An Overview Of Corporate Security Policies

According to a survey of facilities professionals conducted last year 77 percent of companies have formal, written security policies, while 52 percent review and/or modify these policies at least once per year. How these policies are developed and who's creating them, however, can vary based on factors such as the size of the company, its core business, and its corporate culture. Corporate re-engineering has had a domino effect on security policy. Security is not a revenue-generating function, so it becomes an area that can be cut. Management functions are combined and companies may no longer have a security director or manager. That function might end up with the facilities director. They have experience with fire-and-life safety systems and HVAC, which are largely code-driven, but they may not be experienced in access control, surveillance, and perimeter protection, which are more 'active' systems in that they're used every day. Thus, depending on the level of in-house expertise, those with a seat at the table when policy is created can come from the facilities department, human resources, legal, information systems, and administration, in addition to industry consultants. A lot of consultants are strong on the engineering, technical side. Others are focused on operations and security management. A lot of firms are combining these to become full-service banks. A lot of customers are interested in knowing what other customers are doing, what new ideas are out there. Industry-wide 40 percent of businesses now use a consultant when developing policy. Different strokes There are a number of other variables at work regarding security policy. Policies and procedures are honed by the culture of the organization they are going to be applied to. In smaller, less structured companies, in terms of formal policies, there may be a cultural change needed when having employees badge in and when companies begin asset tracking. For example in small, start-up software engineering companies, people may have been able to come and go into labs as they wanted. When these small firms departmentalize, this cross-company access might be restricted, perhaps causing some uneasy feelings. Moreover, mergers and acquisitions also can form a rocky marriage in terms of security policy, if one entity's procedures are markedly different from the other's. Not surprisingly, policy review also may differ based on the type of company in question. Larger companies tend to have more review. In organizations where security is with someone who has multiple responsibilities, the policy can become etched in concrete. It could be years before it's reviewed. And when it is, it's in reaction to an incident. Overall policy is reviewed not often enough. It's treated as a distasteful, time-consuming task, even in companies with separate security departments, where staff time often is eaten up by the day-to-day business of providing security and managing outside vendors. It's a good thing to annually review and take stock of where you are, but even more significant is an "as-needed" security review that occurs every time facilities, conditions, or culture changes within a company. We differentiate between policy and procedure, and how and to whom they're articulated within a company. Policy manuals are often distributed to department heads and supervisors. With subordinate employees, higher emphasis is placed on procedures through meetings, posters, and written materials. There's a different level of accountability. Protecting mind and body Forming corporate security is a collective activity, in large part because of the variety of facilities in question. The company operates manufacturing, laboratory, and office facilities, that can require varying approaches to security. Policy is a joint venture that combines 'hardware,' such as surveillance cameras and badges, and 'software,' such as people's behavior and habits. The security strategy is structured around two issues: physical security and information security (i.e., the protection of intellectual property). They're equally important. Physical security revolves around employee badging with picture ID and access control systems, badges for visitors, who must be escorted anywhere in the facility, surveillance cameras, patrols, and training sessions on topics such as workplace violence. Moreover, various departments ranging from administration to human resources, patents, and laboratory facilities, use the company intranet as a communication vehicle to state individual security procedures of importance. There is no cookie-cutter security model, meanwhile, in our increasingly information-oriented workplace, protection of intellectual property has become a huge issue. Employee orientation covers information security, and employees understand this the first week they come to work. Information security can home in on issues that may seem to be minutiae but can compromise competitive position. For instance, we have visitors coming through so we can't have posted proprietary information that's easily discernible. When employees travel, we tell them to be careful with papers, disks, and laptops. With the threat of industrial espionage and the amount of money the company invests in R&D (Research and development) and new products, public discussion of trade secrets is discouraged, particularly on airplanes.