
Successful Security Management - Research Paper Example

Summary
The paper "Successful Security Management" highlights that generally speaking, success in security management depends upon the efficiency in control mechanisms introduced and its continuous evaluation of its usefulness under the changed circumstances…


Successful Security Management

Introduction

Security is associated with risk and uncertainty. The statement ‘Successful security management in any organizational context must be driven by an agenda to enhance the financial viability of the organization’ is based on the fact that risk is all-pervasive and therefore the financial viability of an organization depends upon avoiding risks at all stages by resolving uncertainties. Risk is not completely unavoidable in a business organization, and security planning is essential to create a secure environment. Perception of risk varies according to the awareness among the people at different levels. Since security is a mission to protect the people, property and the business, an integrated approach in policy making is essential for successful security management.

A formal security framework in an organization incorporates various security controls which need continuous review for efficient functioning of the security system. A good security management model envisages security standards for effective practice, which increases the confidence level of the various stakeholders of the organization. The structure for security management in an organization should be established with clear-cut authority and clarity in the reporting system, since coordination during times of exigencies and emergencies will be very crucial. This ensures proper communication at all levels, improves coordination and avoids delays.

Concept of risk and security

Talbot & Jakeman (p. 10) state, “The term “security” can of course be a much broader term. For example, if we consider security as a “state of being protected from hazards, danger, harm, loss of injury,” it also includes elements of protection from natural disasters and concepts of organizational resilience.” Security management is closely related to risk management.
Risk could emanate from various factors, such as accidents in the workplace, damages due to acts of god, eruption of fire, wars, political and communal violence, and theft and loss of confidential information and business secrets. A combination of one or more factors may lead to loss of financial resources and bankruptcy. Risks also involve the health and safety of people and property. The liberalization and globalization drives in various countries have actually increased the risk profile of projects and businesses considerably, due to innovations in information technology and telecommunications, and pose threats to the lives of industrialists and politicians. Industrial espionage, which is aided by sophisticated communication gadgets, is on the rise in various countries. Gill (2008, p. 4) states that the security world is full of dedicated and very highly skilled individuals, but the world in which they work has yet to find the right structures to ensure that minimum standards are maintained for all those practicing its skills. Therefore, concerted action on the part of the management, by establishing an appropriate security management structure for following the best management practices to ward off the risks and enhance the security level, is essential for successful security management.

Security Management

Success in security management is difficult to measure, because the factors concerning security are uncertain in nature. However, prevention is better than cure. Keeping this concept in view, every activity related to the business needs to be brought under the purview of security management for analysis of the attendant risks. This includes even the travel programs of the top executives and board members, since their health and safety is important for managing the affairs of the company. Therefore, what is relevant is dictated by the event’s impact on people, property and business operations.
Identifying risks, making assessments and classifying the risks are the important preliminary steps in risk management. Activities more prone to risks deserve critical analysis. Risks vary from the perspective of different functions. For example, financial risk is different from risk to health or safety in a workshop. But the impact of a huge financial failure may affect thousands of employees in a business. In financing functions, the budgetary control system and auditing are considered to be the primary tools in security risk management. The degree of importance attached to various types of risks varies. Therefore, classification of the risks should be on a scientific basis. Quantitative techniques can be used for making predictions with regard to the chances of anticipated risks materializing. If all the attendant risks are accounted for, appropriate action to prevent such risks can be planned for effectively. This strategy will avoid the risk associated with the task, reduce the risk level or mitigate the sufferings arising on account of risk.

Continuous monitoring of risks for their impacts, as well as of risk parameters, will improve the security level and indicate the efficiency of the risk management process. For example, when the number of accidents on the shop floor is reduced compared to the previous years or the industry average, or losses have been prevented by removal of a particular clause in the contracts with the customers, these benefits could be attributed to the efficiency in security management. Therefore, the overall impact of risk avoidance measures could be quantified reasonably. Additionally, the implementation of the risk avoidance strategies creates awareness among the employees, because risk is mostly associated with ignorance. Therefore, training employees on risk management plays an important role in the overall perspective.
Success in security management lies in proper classification of risks, implementing the risk avoidance measures, and educating and training the people on security measures, and this could be measured based on the achievements and results.

Security in industrial set-up

Security in an industrial setup is mainly concerned with the health and safety of the people and properties, though information has become an important element in the evolution of security management due to its potential to harm the business operations. Siljander, R. P. (2007, p. 10) states that there are four procedural steps in the risk management process: Hazard Identification and Analysis, Treatment Techniques Selection, Implementation of the Treatment Techniques, and Monitoring of the program results, which prevents direct and indirect losses. Industrial units are vulnerable to attacks due to various external factors such as competition, terrorism and other unforeseen disasters. According to Sennewald & Tsukayama (2006, p. 4) the investigative process “seeks answers to the basic questions – What, who, where, when, how and why…“ Security measures implemented in industrial establishments ensure preparedness at all times to meet these challenges. Using gloves and helmets, taking precautions in handling hot materials, or restricting the movement of unauthorized people near the working places are examples of some of the security management principles in dealing with the risks. Button (2007, p. 181) observed that in undertaking their work security officers are faced with a variety of occupational hazards.

Many industrial establishments move very little beyond these basic principles to adopt a comprehensive risk management strategy. Siljander, R. P. (2007, p. 7) states “many businesses did little to protect themselves from the threat of crime beyond locking their doors…Rather they placed heavy reliance on public law enforcement to prevent a crime…” A comprehensive security framework focuses on compliance, prevention, preparedness and mitigation. Failure to comply with the regulations is the primary reason for accidents. Compliance ensures security and prevents damages and losses.

Financial Security Management

Compliance with the established regulations, whether statutory or internal, needs to be monitored in any business setup on a continuous basis to prevent not only accidents, as in the case of industrial establishments, but also misuse of authority or misuse of corporate funds in the case of the financial functions of an enterprise. This has been exemplified in the Enron Scandal. Hanson (2002) says, “The board of directors was not attentive to the nature of the off-books entities created by Enron, or to their own obligations to monitor those entities once they were approved. The board did not pay attention to the employees because most directors in the United States do not consider this their responsibility.” This clearly illustrates the nonexistence of management with regard to the financial security of the business.

The subprime crisis in the U.S. could be attributed to the lack of a proper security management system in the financial sector as a whole. “The justice department filed a civil complaint in New York seeking recompense for some of the massive losses suffered by quasi-government controlled mortgage finance firms Freddie Mac and Fannie Mae following the collapse of the ill-fated housing boom” (Rushe, 2012). This complaint against Bank of America indicates that the risks involved in the operations have not been analyzed with due care. This is due to the lack of a good security management system with efficient control measures.
Failure of the control system to treat the risk properly in security management in the case of banks and financial institutions affects not only the particular banks and the financial services sector, but the entire economy. This situation made the world focus its attention on the security management system in the financial services sector. For security management purposes, there are several security control measures adopted apart from budgetary control and auditing. If the risk is inevitable and there is no way out, ways and means to control its impacts through advance planning should be considered by way of mitigation.

During the recent financial crisis, many banking companies got themselves entangled in exotic derivatives. McGriff (2012) states, “Thirty percent of those derivatives are held by just three banks: JP Morgan Chase, Citibank and Bank of America. The number one bank, JP Morgan Chase Bank has 43 trillion dollars in derivative exposure – more than the entire GDP of the entire world economy! Chase is in a precarious position. It lost billions in bad loans to companies like Enron, Tyco, Global Crossing and countries like Argentina. This sets up a spiral. The bank’s Standard & Poor’s rating keeps dropping.” The management’s policy towards the ‘acceptable level’ in assuming risks may vary from company to company. But the quantum of exposure to derivatives indicates a lack of fundamental grip over risk management and, consequently, security management. Transfer of risk is a form of reducing the risk level in security management.

Security Management Model

Risk Evaluation

Since risk is inherent in the business, the companies which want to diversify their portfolio, based on risk-reward calculations commensurate with their ability to take risk, get the financial assets transferred to them. Re-insurance in the insurance sector is the best example of transfer of risk.
Information Security Management

In normal circumstances the security control measures include access control, logging and locking of the systems, password protocol, video monitoring, and general monitoring over the movements of people to avoid unauthorized entries. The innovative products introduced by the financial service sector, including banks and insurance companies, are based on the latest information and telecommunication technologies. Mobile telephony has increased the speed of convergence in technologies. Therefore, security management in the financial services industry would not be complete without taking these developments into account. In fact these two areas are seamlessly integrated, and hence the financial services cannot be isolated for any meaningful study. The basic concept of the various security management models undergoes changes depending upon the industry, with an increase in layers in presentation. However, in the case of information technology, it will portray Data, Application, Presentation, Segment, Data Link and Network, in tune with the technicalities involved, for clarity and better understanding.

ISO/IEC 17799: This standard “establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization” (ISO, 2005). It contains best practices of control objectives and controls in various areas of information security. (Please see Annexure I).

Financial and Information Security Management

The introduction of online trading facilities by the leading stock exchanges, and of internet and mobile banking by the banks, has required the industry to invest heavily in infrastructure related to information technology and telecommunications. Highly skilled employees in hardware and software should be appointed for efficient running of the systems.
Since the company’s money and public money are involved in shares, stocks and securities including derivatives, an excellent control system should be in place. Apart from access through passwords and change of passwords, which are preliminary controls, the system calls for graded access. Financial limits are fixed for different categories of employees, authorizing them to enter into transactions within their limits. Similarly, depending upon the sensitivity and risks involved in keeping the same person with the same responsibility for a longer period in a particular position, people are transferred to other sections of the organization. In this case, frauds or mismanagement, if any, committed by the earlier person but covered successfully because of his connections with outsiders, will be revealed by his successor in his own interest and for safety.

It is also important that, in the case of financial products, matters related to security aspects undergo thorough analysis in the light of the developments in technology, to avoid misuse of these instruments or data by others. Also, the data related to the customers, such as their phone numbers, email ids, addresses, details of the nominees, or letters of authority given to the brokers or other third persons, are confidential. The security system and its controls should ensure that such information about the customers is protected.

After dematerialization of shares and securities, the responsibilities of the depositories have increased considerably. The securities are now transferred electronically to the stock exchanges or to the customers’ accounts with their depository participants. Therefore, tracing the origin of mistakes and taking remedial actions to rectify them will be very difficult. The FBI has issued tips to the public to protect them from various forms of internet fraud under different categories, which include tips for avoiding credit card fraud.
In cases of credit card fraud, the banks are also affected, apart from their customers. Therefore, the banks are under obligation to introduce necessary changes and educate the public to protect their customers. Robertson (2011) states, “The U.S. currently accounts for 47% of global credit and debit card fraud even though it generates only 27% of the total volume of purchases and cash, according to Global Card Fraud, from a recent issue of The Nilson Report.” Mistakes, once they have happened, cannot be rectified easily, since in most cases the control systems of the counterparts won’t allow retrievals. Where it is possible, the procedure will be tedious and at the cost of the reputation of the management. The statutory requirements call for strict discipline where the interests of the investors are concerned. Legal systems in many countries, including the developed ones, are not conducive to claiming damages or bringing the culprits under law. Also, where cross-border transactions are involved, the different legal systems make it more difficult.

In the normal course, the checks and balances available in the prevailing systems prevent chances for mistakes. Mistakes are reduced to almost zero level in the areas discussed. However, if there are manipulations by outsiders, either with or without the cooperation of the company officials, the controls in place may not be adequate, considering the methods that could be employed by techno-savvy manipulators to circumvent the control procedures. Therefore, designing a foolproof system, upgrading the system with the latest developments in technology, and constantly changing parameters to frustrate the intended manipulation is a challenge to the software engineers of the companies or the software providers. Under these circumstances, the skills required by the employees to function effectively in the changed environment have to be improved.
Suitable training programs need to be introduced to increase their security consciousness for effective functioning. This training is required at all levels because, if everybody is aware of the functioning and procedures, chances of misuse of the systems by some vested interests could be avoided. NIST Special Publication 800-12, The Computer Security Handbook, acts as a reference guide and “provides assistance in securing computer-based resources (including hardware, software, and information) by explaining important concepts, cost considerations, and interrelationships of security controls. It illustrates the benefits of security controls, the major technique or approaches for each control, and important related considerations” (NIST, 1995). This basic document is supplemented with changes and new issues through the Computer Systems Laboratory’s CSL Bulletin series.

Conclusion

Success in security management depends upon the efficiency of the control mechanisms introduced and their continuous evaluation for usefulness under the changed circumstances. Comparing the company's performance with the industry performance reveals whether the company lags behind the industry in security management. If the performance of the company is better compared to the industry average, the company can’t be complacent about its performance. Keeping the best performer in the industry as an example, the company needs to fine-tune its strategies and control measures. However, it is also important that its performance compared to the previous years is consistently improving over a period of time. This could be achieved only with continuous review of the controls, revising them in tune with such changes. By adopting these strategies, companies could be successful in security management in the long run.

Bibliography

Button, M, 2007, Security Officers and Policing, Ashgate Publishing Limited, Hampshire, England.
Federal Bureau of Investigation, Common Fraud Schemes, viewed 18 November 2012

Gill, M, 2008, Theory and Practice of Asset Protection, Security Supervision & Management, 3rd Edition, Ed. Davies, SJ & Hertig, CA, Amorette Pedersen, Oxford, UK.

Hanson, K, 2002, Lessons from the Enron Scandal, Interview, Santa Clara University, viewed 18 November 2012

ISO, 2005, Information technology – Security techniques – Code of practice for information security management, viewed 18 November 2012

McGriff, D, 2012, Derivatives, Fascism and the Almighty Dollar, The Tribulation Network, viewed 18 November 2012

NIST, 1995, An Introduction to Computer Security: The NIST Handbook, viewed 18 November 2012

Robertson, D, 2011, U.S. Leads the World in Credit Card Fraud, states The Nilson Report, viewed 18 November 2012

Rushe, D, 2012, US sues Bank of America for $1bn over hustle mortgage fraud scheme, The Guardian, viewed 18 November 2012

Sennewald, CA, & Tsukayama, J K, 2006, The Process of Investigation: Concepts and Strategies for Investigators in the Private Sector, 3rd Ed., Butterworth-Heinemann

Siljander, R P, 2007, Introduction to Business and Industrial Security and Loss Control: A Primer for Business, Private Security, and Law Enforcement, 2nd Ed., Charles C Thomas Publisher Ltd. Illinois.

Talbot, J & Jakeman, M, 2009, Security Risk Management: Body of Knowledge, Wiley & Sons.

Annexure – I

ISO/IEC 17799:2005 Best practices of control objectives and controls: areas of information security management.

security policy; organization of information security; asset management; human resources security; physical and environmental security; communications and operations management; access control; information systems acquisition, development and maintenance; information security incident management; business continuity management; compliance.