The Manager's Handbook for Business Security

The Manager’s Handbook for Business Security is designed for new or current security managers who want build or enhance their business security programs. This book is not an exhaustive textbook on the fundamentals of security; rather, it is a series of short, focused subjects that inspire the reader to lead and develop more effective security programs.

Chapters are organized by topic so readers can easily—and quickly—find the information they need in concise, actionable, and practical terms. This book challenges readers to critically evaluate their programs and better engage their business leaders. It covers everything from risk assessment and mitigation to strategic security planning, information security, physical security and first response, business conduct, business resiliency, security measures and metrics, and much more.

The Manager’s Handbook for Business Security is a part of Elsevier’s Security Executive Council Risk Management Portfolio, a collection of real world solutions and "how-to" guidelines that equip executives, practitioners, and educators with proven information for successful security and risk management programs.

• Chapters are organized by short, focused topics for easy reference
• Provides actionable ideas that experienced security executives and practitioners have shown will add value to the business and make the manager a more effective leader
• Takes a strategic approach to managing the security program, including marketing the program to senior business leadership and aligning security with business objectives

New security managers, current security managers who are in transition from public to private or one corporate profile to another, and business executives with an interest in or responsibility for corporate security

Acknowledgments

Introduction

Our Vision for the Value of This Publication

1. Understanding the Business of Security

Introduction

The Security Program Review

Build the Business Case for Crafting a Measurably Effective Security Program

Highlights for Follow-Up

2. Security Leadership: Establishing Yourself and Moving the Program Forward

Introduction

Leadership Competencies

Keys to Organizational Influence and Impact

The Next Generation Security Leader

Highlights for Follow-Up

3. Risk Assessment and Mitigation

Introduction

Assessing Viable Threats

Vulnerability Assessment

Board-Level Risk and Security Program Response Research

A Risk Quantification Process

A Risk Management-Based Concept of Operations

Highlights for Follow-Up

4. Strategic Security Planning

Introduction

Strategic Security Program Focus

Eight Key Strategic Issues

The Security Planning and Program Development Process

Business Alignment and Demonstrating Security’s Value

Highlights for Follow-Up

5. Marketing the Security Program to the Business

Introduction

The Essentials

A Marketing Strategy

Brand Recognition

The Mission Statement

Policies and Business Practices

Applying Standard Security Practices to Business Objectives

Highlights for Follow-Up

6. Organizational Models

Introduction

Baseline Elements

Program Characteristics

What Organizational Model Works Best in Your Company

Alternative Organizational Models

Consolidated Service Model

Seriously Explore the Potential Advantages of a Security Committee

Unified Risk Oversight

Access Is the Fundamental Essential

Highlights for Follow-Up

7. Regulations, Guidelines, and Standards

Introduction

Typical Regulatory Elements

How Many Security Regulations Apply to Your Company?

The Legislation, Regulations, Voluntary Compliance, and Standards (LRVCS) Breakdown

The Security Professional’s Role

The Implications of Noncompliance

Highlights for Follow-Up

8. Information Security

Introduction

Critical Importance of Information Security

Core Information Assurance Requirements

Information Has Value

Information Moves at Warp Speed

Key Assessment: What Is the State of Control?

Organizing the Information Security Program

Information Security Infrastructure and Architecture

Day-to-Day Operational Security

Cyber Incident Response Planning

Highlights for Follow-Up

9. Physical Security and First Response

Introduction

Your Objective: An Integrated Solution

Physical Security at a Glance

Alignment with the Threat

Security Operations

The Quality of First Response

All Space Is Not Created Equal

Physical Security as a Force Multiplier

Equipment Removal and Value of Risk Assessments

Security Riding on the Corporate Network

A Note on Convergence

Highlights for Follow-Up

10. Security Training and Education

Introduction

Objectives of Security-Related Training and Education

Training Options

In-House Training

Certificate Programs

Academic Programs

Development Plan

Contractors and Vendors

Training Business Units in Security-Related Responsibilities

Tracking Training Administration

Highlights for Follow-Up

11. Communication and Awareness Programs

Introduction

Strategies

Tactics

Security Awareness Approaches

Tailoring the Message

Highlights for Follow-Up

12. Safe and Secure Workplaces

Introduction

Predictability of Risk

The Policy Framework

Workplace Violence Policy

Protecting Key Executives and Key Individuals

Highlights for Follow-Up

13. Business Conduct

Introduction

Know Your Adversary

Corporate Hygiene

Learning from Business Conduct Cases

High-Level Policy or Guideline Statement

Checklist for Conduct of Internal Misconduct Investigations

Highlights for Follow-Up

14. Business Resiliency

Introduction

Your Focus

High-Level Policy or Guideline Statement

Track Business Continuity Readiness

NFPA Standard 1600

National Response Framework

Regulatory Requirements

Highlights for Follow-Up

15. Securing Your Supply Chain

Introduction

An Example of the Elements of Supply Chain Risk Oversight: Customs Trade Partnership Against Terrorism, Shipment Guard (C-TPAT) Security Criteria for Importers

A Focus on Supply Chain Security Has Multiple Benefits

Highlights for Follow-Up

16. Security Measures and Metrics

Introduction

What Are Measures and What Are Metrics?

What Are the Key Objectives for Our Metrics?

Why Measure? What Are the Benefits of Measures and Metrics?

Roles and Responsibilities

It’s about Communication and Risk Management

Where Do I Find the Data for My Measures and Metrics?

Business Alignment—Demonstrating Value to Management

Pitfalls to Avoid

Five Metrics You Might Consider

Conclusion

Highlights for Follow-Up

17. Continuous Learning: Addressing Risk with After-Action Reviews

Introduction

After-Action Review (AAR) and Incident Post-Mortem

Know Your Audience

Outline for the Incident Post-Mortem Management Plan and Briefing

Highlight for Follow-Up

Appendix A. Risk Review Elements

Business Risk Environment

Policy Framework

Threats

Location Risk

General Data

Business Continuity Incidents

Internal Risk

Information Security

Hazardous/Dangerous Material Issues

Base Building Risks

Owned Properties

Contractors

Background Investigation

Data Management

Business Continuity Planning

Emergency and Crisis Management

Security Awareness

Appendix B. Security Devices, Equipment, and Installation Labor Costs

Appendix C. Request for Proposals for Contract Security Services at [Specific Company Location(s)]

Introduction

Instructions to Bidders

Proposal Contents

Selection Criteria

General Conditions of the RFP

RFP Timeline

Appendix D. Workplace Violence Incident Response Guideline

Introduction

Workplace Violence Prevention Program Template

Some Critical Elements to Consider In Determining Dangerousness

Appendix E. Code of Business Conduct and Ethics Template

Company Assets

Compliance with Laws and Regulations

Confidential Information

Conflict of Interest

Dealing with Public Officials

Environmental Protection

Equal Employment Opportunity

Financial Records

Gifts, Gratuities, Favors: Giving and Receiving

Insider Trading

Intellectual Property Rights

Political Contributions

Workplace Safety

Reporting Violations and Policy Enforcement

Certification

Appendix F. Corporate Incident Reporting and Response Plan

Planning Philosophy

Corporate Emergency Plan

Corporate Emergency Response Team

Appendix G. Considering the Essentials: Questions for People and Program Development

Focus

A Suggested Approach

About the Contributing Editor

About Elsevier’s Security Executive Council Risk Management Portfolio

Index