Ang Kalasag_June 2013_Rev1Final.pdf


    June 2013

    Volume 2 Issue 4

    Official Publication of

    Ang

    What's Up This Month?

    President's Corner

    From the Editor's Desk

    Business Security Essentials

    Securing Business Establishments and Projects Amidst Terrorist Threats

    Swiping Security

    Facets of Security in a BPO

    Securing Peace and Order in a Central Business District

    Five years ago, more than half of the world's population was living in towns and cities. It is expected that by 2030, this number will exceed to almost 5 billion. Africa and Asia will then be the center of this urban expansion. Cities like Makati will then have the perception of more intense economic vitality, access to necessities and services, and better chances for more democracy.

    Furthermore, urbanization is a transformative process, tantamount to modernization and progress. As nations urbanize, they become more complex, more advanced and more flourishing, yet the lives of hundreds of millions of its citizenry could be victims of crime, poverty and insecurity. The poorest of the poor, when unattended to could be denied of the benefits of the rights to the city.

    Last May 20 and 21, I represented the Mayor of Makati City, Hon. Jejomar Erwin Jun Binay to the International Forum of Mayors on Crime Prevention and Security in Urban Settings held in Turin, Italy. This conference of highly urbanized and advanced cities in the world was sponsored by the United Nations Interregional Crime and Justice Research Institute (UNICRI), with the United Nations Human Settlements Programme (UN-Habitat) and the Municipality of Turin, Italy.

    I showcased Makati as a city notable for its exceptionally multicultural lifestyle, as a significant center for intercontinental matters and for its reputation as a major entertainment center in the metropolis - also known for its cosmopolitan culture because of its major shopping centers, condominiums, financial hubs, hotels, and entertainment hubs. The audience was elated that by all rights a techno-city, Makati is the most preferred location of investors. Likewise presented are some of our many undisputed awards from both local government and international organizations.

    The audience gave their favorable nods as the slides about the impact of computerization proved to be really significant for the city government and the transacting public, reducing long queues, decreasing processing time, and a faster, more efficient service. Our initiative to make Makati City the country's first WIFI City was highlighted as well, having initially established City Government Website and the Makati Traffic Twitter Account to provide real-time traffic information and updates. Our use of CCTV in monitoring traffic and crime in the city being connected to the Command, Control and Communications Center at the City Hall is well applauded.

    The highlight of our best practices on peace and order focused on our program and belief that a strong and effective police force needs to be supported so that they deliver the services that are due to the citizenry, businesses and visitors. The delegates very well noted that our police force enjoys multiple benefits on top of their remuneration and compensation from the Philippine National Police. Our equipment and police stations are among the best in the country and at par with first world nations. As a result, we are likewise proud to have presented to have very low crime rate, one of the lowest in the country actually. Our Crime Solution Efficiency is one of the highest as well. Our police program to deter criminality such as random checks, bank to bank visits, barangay level immersion of police force and police visibility and patrols received approval from the audience. Our Barangay Tanod, Makati Department of Public Safety and the Peace and Order Council are well recognized as well. Our police precincts, strategic distribution, division and accessibility are showcased, too. Likewise presented is the city government's utilization of its own funds to provide logistical needs of our police force and its multipliers.

    Like any other advanced cities around the world, Makati City government's programs for recreational facilities in steering the youth and citizenry away from drugs and other vices as well as well-lighted public structures and facilities are well noted by the participants. The presentation ended with cheers and applause. Kindly refer to the appendices for the copy of the detailed presentation.

    The Forum was attended by local authorities, international experts, private sector and non-governmental organizations. There was a very high expectation on the presentation of the best practices of Makati City probably because Makati City was among those invited developed and highly developed cities around the world.

    The delegates deeply studied the concern of security and crime prevention in cities during the plenary sessions and workshops. It concentrated on addressing the intricate and dynamic features of urban safety and security through the rule of law, the diminution of vulnerabilities and the founding of successful public-private partnerships (PPP) by supporting the sharing and transfer of best practices between cities, and the creation of new programs addressing the lessons learned identified in the presentations and sessions.

    It was discussed in the plenary sessions that governments are easily plagued by the trend and LGUs are often caught flat-footed to manage the immense influx of people from the rural areas. If mismanaged, this phenomenon of great migration may affect the solidity and security of developing and even those of developed cities where lack of sufficient job, social stigmatization and marginalization might provide the right conditions for social conflicts and criminal activity.

    Presenters and delegates discussed that crime and violence hamper urban economic growth and potentially weaken local governments. These hurdles impact the undermining efforts to promote sustainable development and to reduce if not eradicate poverty. The most vulnerable, such as women, young people and the elderly and marginalized groups will be greatly impacted by this violent cycle.

    Likewise, it was learned that the need for understanding and proficiency to competently handle the concerns on security in urban settings is vast. Fortunately, there are a mixture of experiences and results that have been achieved by local authorities and their citizens. The best practices shared by Makati City delegation was applauded and cheered by the delegates due to the paramount best practices that the City of Makati has established over the years. In this manner, these programs need to be continued in such a way that the ever changing and challenging setting of Makati City will be best addressed, managed and realized.

    The International Forum of Mayors on Crime Prevention and Security in Urban Settings was an opportunity for Makati City to learn, benchmark, share information, exchange knowledge and best practices, experience and results realized in the execution of policies in managing the issue of security and crime in urban settings.

    As a standard, the Makati City's efforts and programs were greatly praised by the co-delegates and participants. In Makati City, like any other cities around the world, the challenge to reduce vulnerabilities, inequalities and injustice to address the complex and changing dynamics of security and crime prevention is always present and should be of utmost concern. We have programs and projects aimed at these concerns. Like the advanced cities, we simply need to maintain and continue developing and improving these already established programs.

    The success of an ideal urban living where peace and order, equality and the rule of law are enjoyed by everyone is not far-fetched, it could be realized. The key is in our hands. We simply need to find it, drive it and the door towards a highly-developed and sustainable urban setting will open up. Makati City is a living example of this experience. We were able to showcase this fact during the forum and the world has seen it. Let us continue the legacy of being the premier city in the Philippines.

    Makati City, A techno City: Gen. Jovie Gutierrez presents the technological programs on security of Makati.


    An officer of a mall approached me, seemingly knowing that I am from PSIS. "Sir, aren't you an officer of PSIS?" he asked. "Yes I am," I replied. "Sir, I passed the CSP Review Program recently, and I was wondering what really its advantages are for me?" he added. "The PSIS is the only institution in the Philippines who professionalizes security practitioners. The CSP Review Program is your ticket to the vast emergent world of the industry of security. It enhances your ability to be a professional security manager or a management security specialist," I hurriedly replied.

    Having that conversation in mind, I asked myself, "How can a security officer who passed the CSP Review Program, becomes a CSP, and not even knowing the essence of the program and the benefits that go beyond it?" As for me, arming security practitioners with vast knowledge and skills to gain a broad view to security industry and pursue educational and professional development is the real meaning of being a Certified Security Professional.

    Certified Security Professionals having been quantified and qualified are people equipped with knowledge in security and reinforced themselves with most relative skills and tend not to end the capacity of the mind to a more innovative knowledge in security to become more than a CSP.

    Considering these options, a CSP equipped and outfitted with knowledge and skills, may pursue a higher level of professionalism like being a Certified Security Trainer (CST). For example, the Certified Protection Professional (CPP), Professional Certified Investigator (PCI) and Physical Security Professional (PSP) of ASIS International, are likewise higher steps of the ladder of security industry and these could make one competitive around the world.

    Becoming a security professional does not stop from being a CSP as the horizon behind the sky has a lot of stars ready to be explored. A Certified Security Professional (CSP) may be the start now, and subsequently, tomorrow offers more opportunities beyond CSP. Let's keep stepping up!

    Hello folks!

    Businesses are our security because security is our business. Nope, not your typical tongue twister challenge. But in a simpler vernacular, we security professionals, practitioners and providers need these business establishments requiring our security services as it is because of them that we stay in the business as well.

    This month, let's focus on the biggest chunk of the industry that requires our expertise, the business establishments. First, let's take a look at the challenges of securing industries that are at high risk of terrorist threats as Col. Fred Soriano, CSP talks on this agenda. Then let's take a look at the fastest growing industry's challenge, the Business Process Outsourcing or more popularly known as call centers. Here, Dir. Ed Parocha, CSP, a former BPO and banking security executive, will introduce to us the world of securing the virtual credit card information and data. Let's swipe it Sir Ed!

    Then, let's all fly to Europe, where Dir. Jovie Gutierrez, CSP, proudly represented the Mayor of Makati City, the country's premier Central Business District to the International Forum of Mayors on Crime Prevention and Security in Urban Settings held in Turin, Italy. This conference of highly urbanized and advanced cities in the world was sponsored by the United Nations Interregional Crime and Justice Research Institute (UNICRI), with the United Nations Human Settlements Programme (UN-Habitat) and the Municipality of Turin, Italy.

    Meanwhile, back in the Philippines, Dir. Ed Balmaceda, CSP, a security consultant of one of the country's leading BPO, will discuss the many facets of this industry. He'll focus not just on the mainstream physical and personnel security but will dig deeper into the information security management as well. "Securing business establishments remain the most commonly served discipline of the security industry," says our colleague and regular contributor Alvin Matabang, CSP as he shares his insights on the essentials of business security.

    The newest PSIS director and likewise a security book author, Dir. Jun Dela Cruz, CSP will introduce to us a new vocabulary in the security parlance, Secuprenurial Concept. He says that this is the new trend in security management. Wondering what that is? Well, have a good read ahead. - Jeremy Astrero, CSP, Editor-in-Chief

    It has been a challenge for security professional to adapt in the very fragile business environment of today amidst fierce competition and economic headwinds.

    In the article published by Natalie Runyon, entitled "Skills for a Successful Executive in the Business of Security", the author outlines the biggest skill gaps in the security industry from the area of business insight, strategic capabilities and entrepreneurial mindset. The first gap refers to demonstrating security's values in key financial terms; the second gap pertains to the ability to clearly communicate how security contributes to the business mission and serves the company's clients while the third gap underscores the ability to drive creativity, innovation and accountability.

    I find this article worth of sharing to everyone as it is responsive to the changing business landscape amidst threats on economic recession due to continuing weakening of the currencies in some parts of the globe, armed conflicts and high rates of unemployment. It is the hope of every business owner that the security officer in their fold should not be a thing of the past where they know the traditional safeguarding management system.

    "If security is in the business of protecting assets, then our efforts to do so increase the value of the assets on the left-hand side of the equation," Runyon added. The need to develop secureprenurial mindset is essential to every security officer where plans are based on in-depth understanding of the business of the organization, plans are carefully developed according to the needs and financial soundness of the company and security processes are flexible to the changing business environment and economic challenges. The applicability of these thoughts is wider and encompassing from the security service provider/outfit/vendor or to the most popularly known security agency up to the level of corporate security director down to the first-line security supervisor.

    The challenge is clear; the security officer of today's generation should be equipped with correct mindset that security is an essential cost of doing business and partner in economic development therefore it is necessary that security programs are based on prudent assessment of the requirements and capacity to invest of the organization. Gone are the days that security is considered to be a small support unit of the administration department and continues to be the cost center functional unit and regarded to be an investment towards future profit rather than a necessary expense.

    Having understood and having been given that security management is here to stay, one question lingers

    Is Security as a Profession?

    No amount of skills training and technical exposures in security can supersede the desire and willingness of the heart to perform the tasks to protect lives and property. This is where passion and commitment are demonstrated.

    In the argument whether security is a profession, my answer is in affirmative. This is not only an occupation to derive economic advantage but also a career that provides an equitable opportunity. Here are some of the many criteria that define that a particular respectable occupation can be regarded as a profession:

    Income. The post 9-11 (World Trade Center in the US) era opens a great opportunity for security practitioner, many organizations have realized that security is an essential cost of doing business. This development translated to an increase in the demand of security professionals with justifiable remuneration. If you look at the salary survey in different job search engines, you will find that security career leveled off with other profession within the same rank, position and job description as far as income is concerned.

    Competence. Security requires qualified personnel to carry out desired results and demands extensive trainings and specialized study given the fragile business environment. This demonstrates the achievement of Knowledge, Skills and the right Attitude (K.S.A.) to perform the given tasks.

    Institutional Training. Roll-out of skills training, practical experiences and continuous upgrading of skills are necessary attributes to exercise profession. Security in our country is regulated with training curriculums by both PNP-SOSIA and TESDA, respectively.

    Career. This is a full-time commitment because of the criticality of the responsibility which defines a profitable and a non-profitable business organization which directly translates to achieving high status, prestige and rewards as well.

    Mobility. This is directly correlated to career development which states that the skill, knowledge and authority belongs to the professional itself not to the organization he is employed with which open an opportunity to professional to move from one organization to another due to attributed talents.

    Licensing. Security is regulated by a national law and supervised by a national policing body. License to exercise profession is a mandatory requirement for those who would wish to conduct security functions including the mandated curriculum for training. Security license reflect the legitimacy of the profession.

    Ethical Standards. Security profession is provided with Code of Professional Conduct and Ethics which defines the acceptable behaviour in the actual performance of security functions and provides disciplinary procedures for those who infringe the rules.

    Professional Association. Local and international security organizations have been developed for professional advancement such as the American Society for Industrial Security (ASIS International), Philippine Society for Industrial Security (PSIS), Philippine Association of Detective and Protective Agency Operators, Inc. (PADPAO) among others.

    Autonomy. This refers to the work autonomy or controlling and or dominating a particular situation particularly in enforcing physical access procedures. It also relates to the control of a professional's own theoretical knowledge.

    Self-Regulation. Security tends to operate independently but complementary with the regulating agency. The biggest challenge for security is to gain representation to congress in order to be recognized as an industry not merely a sector as part of social and other community development services.

    (Excerpts from the author's book A Textbook on Security & Safety Management, 2nd Edition)

    NEXT MONTH ON Ang Kalasag

    Every July is the Philippines' National Disaster Consciousness Month so I enjoin everyone to contribute for our July issue, focusing on Disaster Recovery, Crisis Management, Business Continuity, Calamities, business disruptions and the likes. Of course, our usual security-related topics are always welcome.


    The typical business firm that wins construction projects or mine concessions usually does their business activities in isolated or critical areas which are faced with real time threats from armed groups or terrorists. In order to safeguard their personnel, property and capital, the firm invests in hiring security people (consultants, officers and proprietary or contract guards) and tries to get friendly with the local AFP/PNP/LGU bigwigs. The firm's security personnel then institutes security procedures such as SOPs, Control points etc. which more or less suffices for firms which are not subjected to armed attacks.

    As events in the past have shown, foreign or local business firms engaged in big ticket infrastructure projects or huge mining concessions are prone to attracting threats from terrorists and other armed groups who see these firms as cash cows once they are subjected to extortion. Consequently, some firms have opted to downsize their operations, or terminate their operations and as in the case of foreign firms, leave the country, thus giving the Philippines a bad reputation and depriving the government the business taxes that it can utilize for its projects.

    To be sure, business firms ensure the smooth functioning of their business and do not want to have their operations disrupted, their personnel and properties killed or destroyed and their profits extinguished. To this end, some business firms give in to the extortion in order to preserve their gains which in turn give incentives to the terrorists to continue in their nefarious activities. Other firms however, find it in their interests to defy the terrorists aware that doing so makes their business premises and activities subject to armed attacks sooner than later. Indeed, the spate of attacks against construction firms, (as was the case in the attack in the ongoing Southern Luzon International Airport (SLIA) in Brgy. Alobo, Daraga, Albay on May 2012 where a group of terrorists assaulted the security detachment while the other groups devastated the construction firm's property resulting in damages amounting to P100 Million of burned equipment and facilities) bus companies; mining sites (as exemplified by the terrorist attack on the Platinum Metals Group Corp and Taganito HPAL Corporation in Claver, Surigao del Norte on October 2011) and most recently, Del Monte Company in Bukidnon by local terrorist groups demonstrate the challenge facing business owners especially those in critical, isolated areas who refuse to give in to the extortionate activities of various criminal or terrorist groups operating in the country.

    Predictably, the firms who chose to cooperate are not bothered by the extortionists but their periodic pay offs are increased time and again while the firms who refuse to kowtow to the terrorist demands are subjected to attacks. With the attacks happening sooner than later, it behooves the firms to upgrade their security capabilities as the terrorists cannot afford to just ignore the defiant firms and lose their credibility in the process.

    Consequently, the business owners are in a conundrum in as much as protecting their establishment and business sites involves more than posting security personnel in or around their offices and sites. The typical business establishment or company is usually faced with several options:

    1) Secure the assistance of the AFP/PNP especially if there are security units in their area. Typically, if the operational environment necessitates doing so, the AFP/PNP will provide personnel, (usually CAFGUs or PNP mobile units) establishing a detachment near the business site to provide added security while the business establishment is principally secured by its proprietary or contract guards.

    2) Another option is to create a SPECIAL CAFGU contingent in coordination with the AFP that is composed of the business company's security personnel thus authorizing them to arm themselves with high powered firearms. While this may offer some benefits, adopting this option exposes the company to some repercussions which may prove too much to the management such as:

    a). Arming private security forces with High Powered Fire Arms (HPFAs) leads to an intensification of the disagreements that often arise over mineral extraction in mines or Right of Way problems in road concreting and other infrastructure projects that violate cultural sensitivities among indigenous people. Affected residents will naturally view the security force and the company as a whole as upping the ante in the dispute and will gravitate towards arming themselves or seeking aid from other armed groups.

    b). It paves the way for rash use of force during confrontations between opponents and proponents of the project. Having the company's security force armed with HPFAs makes them more prone to utilizing them when confronted with agitator led project opponents thus projecting the business firm as oppressive.

    c). It will invariably lead to an increase in the number of death or injury grievances by aggrieved local residents and NGOs against the company. Accidental or intentional use of the HPFAs during demonstrations and normal security patrols invariably leads to deaths and injuries.

    d). Company employees particularly its security personnel risk becoming targets of terrorists and other lawless groups. Possession of HPFAs makes the company's personnel attractive to terrorists or other armed groups out to increase their weapon inventory or increase their number of para-military forces eliminated.

    3) Lastly, there is the option of increasing the number of security personnel, equipment and other security precautions which is par for the course in case of big companies but which may mean so much expense on the part of the small companies. Nevertheless, real time threats leave the company with no choice but to upgrade or improve their security capability if only to ensure the protection of their companies' assets.

    For business companies who need to upgrade their security but wish to avoid the aforementioned disadvantages the following steps should therefore be considered:

    a) Improving capability of existing security personnel - Relying on one's security force is almost always the best option provided the security personnel are properly trained and led by competent supervisors and officers. This can be attained by hiring competent security personnel and conducting periodic refresher training courses. Attendance of security seminars, conventions and other activities which updates security personnel about recent security trends and threats will also boost their capability.

    b) Risk transfer of assets - additional expenditures for insuring company assets and security personnel can mitigate whatever destruction inflicted on the company by terrorist attacks. It will also relieve the management of benefits to be extended to security personnel who become casualties in the event of attacks. This is true whether the security personnel is proprietary or by contract.

    (continuation to page 6)

    Having been able to work in a Business Process Outsourcing (BPO) or more popularly known as Call Center, and recently in the banking industry, I have been involved in various projects and programs securing customer and credit card information. Whether it is for marketing purposes, customer relationship management (CRM), or taking orders, the communication between customers and company is routed through a BPO. As establishments more commonly handle their customer communication and business processes through BPOs, it is not surprising that this business sector can see major expansions almost unprecedented. In most cases, BPOs are coming in contact with sensitive customer data which must be protected.

    I would like us, security professionals to focus and not just to look at the more mainstream physical security but I invite you to take a look at the challenges of managing sensitive credit card data or cardholder data in a BPO setting. Payment Card Industry - Data Security Standard (PCI-DSS) says that credit card data is particularly needed to be safe-guarded. This standard applies to and passed on to all companies, areas, systems and persons, that process, store or transmit credit card data and apply not only to digital systems but also to printouts, receipts, etc. as well as physical data storage entities where credit card data are stored.

    With the significant need brought about by growing concerns on credit card fraud and security, the PCI Security Standards Council (PCI SSC) was established. The PCI SSC was founded by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International and, with this backing, it represents almost the whole credit card industry. PCI SSC since then became responsible for the continuous development, improvement, dissemination and implementation of security standards aiming at the protection of credit card data.

    PCI SSC's duties and objectives include making sure the PCI DSS becomes a common basis of the security programs from VISA and MasterCard. A part of it is the prevention of theft and misuse of credit card data.

    Companies handling credit cards then need to undergo a certification process in order for them to be accredited. The certification requirements for companies and service providers like BPOs depend on the amount of processed transactions and on the amount of accepted credit cards in different levels. There are 4 levels for merchants and 3 levels for service providers. The PCI DSS consists of 6 control objectives which are containing 12 requirements with approx. 160 guidelines.

    As the PCI DSS offers a comprehensible guidance on the technical aspect, there must be exceptional considerations on the human side. If all technical settings and configurations are established and realized, it needs only the basic requirements that all established security controls are working well to fulfill the standard. If the technical aspect is carried out properly, it is not going to make any more work than a few hours of control activities per specific period to be compliant.

    The personnel in a BPO are providing more problems when it comes to security concern. Typically, a lot of people are working in a BPO. And if the BPO operates on a 24/7 basis, people are working in 3 or 4 shifts per day. Furthermore, the attrition and turn-over rate of employees is higher than in the average workplace as the working stress is higher. I may say then that the weakest link in the BPO security compliance chain is man itself. In order for BPOs to manage that problem, solutions need to be established. First, there should be policies which are easy and practical to teach and understand, and second, constant and correct security awareness programs as a training for the job before the new employees are deployed.

    Every BPO agent has to attend and pass a security awareness training program as a mandatory education tool. This can be a class room type session or an online education. At the end of the awareness program, a test for understanding must be passed. In all cases, it must be put into record that the employee user has attended the security awareness program successfully. The security awareness training must be conducted regularly. Ideally, the interval between two security awareness programs should not be longer than 1 year and it should begin upon hiring.

    Policies are a two-edged sword for maintaining information security in a BPO. If they are written well, they can be used to educate employees about the company's stand on information security. On the other side, policies provide legal freedom as every employee was informed about his daily duties in information security with all its legal implications. This process requires employees to acknowledge in writing that they have read and understood the company's information security policy.

    Policies must be written in a way that a non-technical person is able to understand the policies and their intention. This means the policies must be written in plain language and must be concise and precise. It is a fact that huge policy books will not be read, not even noticed, by users as they are daunted by the language and the size. It is no problem to boil policies down to a user-friendly wording and size; products which provide direct policies to solve that difficulty are already accessible on the market. Furthermore, the policies should be separated into three categories: for users, for technical administrators and for management. It is obvious that policies for technical administrators are quite dizzying for the average user; the same goes for management-specific policies.

    With a compulsory security awareness program and security policies written for specific target audiences, it should be achievable to cope with the challenges caused by human activities on the way to PCI DSS compliance.

    Objective: Requirement

    Build and Maintain a Secure Network:
        Install and maintain a firewall configuration to protect cardholder data
        Do not use vendor-supplied defaults for system passwords and other security parameters

    Protect Cardholder Data:
        Protect stored cardholder data
        Encrypt transmission of cardholder data across open, public networks

    Maintain a Vulnerability Management Program:
        Use and regularly update anti-virus software
        Develop and maintain secure systems and applications

    Implement Strong Access Control Measures:
        Restrict access to cardholder data by business need-to-know
        Assign a unique ID to each person with computer access
        Restrict physical access to cardholder data

    Regularly Monitor and Test Networks:
        Track and monitor all access to network resources and cardholder data
        Regularly test security systems and processes

    Maintain an Information Security Policy:
        Maintain a policy that addresses information security


    Securing business establishments remains the most commonly served discipline of the security industry. This however remains a challenge for us security professionals. The first step a security professional should take is to understand what the business requirements are. In the past, we've seen how business security is placed as the last priority on every list. It has become the most neglected discipline by many businesses. Fortunately, the dedication of PSIS to change the arena is making great waves. With the efforts of the able directors, our organization continuously educates many security practitioners who turned out to be security professionals that in turn help influence the decision makers of every business institution.

    Nowadays, many business firms consider the importance of security. Often, even small businesses include security in their to-do list as they are more and more becoming a target of bad elements. In these dangerous times, security professionals focus on protecting assets by adding new means of providing security measures. These essentials are as follows:

    Being Vigilant. Every business firm should be watchful and sensitive, not only to its surroundings but to any eventuality that negatively impacts its operations. Added consideration must be made during opening and closing hours as perpetrators will try to take advantage of these distractions. It's always wise to provide security/safety alerts. Placing precautionary measures for eventualities might seem too much, but it is much worse if the events happen because you haven't prepared for them. Remember that the time and the resources you will have to allot if you suffer from any type of security attack will be infinitely more expensive compared to taking precautions in the first place.

    Employing and Deploying CCTV Camera Systems. Aside from the usual posting of static guards, many businesses now utilize the technology of surveillance cameras to help deter criminality, thus protecting assets and preserving lives. Business owners or company management can always have peace of mind knowing that the business, employees and patrons are always protected 24/7.

    Getting Help from Security Service Providers. It's always prudent that a business acquire competitive quotes from various legitimate security service providers licensed by PNP-SOSIA. Security service providers that can provide not only static guards but also other security services, like executive protection, security trainings, personnel security investigation and security surveys, always have the advantage. Make sure the right one for the business is chosen.

    Establishing Business Continuity Management Program (BCM). Eventualities, security breaches or disruptions happen anytime to anyone, whether you are a large enterprise or a small business. A carefully crafted business continuity management system provides the foundation for a proactive approach to keeping your business in business.

    Conducting Security/Safety Audits. Make a rule of conducting security/safety audit within your facility; a highly specialized consultancy may help manage all essential security measures needed to better protect your establishment.

    With all these in place, if you still find setting up and managing your business to be daunting, it's always good to consult a security professional. This might seem like an added expense, but an appropriate security system is an essential part of your business and should not be taken lightly.

    Maintaining a sound physical security measure like physical access control makes up the first line of defense in any other business establishment. On the other hand, in a Business Process Outsourcing (BPO) establishment, the data security and data privacy system, along with physical security, consists of: a) Applying rigorous background checks of personnel, b) Establishing processes making sure that access rights to information resources are well-managed in a timely manner, c) Guaranteeing sound management between the physical access control team and the Information Security Team so that electronic prohibition rules are adhered to, d) Implementing practical but sure-fire technical solutions for data protection, e) Assigning able compliance officers to manage regulatory requirements which need to be complied with for each and every client and conducting audits to measure adherence to standards such as PCI DSS, ISO and HIPAA.

    These programs are administered by the BPO based on customer requirements and moreover because of regulatory frameworks. The basic considerations of most customers are: a) The architecture of the security framework which the BPO should comply with, b) Agreement to a non-disclosure agreement (NDA) and c) Running regular audits of the BPO's security processes. Physical technical controls on the data that are outsourced to the BPO are rare as most of these data are manipulated by the agents in real time within the customer's network, mostly via Virtual Private Network or VPN. Many companies prefer a virtualized environment as a way of controlling the flow of data and the end user desktop environment, while many are also ensuring that agents get to see only a part of the confidential data, like the last four digits of a credit card number.

    These techniques have their pros and cons and furthermore they do not fully prevent flow of data to the BPO, because once the data goes out of the controlled environment of a company there is no way to technically control what the BPO can do with it.

    Given that the fundamental significance of all regulations is that companies can outsource their processes but cannot outsource accountability or responsibility for data security/privacy, it is very important that more effective technical solutions be considered. Although more common in the US, Information Rights Management (IRM) can help to a large extent. IRM ensures that security policies associated with the data travel along with the data wherever it goes and, best of all, important elements such as time-based controls and usage for specific purposes/applications can be built into these policies. This ensures that an organization retains full control of the data even after it is shared with a BPO to be processed either by humans or by applications.

    The data management approach is crucial when it comes to effective data protection in an outsourcing relationship. IRM enables an organization to become more aware of how data should be managed during its life cycle and also provides granular control and visibility on how data is being used by each of its vendors. BPO companies employ data leak protection (DLP) and other data security tools to safeguard customer information, company data and credit card numbers, to name a few. This is a significant step which will help the global shared knowledge economy to prosper even more.

    (cont'd from page 4) Liaising with intelligence community - Nothing beats accurate and timely information especially when an attack on the company site is concerned. A company with minimal security force can still deter terrorist attacks if warned beforehand. Close coordination and excellent networking with local intelligence units is therefore critical to this purpose. Business companies are well advised to coordinate with their AFP/PNP contacts to come up with timely information that may mean the difference between preventing and repelling a terrorist attack.

    d) Developing rapport with local populace - Getting the support of the local residents usually entails a lot of effort and commitment on the part of the company management but it pays in the long run in terms of profitability. Employing locals to work in company projects shows the residents the benefits of having the company operating in the area, whether it be a mining, construction or manufacturing company. Participating in community endeavors and activities will go a long way in projecting the company as a partner of the residents and not as an exploiter of the place. For the security officer, a good rapport with the local residents is a force multiplier providing several potential benefits (e.g. it could serve as an early warning device) or another intelligence network.

    e) Coordination with LGUs - Without a doubt, close coordination with the local executives can result in tremendous benefits to the company as it gives them the legitimacy for staying in the area. Cultivating the Local Chief Executives (LCEs) also gives them (the LCEs) an informal affinity to the company as the terrorists may consider the LCEs to be too chummy with the company personnel and thus subject them to harassment when opportunity is presented.

    f) Awareness of current issues - Implementing Corporate Social Responsibility (CSR). The company's management and security personnel should be aware of the festering issues being exploited by terrorists and militant groups in the area and positive actions undertaken. Issues like environmental degradation, violation of indigenous peoples' rights and traditions etc. should be addressed effectively and definitively so as to prevent alienation of the local residents and executives. Dialogues and environmental preservation activities (tree planting, erosion control, river cleanup etc.) should be religiously participated in or undertaken by the company to preempt whatever potentially explosive issues the militant groups and terrorists can exploit later on.

    Adopting all or part of these activities, a large part of which falls under the company's CSR, will result in improved security. The important thing is for the company management and security officer to assess the threats to their company and adopt the appropriate activities that will boost its security and safeguard its productivity and profitability. Preventing the loss of company assets after all is the primordial task for the security officer; thus it is but beneficial for management and security departments to join hands in safeguarding the company's property and profit.
