Security Technology Executive

MAY-JUN 2016

Issue link: https://securitytechnologyexecutive.epubxp.com/i/690996

ENTERPRISE RISK MANAGEMENT

departments miss. "We had a very formalized and strategic planning process from the beginning and we have held fast to it, doing it every year," Cowie explains. "We have a process of dissecting and understanding our environment, doing critical analysis of where those gaps are so we can meet the challenges. We are in the risk business as an organization, so being able to articulate risk to key stakeholders and senior management here is critical. Being a financial company, they understand risk, so you can speak their language."

Identifying the foundational elements of a proactive security and risk department, then applying a holistic risk-based model and standards has made Principal's process one to emulate, says Jim Ellis, Assistant Director — Site Security — one of the key architects working with Cowie over the past 11 years. Ellis is responsible for the establishment, implementation and management of a fully integrated, worldwide technical physical security program for the global organization, along with providing technical expertise for the establishment of physical security standards.

"We've developed a great relationship with our computer support, information technology, information security, network and storage teams over the years, to the point that they holistically understand what we need from a technology and support perspective — and we understand what they need from us in terms of requesting resources, documenting requirements, and following company policies on application use and network configuration," Ellis says. "We're very proactive with having our systems stress tested in a variety of ways to ensure security and reliability."
Integrating Technologies

Ellis explains that they were already migrating into the technology arena with 20 applications unique to their department — moving to network-based card access controllers and appointing an in-house support person who had come up through the department. They were becoming IT proficient to help support their big push into network-based devices with a camera upgrade.

"Our project management resources did a great job of planning with us and taking what we thought we wanted (such as a physically separate or segmented network, redundant paths, and power) and translating them into requirements that the IT folks then reviewed with us and assured us they could provide," Ellis says. "Now that the company is looking much harder at network segmentation as a best practice, it is nice to know that we were a little ahead of the game in that regard — we already knew that was a beneficial design requirement."

Ellis adds that the IT team looked at all of the system applications holistically and tested them within the network to make sure they were as secure as possible before the team moved on to the task of migrating to a new application for recording the system's cameras. This became the roadmap not only for the organization's system design but for the later migration to increase levels of support, redundancy and upgrades of all the company's global systems.

"Years earlier, we learned that we needed redundant storage, so there were some elements that IT already knew we wanted, and they had already designed into the architecture for this new system," Ellis explains.

The company upgraded more than 300 analog cameras to IP network cameras using encoders and then upgraded to IP cameras six months later. Last year, they were able to migrate the few remaining analog cameras to IP in areas where no infrastructure exists, using fiber and IP over fiber encoders.
Cowie cites security vendor consolidation as a positive for a company the size of Principal because it makes it easier to execute more

Sandy Cowie oversees site and personnel security/safety and has global business continuity responsibility for the company, including investigations, access control and physical security planning, executive protection, intelligence, emergency management and two global emergency response centers. Photo Courtesy of Principal
