organizations still could not afford utilizing electronic technology due to the capital outlay needed to install and utilize the system. The cost, for example, of applying fingerprint scanning is still relatively expensive as compared to the traditional modes of ID badges. Further, upgrading an organization’s communication system would entail an investment in time, money and effort to conform to the ever changing and developing technology that the electronic industry accords. To further protect personnel of Exxon, particularly from various threats, the program on risk management and emergency preparedness must be disseminated continuously through orientations, training, conducting simulated “product spills, fires, explosions, natural disasters, and security incidents” to make all personnel aware of appropriate response. The preliminary budget projected to be spent to convert into biometrics is $30,000 including the security and information technology personnel who would be directly involved in maintaining and monitoring the upgraded biometric system in terms of reorienting and training authorized personnel to support this continuously evolving project. Information System Protection of information and data on the other hand, could be addressed through strengthening firewalls and applying appropriated software and hardware shielding devices to prevent communications and technological intrusion. (WBDG Safe Committee 2009). As part of the risk and security management plan of an organization, the communications system that has not been originally designed to incorporate security devises should immediately opt to upgrade their current system. The purpose for upgrading the information and communications system is to detect and defend against data breach in computer networks. Every organization should devise security controls to safeguard their computer systems. Inventories of authorized and unauthorized hardware and software should be kept. Secure configurations for hardware and software, and for network devices, such as firewalls and routers, should be used whenever possible. Boundary defense is important. Complete security audit logs should be maintained and routinely analyzed. Other protective measures are: application of software security; controlled use of administrative privileges; controlled access based on the need to know; continuous vulnerability testing and remediation; dormant account monitoring and control; anti-Malware defenses; limitation and control of ports, protocols, and services; wireless device control; and data leakage protection. The rationale and benefits associated with upgrading the information and communications system are as follows: (1) it would assist the organization in operating in a safe and secure manner and facilitate the reliable delivery of products and services; (2) it would offer the company access to resources that help them evaluate and elevate their cyber security preparedness; (3) the number of common coding mistakes and bugs would decrease as a result of software and technology vendors adopting more secure software development lifecycles and more prudent secure coding practices; and (4) it would immediately detect and deter unauthorized access to the organization’s computer network. Aside from the benefits of upgrading the information and communications system, there are costs associated with the project, as follows: (1) the amount of capital outlay needed to upgrade both the information and communications system should be accommodated by the budget of the organization – this is projected to be reach $150,000; and (2) the security and information technology personnel who would be directly involved in maintaining and monitoring the upgraded information and communications system should be reoriented and trained to support this project upgrade. Conclusion The essay was able to proffer the design for physical, personal, and information system(s) security plan for Exxon Mobil with respective rationale for the defined security areas. In addition, preliminary budget considerations for the aforementioned security plan were detailed. The current security system employed by Exxon in the areas of physical, personal and information systems was briefly presented to determine the necessary measures to implement in the plan. As identified, since substantial investments have already been set to ensure the safety and security of the organization’s resources, improvements were identified to achieve security objectives. Strengthening the foundation of buildings, grounds, and perimeters to ensure protection from collapse and fortuitous events, protecting pathways into the building, and upgrading the perimeter fence are critical in improving physical security. Converting into biometrics would enhance personal security measure over time. Installing protective measures and upgrading the information and communication systems would help prevent communications and technological intrusion. In addressing the concerns emerging on increased security strategies, the most critical factor to consider is the organization’s awareness to the threats, issues, developments, applications that encompass overall security. Knowledge of one application or devise to counteract security breach might not be enough to completely ensure protection of the organization’s information and communication system. Whatever the determining points that an organization considers in deciding the applications for physical, personal and information systems security, it should be noted that every organization’s goal would be to ensure the effective and efficient conduct of their daily operations and activities while providing for its personnel's security, safety, and well-being as a high priority. All areas (building, grounds, perimeter, access controls and technology) should be appropriately covered to ward off and prevent harm or damage to the organization. References BioEnable. (2007). Biometrics. Bio Enable Technologies Pvt. Ltd. Retrieved 09 February 2010. ExxonMobil. (n.d.). Workplace security. Retrieved 08 February 2010. < http://www.exxonmobil.com/Corporate/community_safety_security.aspx> Morris, C. (2003). “Alarm Systems Fundamentals”. Protection Officer Training Manual, Unit 3. Elsevier Inc. University of Phoenix, SEC420. O’Sullivan, D.A. (2003). “Physical Security Applications”. Protection Officer Training Manual, Unit 3. Elsevier, Inc. Licensed to University of Phoenix, SEC420 SearchSecurity.com (2009). Biometrics. TechTarget. Retrieved 10 February 2010. Task Committee (1999). Structural Design for Physical Security. ASCE. US Army Garrison – Redstone Arsenal. (2004). Environmental Assessment for Upgrading the Perimeter Fence at Redstone Arsenal, Alabama. Retrieved on 11 February 2010. WBDG Safe Committee. (2009). Provide Security for Building Occupants and Assets. Retrieved 11 February 2010. < http://www.wbdg.org/design/provide_security.php> . Read More