Corporate Security Frameworks
We are highly focused on security in the corporate environment. We build corporate security frameworks for new companies and we help make existing ones better. We do this in the government, public and private sectors. We specialize in government, the bulk electricity sector and the foreign extractive sector.
What is a Corporate Security Framework?
Today’s corporations, regardless of size, require a coordinated, comprehensive, economical and strategic system to protect all assets and company activities. Primoris Associates has developed such a framework for use with large and small businesses, government and international concerns.
Corporate Security is most effectively done under one, inclusive umbrella which manages all its facets. In this way, it better aligns with the corporate mission, vision, and values. Organizationally splintered security is often affected by local agendas and incidents, a lack of corporate penetration, and low alignment with corporate goals.
Key Benefits of Corporate Security Frameworks
- Gets stakeholders involved
- Strategic alignment with corporate mission, vision, values
- Eliminates corporate security silos by enhancing communication in this critical area
- Comprehensive
- More effectively channels resources to where they are most needed – your company’s operations
- Becomes a marketable company asset
- Creates greater corporate accountability of a critical, company-wide service
- Economical
The Primoris Associates Corporate Security Framework
Security Governance
We need not tell you that the security function in a corporation does not work by itself. In fact, it makes decisions based on business plans and goals. It plans, provides advice and executes approved programs.
Its activities are governed by senior management and the security function is most effective when it reports to the top of the organization (or very close to the top). Senior corporations that take security seriously often create a Chief Security Officer (CSO) position which operates at the Vice President level.
How corporate security is governed is an important topic which is the domain of senior management. Since corporate security is a transversal activity, a system of supervision, budgeting, policy making and management briefing must be clearly established and ratified for it to be successful.
Policy Making
Company policies are the internal “laws” or rules of the company. They dictate how the company will act in a given situation. They are the foundation of most areas of the company such as finance, public relations and, very importantly, security.
Generally, the security director or manager is the leader in security policy development. The security director must understand corporate management and policy making; he or she must establish the method of policy creation, ratification, socialization and maintenance. These are the tools which will be used to support the policy program.
The security leader must forge security policies that align with the mission, vision and values of the corporation. She/he should have considerable experience in this area to ensure the success of the security function in the corporation.
Personnel Security
Personnel Security is an important key to workplace efficiency. Personnel who understand that their employer is concerned about their welfare in all work-related matters are more productive. Employers who make this investment reap real rewards from a happier, more stable workforce and benefit from reduced liability related to the workforce.
Personnel security considers such things as:
- Workplace harassment (both from within and outside the company)
- Executive protection measures and training
- Employee safety
- Security measures outside of work resulting from work-related activities
- Mitigation for liability which could accrue to an employer if incidents occur
Physical Security
Physical Security ensures the valuable physical assets of the company are protected and used towards attaining corporate goals. It is a way to make sure that employees are safe at the worksite, that valuable assets are available to get the job done and that losses are quickly observed so that preventative measures can be applied.
Physical security can take many forms:
- The physical enclosures around all assets
- A financial audit program to eliminate fraud
- A workplace vulnerability identification program and policy that matches operational activities
- An appropriate background-check system for all employees
- The reception and visitor program and policies
- A regular threat and risk assessment
The foundation of physical security is the threat and risk assessment (TRA). It identifies all assets, reviews protective measures, vulnerabilities, threats and calculates risk.
At Primoris Associates, the senior consultant is a Certified Protection Professional of ASIS International and has experience in all matters of physical security as a corporate director of security.
Security of Information
Every day, Information Technology (IT) reminds us how it has pervaded our lives more than any other technology in history. While this technology continues to grow in functionality and complexity, security has still not taken its rightful place. As its complexity grows, it is more and more difficult to be confident that IT systems will deliver the three pillars of their design function: Confidentiality, Integrity, and Availability of information. IT security is about the protection of systems which handle your valuable information. Information security is about the protection of information in all its forms.
To accomplish satisfactory security of the important information your company handles daily, a number of practices must be properly applied:
- A Threat and Risk Assessment (TRA)
- IT security standards such as the ISO 27000 series
- Agreeing on accepted practices and making them known through an Acceptable Use Policy
- Training of all employees
- IT incident handling
- Audits and reviews
Much about information security is not about technology. The IT network in your company is a tool which can be used to do many things. It is up to you to decide what will be permitted. Policies, awareness, and information security measures are required to reap the benefits of an extensive IT system and avert the hardship it can also bring.
Primoris Associates consultants are senior experienced people who have worked with large corporate IT systems in government and the private sector. They are capable of delivering information security measures that meet the corporate strategies and culture of any organization.
Essential Infrastructure Protection
Every company has Essential Infrastructure or Critical Infrastructure. This is the subset of its infrastructure without which it could not continue its operations. This would be the sterilized operating room for the surgeon, the brake system on the bus for the bus driver, or the sales database for the on-line retailer. Without these things, business comes to a sudden halt.
As with any sensitive or critical asset, special care must be taken to protect these through a standard process:
- A threat and risk assessment to identify the infrastructure and threats against it
- An initial mitigation of identified threats
- A plan to deal with residual threat
- The plan must be written, trained, tested, resourced and unified
- Continuous updating and vigilance
Many companies do not make the effort to identify these important assets. At Primoris, we believe that a company is only as good as its ability to continue its business at all costs.
NERC – The principal consultant of our company contributed to the international team that wrote the Critical Infrastructure Protection Standard – CIP 002-009. This is the North American Electric Reliability Council’s permanent cyber protection standard for critical infrastructure controlling bulk power systems. He is an expert in the knowledge and delivery of these requirements.
Additionally, he was on the Government of Canada Federal Task Force which created Canada’s Office of Critical Infrastructure and Emergency Preparedness (OCIPEP), now Public Safety Canada. He has a deep understanding of all matters related to critical infrastructure protection.
Security Intelligence
Effectively dealing with threats from the operational environment cannot occur without reliable information. Security practitioners continually monitor this environment and develop human networks to gather and share important information. Primoris has created security intelligence programs that even reach into local government authorities. This is a particularly sensitive part of the security plan which must be done well.
Business Continuity Planning
Please take this test:
If all your business functions were stopped tomorrow, which would you start first? Which would you start second? You have just conducted an elementary criticality assessment, one of the foundation pieces of a Business Continuity Plan (BCP).
At Primoris Associates, we do it more methodically.
Business Continuity is a key part of any business. It is your road map of what to do when things go wrong. Business Continuity is a superset of Critical Infrastructure Protection, another key plan in any business.
The approach to BCP is relatively simple but it does require effort:
- Identification of critical business functions
- Identification of threats and risks to these functions
- Conduct of a business impact analysis
- Having the business owners of the functions make plans for how they could continue if affected
- Having the company make corporate-level continuity plans
- Write, train, test, resource and unify the plans (WTTRU)
- Keep them up to date through periodic reviews and drills
Primoris Associates is experienced in developing business continuity plans for all types of business and governments. It takes a standards-based approach to this using such tools as CAN/CSA – Z731-03 (2014), a standard of the Canada Standards Association.
As well, businesses may require many other plans depending on their operating environments:
- Evacuation plans
- Special insurance plans
- Disaster recovery for physical and information technology
- Critical Infrastructure Protection
- Aeronautical/nautical emergencies
- Pandemic
Security Investigations
It is inevitable that security practitioners will be involved in internal investigations or police investigations. This is a critical business activity which must be performed well. It may involve having the in-house security personnel conduct investigations, hiring outsiders to conduct investigations, or assisting local police in investigations. Whichever the case, the security function must develop the skills and experience to handle this. At Primoris, we have policing experience and corporate investigation skills to assist you in developing this activity.
Training and Awareness Program
Employees cannot comply with security unless they are aware of it. Making them aware sometimes involves only e-mail or an intranet posting. But, sometimes this will not sufficiently induce the behavior change required for a good “culture of security” in an organization. Training is often the only way to achieve these important objectives.
We have explained the difference between training and awareness elsewhere on this site. The main factor is accountability.
Training – Key Benefits
- Delivery of precise security information to all employees for which they can be held accountable
- Testing and certification for better corporate accountability
- Close contact with employees can identify other concerns for the company
- Employees see training as an investment in employees
- Corporate and employee accountability
Products:
- Training needs identification
- Training development
- Delivery
- Testing and Certification
- Long-term maintenance
Key Areas for Training
- Employee orientation
- New, complex, company policies
- Regulatory requirements from industry
- Legally required to meet laws or standards
- Health and Safety practices
- Key safety concerns, e.g.: emergency evacuation procedures
- Solve identified performance or security problems
Primoris Associates Inc. is experienced and capable of delivering the full range of training products required in industry.
Corporate Training Tip
One challenge in delivering effective corporate security training is getting the engagement of a busy employee audience. Often, employees attend training because “the boss sent me” or “this was better than that budgeting meeting.”
Many people respond to the WIIFM motivator – What’s In It For Me? One way to get good attendance and engagement is to give employees something they can take home – security information for their personal lives. Make it a security department policy that you will *always* do this in every training course or awareness piece.
For example, are you training on information security? Near the end of the session, explain to employees how identity theft works. Tell them how to minimize their risk at home. Tell them that you recently saw a crosscut paper shredder at Staples in the Northwest Mall on sale for 60 bucks.
When employees know that there is something in it for them, they will be much more enthusiastic about attending your sessions or reading your awareness posters. Cost to you – minor; return to you – major. Make it your commitment to them and they will be committed to you and your security goals.
Workplace Health and Safety
Workplace Health and Safety is not just for construction sites. Aside from legal requirements, there are many valid reasons for workplace health and safety programs in the office and corporate setting.
- Although few daily hazards are present, having a system of review and documentation of workplace injuries creates a legal paper trail which is valuable in any subsequent legal actions. A review process also promotes good employee relations regardless of the environment.
- Provincial laws typically require that all employers consider workplace violence “a hazard” and often require threat assessments.
- Employers should establish an emergency response plan for responding to an emergency that may require rescue or evacuation.
- Simple hazards in the office can lead to major problems, e.g.: tripping hazards, cutting hazards, etc.
Measures are not difficult to implement. They are valuable and will be seen as valuable by all. However, many employers are unaware of these codes and are in continuous violation of them.
At Primoris, we have delivered these programs to corporate Canada. Setting up a WH&S committee, documenting incidents, conducting quarterly workplace inspections and workplace violence prevention training are all valuable investments in corporate well-being, productivity and security.
Audits and Compliance Reviews
As with any business program, corporate security frameworks should be reviewed occasionally to ensure that goals are being met and the program is effective and efficient.
This is why reviews and audits are important. Though the idea of an audit may make some wary, audits can be as simple as internal reviews and reporting by business units. They can bring about security awareness. They are useful in preparing for more advanced or sophisticated external audits.
In short, an in-house program of audits and reviews is a valuable tool to ensure your security investments are working for you. Strong compliance can be a valuable marketing tool, both internally (with the Board) and externally (with customers or stakeholders).
Primoris Associates personnel have experience in designing and delivering all forms of security audits.
Corporate Social Responsibility
Modern companies operating in risky environments (extraction, construction, environment) gain great benefit from applying corporate social responsibility (CSR) practices. Indeed, governments are requiring companies to maintain these practices in order to maintain government operating permits. Many guidelines and standards can be applied.
Examples are: Voluntary Principles on Security and Human Rights; UN Declaration on Human Rights and the UN Policy on Police Use of Force. Primoris Associates has experience in designing and applying frameworks which corporations in special environments can hold up as industry standard.