Organization of a comprehensive system of enterprise security

This article outlines the author's views on applying a comprehensive methodology for ensuring the security of any enterprise, based on many years of experience in developing and creating specialized security structures. So, we will talk about the creation of Comprehensive Enterprise Security Systems (KSOBP).

The very name “Comprehensive system of enterprise security” seems, at first glance, rather abstruse and pseudo-scientific … But let’s look at each of the basic terms that make up this name.

 

Comprehensive – involves the use of various means, methods and techniques for a single purpose.

System – a set of elements interconnected by various links. Systems are created for a certain time to achieve specific goals.

Provision – any system must have the necessary resources in order to realize its goals and objectives.

Security – the state of an object being protected from external and internal risks, dangers and threats.

Enterprise – any economic entity in the market.

 

As we can now see, there is nothing overly complex in the name itself. The difficult part is putting into practice a manager's understanding of the problems related to the security of his business. In its most general form, the problem sounds like this:

To create and put into operation a system of interrelated structural elements in the enterprise that adequately responds to emerging risks, dangers and threats, and also allows the business owner to estimate the costs of neutralizing them.

Is this a realistic task? The author's long experience shows that it is, quite!

 

A practical example. Volga Region, 2007, a large machine-building enterprise … Introducing an integrated approach to the operation of the security system reduced the enterprise’s losses by 800 thousand rubles in three months. True, this led to several leading employees from the sales department, the design department and the storage facilities resigning of their own accord …. Can you guess the reasons for such a radical step?

The author is far from thinking that respected readers have never encountered the fact that the enterprises where they work implement the security function in one form or another. The palette of methods and means used is the widest! It can be a single security guard in a handsome uniform at the entrance, or the facade of an office building studded with CCTV cameras, or specially appointed people in strict suits and ties asking employees “special questions” …

 

Of course, all of the above elements of the security system have the right to exist. Our task is to make these different elements become parts of a single, stably functioning organism.
So, where do you start?

 

Step One – Evaluate what already exists! 
How to do it? Perform a security audit. This does not require huge financial and time costs. There is no need to invite an “expert group” (usually this is the accepted path), whose work and report will amount to a thick, solid folder of stillborn provisions and instructions that no one will ever be able to carry out. Organize a number of tests of your own enterprise yourself.

Test number 1 – a physical penetration test. Let a person specially selected for this purpose try to enter the territory of your facility (office, building, warehouse) on a regular working day under a fictional cover story and stay there as long as possible without attracting attention, collecting information about the enterprise and its employees. Track the reaction time of your security system (if, of course, there is any reaction) to such an intrusion.

Test number 2 – a network and communications penetration test. Nowadays it is not difficult to arrange with a computer specialist who knows “hacker methods” to attempt to penetrate your enterprise's computer network and download commercially valuable information. Will your employees notice such a virtual visit?

Test number 3 – a test of vulnerability to sabotage. Unfortunately, attempts to compete by uncivilized methods are not rare at present, and terrorist acts cannot be ruled out either. Analyze whether the enterprise has vulnerable points, the impact on which could bring the enterprise to a complete halt or destroy it. Have a specially selected person attempt to gain access to these points, imitating an act of sabotage.

A practical example. An analysis of weak points at a television equipment assembly plant showed that there was a device whose disabling by a short circuit could bring the company to a standstill for a period of up to two months. Moreover, access to this device was completely unrestricted. Now, of course, the device is housed in a special room with restricted access and is among the protected objects.

If you, dear reader, find it difficult to conduct such tests, leave this to the professionals. In this case, the test results will be known only to you, and in addition you will receive recommendations for “plugging the holes” in your security system.

 

Step Two – Identify and evaluate the risks, dangers and threats that exist specifically for your company at this time.

Risk – the possibility of failure of the actions being taken.

Danger – possible or real phenomena, events and processes that could harm the company, up to and including its destruction.

Threat – a danger at the stage of transition from possibility to reality: an expressed intention or a demonstration of readiness by some parties to harm others.

Risks, dangers and threats are not fixed once and for all …. They change over time, and your security system should react precisely to those that are especially relevant and currently in effect. But in the author's opinion, the object of greatest attention should be threats.

 

Step Three – Create a comprehensive enterprise security system (KSOBP), including in it all the necessary elements.

Which elements should be included in the KSOBP?
An exemplary composition is as follows:

  1. Responsible head of the KSOBP.
  2. Security Council.
  3. A specialized structural unit dealing with security issues.
  4. Personnel.
  5. Technical means.
  6. Regulations.
  7. Resources.
  8. Information.
  9. Third-party (attracted) forces.

Consider each of the elements in detail.

  1. Responsible head of the KSOBP.

This can be the owner of the company personally, a hired CEO, an executive director, etc. The main thing is that this person's instructions and decisions are binding on all other personnel.

  2. Security Council.

From the title it is clear that this is a collective advisory body under the responsible head of the KSOBP. It includes the heads of all the main structural divisions of the enterprise and, if necessary, the attracted forces. It must be said that there are different views on the need for this element of the KSOBP. It is often argued that such a council is one more bureaucratic hurdle in the way of decisions within the enterprise and an additional burden on the budget.

The author believes that such a body is absolutely necessary, but it must under no circumstances be bureaucratic! There is no need for periodic meetings of the Security Council to address current issues; production meetings exist for that. But in the event of any crisis, the Security Council meets on an emergency basis. Leaders must be members of it by virtue of their position!

The composition of the Security Council is established by an order and delivered personally to each participant. The main purpose of a Security Council meeting is the announcement of the “crisis plan” and a clear instruction to each executor about his actions at the present moment. The “crisis plans” themselves are drawn up in advance in accordance with the threats facing the enterprise at a given time. The “crisis plan” is kept by the responsible head of the KSOBP, one of his assistants and a specially authorized person (for example, the head of security).

  3. Specialized structural unit for security.

No matter what this element is called (security service, internal control department, risk management department, etc.), it is important that the company has a structural unit or a specially authorized official for whom security is the main activity.

  4. Personnel.

This refers to all (!) of the enterprise's personnel, because the company should have no people who are indifferent to security issues.

  5. Technical means.

Their market is huge, and the variety is countless. Suffice it to say that in developed countries the market for technical security means is growing at a rate of 40% per year! We are interested only in those that are able to respond adequately to the specific threats that arise.

  6. Regulations.

This refers to legal documents binding on all personnel. The main task in developing regulations is not to harm the functioning of the KSOBP.

  7. Resources.

These are the material, financial and human resources that enable the KSOBP to function smoothly and without interruption.

  8. Information.

In this case we are talking about specialized information related to security issues. It must be delivered immediately to the interested consumer, which is ensured by the introduction of relevant regulations.

  9. Third-party (attracted) forces.

This worthy cohort consists of representatives of law enforcement agencies (for crisis situations within their competence), as well as experts, consultants and technical specialists.

When creating a comprehensive enterprise security system, the inevitable question arises: what operating principles must be built into the system from the start?
We list the main ones:

  • The activities of the security system should be based on the country’s existing laws. Only this will allow the company to feel that its existence is secure, and to recover the losses incurred with the least risk.
  • Reasonable sufficiency. The degree of threat must cause an adequate degree of reaction. That is, if a butterfly lands on a person's head, it can simply be shooed away, rather than hitting the head with a hammer.
  • The key word in implementing this principle should be the word “immediately”.
  • The security system should involve all of the various resources the company owns in responding to threats.
  • Security must not be a tribute to fashion; it should really minimize losses and, with the business properly set up, generate income.

Drawing an analogy between the comprehensive system of enterprise security and the human body, we can assume the following:

Responsible head of the KSOBP – brain
Security Council – properties of the mind
Specialized structural unit – immunity
Personnel – body
Technical means – skin covering
Regulations – nervous system
Resources – the body’s resources
Information – blood
Third-party (attracted) forces – medicine

Do you not think such comparisons have the right to exist? The question arises: which of these is the most difficult to establish in our organism? According to the author, it is the regulations … It is they that, like the nervous system of the body, must govern the entire scheme of functioning of the structure we have created. Imperfect or invalid regulations are able to bring to naught any system, even the most perfect one.

 

Step Four – Develop criteria for evaluating the effectiveness of the KSOBP.
This is also a rather difficult question, because each system usually develops its own criteria. There is one general approach: the criterion must evaluate the system's response to a specific threat in real time.

Types of evaluation criteria:

• Quantitative (so many cases over a certain period ….);
• Qualitative (losses decreased by so much, revenues increased …);
• Comparative (compared to last year ….).

 

Step Five – Test the system you have created.
This was discussed above ….

 

Step Six – Decide on improvements to your KSOBP.

As is known, there is no limit to perfection … It is only important to remember that there is a basic economic law of security, which states that “the costs of security should not exceed the effectiveness of implementing the security system.”

 

The question arises: is it possible to create an absolutely perfect security system that completely eliminates business losses? According to the author, no! You can reduce these losses to the level of an “acceptable minimum”. Figures are often cited that in retail trade, for example, this is 2-2.5% of turnover. In any case, the decision on what to accept as “minimum acceptable losses” remains the prerogative of the owner of the enterprise.

 

Sergey Kozlov

Business security consultant

National Training Agency