Case Study

Harland Clarke Rechecks Risk Management

New security program adds more systematic processes for evaluating, prioritizing and mitigating risk

By Mary Brandel

Page 2

To reflect security's new central role in the business, the company also changed its organizational chart. Previously, security was a decentralized function governed by the CIO and the plant managers. Now, as CISO, Petrie reports not to the CIO but to the company's chief security officer, who also owns physical security and incident management. The CSO, Pat Patterson, a former FBI special agent in charge, reports to the senior vice president of administrative services (as do human resources, general counsel, the compliance officer, the privacy officer, partner support and partner reporting), who in turn reports to the executive management team.

And to make security more of a business function, it was also important, Petrie says, to develop a program that was made up of repeatable, auditable and measurable processes. To that end, Harland Clarke chose a standard—ISO 17799/27001—that would serve as a baseline for developing its security controls and budgets. The standard stipulates 10 domains that define best practices for several areas, including business continuity planning; system access control; system development and maintenance; physical and environmental security; compliance; personnel security; security organization; computer and operations management; asset classification and control; and security policies. Each of these domains is also connected by governance guidelines such as Cobit, as well as financial industry guidelines proposed by the Federal Financial Institutions Examination Council.

Business Focus

Next up was linking security spending and risk management decisions with business goals. To do this, Harland Clarke had to establish some new processes for identifying threats, understanding vulnerabilities and determining which risks it was willing to accept and which it needed to mitigate.

One of these processes is its annual business impact analysis, a three-month-long endeavor conducted by a third-party provider (which Petrie declines to identify) that reviews the company's risk management processes and identifies vulnerabilities or threats to the company's existing controls as they pertain to the goals of the company's five-year operating plan.

For instance, in its contact center, the analysis might look at the controls that ensure call center employees know when calls are being recorded and the controls that protect those recordings from a regulatory perspective and ensure those controls don't negatively impact call answer and handling time. Or it might review the controls surrounding the development of new marketing campaigns. "Because we're getting consumer information, we need to look at how to protect that, and once controls are in place, how that would affect the flow of the marketing campaign, which in turn will determine acceptable risk levels," Petrie says.
