The Manager’s Handbook


The Manager’s Handbook for Corporate Security

Other Books by Dr. Gerald L. Kovacich

Information Systems Security Officer’s Guide: Establishing and Managing an Information Protection Program: May 1998, ISBN 0-7506-9896-9; published by Butterworth–Heinemann.

I-Way Robbery: Crime on the Internet: May 1999, ISBN 0-7506-7029-0; co-authored with William C. Boni; published by Butterworth–Heinemann; Japanese version published by T. Aoyagi Office Ltd, Japan; February 2001, ISBN 4-89346-698-4.

High-Technology Crime Investigator’s Handbook: Working in the Global Information Environment: September 1999, ISBN 0-7506-7086-X; co-authored with William C. Boni; published by Butterworth–Heinemann.

Netspionage: The Global Threat to Information: September 2000, ISBN: 0-7506-7257-9; co-authored with William C. Boni; published by Butterworth–Heinemann.

Information Assurance: Surviving in the Information Environment: September 2001, ISBN 1-85233-326-X; co-authored with Dr. Andrew J. C. Blyth; published by Springer-Verlag Ltd (London).

Global Information Warfare: How Businesses, Governments and Others Achieve Global Objectives and Attain Competitive Advantages: June 2002, ISBN: 0-84931-114-4; co-authored with Andy Jones and Perry Luzwick; published by Auerbach Publishers/CRC Press.

The Manager’s Handbook for Corporate Security
Establishing and Managing a Successful Assets Protection Program

Dr. Gerald L. Kovacich
Edward P. Halibozek

Amsterdam Boston London New York Oxford Paris San Diego San Francisco Singapore Sydney Tokyo

Butterworth–Heinemann is an imprint of Elsevier Science.

Copyright 2003, Elsevier Science (USA). All rights reserved.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher.

Recognizing the importance of preserving what has been written, Elsevier Science prints its books on acid-free paper whenever possible.

Library of Congress Cataloging-in-Publication Data

Kovacich, Gerald L.
The manager’s handbook for corporate security: establishing and managing a successful assets protection program / Gerald L. Kovacich, Edward P. Halibozek
p. cm.
Includes bibliographical references and index.
ISBN 0-7506-7487-3 (alk. paper)
1. Corporations—Security measures—Management. 2. Private security services—Management. I. Halibozek, Edward P. II. Title
HV8290 .K68 2002
658.4'73—dc21
2002035625

British Library Cataloguing-in-Publication Data

A catalogue record for this book is available from the British Library.

The publisher offers special discounts on bulk orders of this book. For information, please contact:

Manager of Special Sales
Elsevier Science
200 Wheeler Road
Burlington, MA 01803
Tel: (781) 313-4700
Fax: (781) 313-4880

For information on all Butterworth–Heinemann publications available, contact our World Wide Web home page at: http://www.bh.com

10 9 8 7 6 5 4 3 2 1

Printed in the United States of America

This book is dedicated to all the security professionals around the world who are protecting the valuable assets of their corporations—sometimes from each other’s corporations.

Also, a special dedication to some old friends and security professionals who are now working for the Big CEO: George Bennett, Bob DeGraff, Larry LeBaron, Mathew J. Whelan, and Jim Gunther.

Crime, like disease, is not interesting; it is something to be done away with by general consent, and that is all there is to it.
Anonymous

The worth of a book is to be measured by what you can carry away from it.
James Bryce

Contents

Introduction

PART I: THE OLD AND NEW WORLD OF THE SECURITY PROFESSIONAL

It’s a New Century and a New World
  Introduction to the New World
  Summary

New and Old Threats to Corporate Assets, and What to Do about Them
  Introduction to the World of Threats, Vulnerabilities, and Risks to Corporate Assets
  Threats
  The Work Environment Has Changed
  Case Study
  Motivations of Threat Agents, the

A Short History of Corporate Security and Law Enforcement
  Introduction to the World of Security and Law Enforcement
  Definition of Security and Its Environment
  Historical Overview of the Origins of Security
  A Short History of Law Enforcement and Its Relationship to Security
  The Changing Security and Business Environment
  Summary

The Corporate Security Profession
  The Need for Corporate Security
  Corporate Security Today
  The Role of the Corporate Security Professional
  The Required Skills of the Security Professional
  What Kind of People Are Needed?
  Why the Corporate Security Professional?
  Where Is Security’s Place in the Corporation?
  Summary

PART II: THE CORPORATE SECURITY MANAGER

The International Widget Corporation (IWC)
  Introduction
  IWC Background Information
  Key Elements for the CSM to Consider
  Getting to Know IWC
  IWC’s Business Plans
  IWC CAPP Planning
  IWC Departments of Primary Importance to the CSM
  IWC Vision, Mission, and Quality Statements
  Summary

The Corporate Security Manager’s Role
  Introduction to the World of the IWC CSM
  CSM Leadership
  Management versus Leadership
  Customer Expectations
  Executive Management Expectations of a CSM
  Plans
  The SBP’s Specific Goals for the CSM
  IWC Tactical Business Plan (TBP)
  IWC Annual Business Plan (ABP)
  CSM Expectations of Executive Management
  Working with Executive Management
  Working with Corporate Peers
  Dealing with Office Politics
  Representing the Corporation to the Community
  Dealing with the News Media
  Summary

Establishing and Managing a Corporate Security Department
  Establishing IWC’s Security Department
  Duties and Responsibilities
  Planning
  Staffing a Security Organization
  Budgeting
  Controlling
  Working with Your Managers
  Working with Your Employees
  Managing Conflict
  Dealing with Satellite Offices in the United States
  Dealing with Satellite Offices in Foreign Lands
  Case Study
  Quality, Process Improvement, and Metrics Management: Assessing Organizational

PART III: THE CORPORATE SECURITY FUNCTIONS

Administrative Security
  Introduction
  Corporate Security Department Projects
  The IWC Corporate Assets Protection Plan
  Corporate Asset Protection

Physical Security
  Definition of Physical Security
  Security in Layers
  Outer Layers of Protection
  Inner Layers
  Access Controls
  Physical Security Costs
  Physical Risk Assessments
  Physical Security for Classified Government Contracts
  Summary

Outsourced or Proprietary Security?
  Outsourcing: A Definition
  General Information
  The Advantages and Disadvantages of a Proprietary Security Organization
  The Advantages and Disadvantages of an Outsourced Security Organization
  Candidate Security Functions for Outsourcing
  Sample Outsourcing Analysis
  Case Study
  Summary

Personnel Security
  Introduction
  Preemployment and Background Investigations
  Sensitive Positions
  Conducting Preemployment Background Investigations
  Adverse Information
  Workplace Violence Prevention
  Workplace Violence Case Study
  Workplace Violence Prevention Program
  Causes of Violent Behavior
  Changes in Behavior or Appearance
  Crisis Levels and Recommended Actions
  What the CSM and Security Managers Can Do to Prevent Workplace Violence
  What Employees Can Do to Prevent Workplace Violence
  Workplace Violence Response
  A Checklist for the Elements of a Good Personnel Security

Security Education and Awareness Training
  Introduction
  Developing a Security Education and Awareness Training Program (SEATP)
  Automation and Online Information Sharing
  Summary

Fire Protection
  Introduction to Fire Protection
  Fire Prevention and
  Vulnerability to Fire
  Risks
  Fire Prevention and Protection Program—The Elements of IWC’s Effective Program
  Fire Regulations
  Outsourcing Fire Prevention and/or Suppression
  Summary

Contingency Planning
  Introduction
  Contingency Planning Program
  Emergency Response
  Crisis Management
  Business

  Introduction to IWC’s Investigations Organization
  Managing the Investigations Organization
  Investigations Organization Mission, Vision, and Quality Statements
  Crime Prevention Principles
  Crime Prevention Organizational Responsibilities
  IWC Investigations Organization Duties and Responsibilities
  The Investigations Organization’s Strategic, Tactical, and Annual Plans
  Crime Prevention Program and Organization
  Crime Inquiries and Investigative Functions
  Sources, Networking, and Liaison
  A Crime Occurs—Should You Call Law Enforcement?
  Summary

Government Security
  Introduction
  Why Discuss National Security as Part of Corporate Security?
  IWC and Government Agency Contract
  National Security Classified Information
  Assets Protection Requirements in the National Security
  Assets Protection Objective in the National Security Environment
  Responsibilities
  Collective Assets Protection Controls
  The Appointment of the Corporation’s Focal Point for Government Contract Program Assets Protection
  National Industrial Security Program (NISP)
  Homeland Security
  National Infrastructure Protection Center (NIPC)
  IWC Government Contract Award

Information Security
  Introduction
  Three Basic Categories of Information
  Determining the Value of Information
  Case Study—A Process for Determining Information Value
  The Protection of Automated Information and High-Technology Equipment
  IAPS Organization Responsibilities
  IAPS Management Job Description
  IAPS Staff Job Descriptions
  Information Assurance and Protection Program (IAPP)
  Summary

Executive Protection
  An Introduction to Executive Protection
  Why Executive Protection?
  The Threats and Risks
  Know the Protectee
  The Protector
  Advance Work
  Transportation
  Home, Office, and Automobile
  Mail and Packages
  Issues and

ent Security
  Introduction
  Advance Work—Pre-Planning
  Security Operations
  Physical Security
  Information Security
  Staff and Executive Protection
  Contingencies
  Summary

PART IV: THE SECURITY PROFESSION NOW AND IN THE FUTURE

How to Develop and Maintain a Corporate Security Career Development Program
  Introduction
  The Corporate Security Manager’s Career Development
  Establishing and Managing a Corporate Security Career Development

Security Professionals—What You Can Do to Help
  ucational

Ethics and the Corporate Security Professional
  Introduction
  Codes of Ethics
  Corporate Ethics, Standards of Conduct, Business Practices, and Corporate Values
  Impact of Ethics on the Corporate Assets Protection Program
  Summary

The Future of the Corporate Security Profession
  Introduction
  It’s a New Century and a New World
  Summary

About the Authors

Index


Foreword

As the twenty-first century dawns, we see continuing rapid changes occurring throughout the world economy. Many nations are transitioning from industrial-based to information-based organizations. The increasing dependence on information technology, coupled with globalization, has made corporate assets more vulnerable to threats from more places than ever before.

A global and technologically connected marketplace presents a different paradigm for the corporate security professional from that encountered just a decade ago. Traditional corporate security programs were concerned with the protection of facilities, equipment, and people by physical security means. From fences to guards and badges, standard security tools were used to ensure that physical assets were protected and kept on company property. Theft of product, property, and tools was the major concern of corporate security managers.

Today, however, safeguarding corporate assets requires a state-of-the-art asset protection program focused on the information systems that have become critical corporate infrastructure. Such a program must be flexible and adaptable to evolving corporate needs. It also must be cost-effective. A failure to develop potent and efficient security processes can materially weaken corporate competitiveness.

Corporate security professionals have never been faced with so complex a task. They must support ever more rapid business changes at the same time they confront ever more sophisticated attacks against corporate assets. They must learn to defend against netspionage, industrial espionage, corporate espionage, hostile nationals, terrorists, fraudsters, and hackers.

Given the prodigious challenges that today’s security professionals must deal with, this insightful book by Dr. Kovacich and Mr. Halibozek should provide them with a most welcome additional educational resource.

Kent Kresa
Chairman and Chief Executive Officer
Northrop Grumman Corporation


Preface

The intent of this book is to provide a state-of-the-art, holistic approach to corporate assets protection that will be useful to both new and experienced corporate security professionals. Methods, processes, and procedures are provided that can be immediately implemented. We include flowcharts and other practical tools that can be used in a “cut-and-paste” fashion, and then modified to meet the needs of your corporate environment and your position in it. So, although our publishers copyright the book, we wrote it with the intention that you could “legally steal” the charts, checklists, and so forth, and use them as your own—and of course at your own risk.

Our approac
