Case Study
Harland Clarke Rechecks Risk Management
New security program adds more systematic processes for evaluating, prioritizing and mitigating risk
By Mary Brandel
Risk Management in Action
With the security processes and risk matrix in place, Petrie's group has all the tools it needs to make security investment decisions as they arise throughout the year. For instance, it recently discovered through its monthly vulnerability scans and spot checks of its image recordings that one of its VHS-based security recording systems was malfunctioning, affecting 20 to 30 cameras that were attached to it.
One option was to upgrade the entire system to digital; another was to switch out some systems from other locations, as the age of the system made it impossible to find an exact replacement. A controls review indicated that from a cost/benefit standpoint, it made better sense to spend the capital on a replacement digital system, especially because this would enable several locations in the future to be connected over the Internet to a single operations center. Costs were estimated in the millions of dollars.
The group submitted its results to the executive management team, which agreed that the VHS system posed an unacceptable risk based on the current business model and that replacing it with a digital system would mitigate that risk, both from a quality and a security perspective.
The entire process took about four months, from approaching the executive management team to implementing the first camera replacements. Although going digital represented a 20 percent to 30 percent increase in initial one-time costs over analog VHS, cost savings included physical storage cost reductions and a 20 percent reduction in maintenance costs year over year. It also helped that the camera system was used to monitor the company's quality processes as part of the technical controls portion of the production process, which do have an ROI and an impact on the bottom line.
In a second instance, a Verizon scan revealed vulnerabilities in a production facility: operating systems on its manufacturing line equipment that were not patched adequately. Several months earlier, Harland Clarke had been aware that patches were being offered by the software manufacturer but had made the decision not to implement them because of the possibility of causing a system outage or other negative impact on performance.
Now, however, the scan was reporting that an existing worm had been modified in a way that heightened the risk. This caused the group to revisit its previous decision by running some penetration tests over a 30-day period to determine residual risk and calculate the cost of mitigating the problem. In parallel, it presented the new finding to the executive management team.



