Intertek's Assurance in Action Podcast Network

Sustainable Enterprise and Information Security

September 09, 2021 Intertek Season 4 Episode 11

Total Sustainability. Assured.

Enterprise Security is one of the most talked about and important aspects of running a sustainable business. Organisations today require extensive systems and measures to maintain the protection of the safety and security of people, critical assets and intellectual property of operations. Businesses globally receive threats to their enterprise integrity every day which may interrupt operations and put employees and the business itself at risk.

Intertek’s new Corporate Sustainability Enterprise Security certification standard offers assurance that your organisation is managing and controlling intellectual property assets and cyber risk in a sustainable manner. In this episode of Total Sustainability in Progress, Charlie Clark, Program Manager for Risk and Information Security, Americas, discusses the steps and blind spots to be considered by organisations when assessing information security, data protection, privacy, and physical asset protection.

Transcript

Speaker 1:

Hello, welcome to Total Sustainability in Progress. This is the podcast for organizations committed to a more sustainable future, put on by Intertek. Today our topic will be sustainability and enterprise security with our guest, Charlie Clark, who is the Program Manager for Information Technology, Data Security, Risk, and Custom Solutions Services for Intertek Business Assurance Group in the Americas. Charlie, how are you doing today?

Speaker 2:

I'm doing fantastic, Seth, and thank you for asking me to join this. I think it's a great topic.

Speaker 1:

For sure. So, to kick it off, let's talk about you. So what is your experience in the industry, and what do you do with that at Intertek?

Speaker 2:

Well, I have a few areas of responsibility, so it always keeps it fresh and exciting. I've been in the certification body world for almost 20 years, the last five of those with Intertek, and I come out of industry, where I have a broad and vast array of business experiences, to include telecommunications, manufacturing, automotive, medical devices, et cetera. And in many of those I was responsible for data and connectivity with customers for special projects and some of the networking and infrastructure components within those roles.

Speaker 1:

Great. So, to get in: how does enterprise security affect an organization's sustainability?

Speaker 2:

Well, you know, sustainability is still a relatively new term, but I think the market, and certainly the globe, is awakening to the importance of sustainability from a perspective of enterprise security. Let's talk about what components, or what best practices, a sustainable enterprise security system would include. For example, a sustainable organization would understand the importance of the effective management of intellectual property assets and the impact it has on their business. Or, as another example, a sustainable organization has a responsibility to ensure that personal data for their employees is protected, and that their business is a steward of that personal data, so they're taking appropriate measures to protect personally identifiable information. A couple more examples: perhaps a sustainable organization is in a continual state of preparedness for effective response to incidents. In the event of an incident, communications with key stakeholders would take place for the organization's ability to effectively manage a security incident within the business. Another example: employees are a key partner in helping a business to ensure they remain protected from cyber threats. In order for that partnership to be effective, employees need training, retraining and visual reminders of cybersecurity risks and how their responsibilities can help protect the business. As well, a sustainable enterprise security organization has processes in place that identify high-value assets within the facility, those that are critical to its business operations. These assets are identified and managed via additional control programs to ensure their continual availability and protection to support this sustainable, ongoing business organization.

There are so many more I can talk about, but let me just end with this one: a sustainable enterprise security organization looks beyond its own direct activities to take a leadership role in ensuring security throughout its entire supply chain. Risk assessment activities are included, and it demonstrates leadership in supporting and communicating sustainability and data security plans, both upstream and downstream within the business partnership. So I feel like I might just keep going and going, but is that addressing your question?

Speaker 1:

For sure. For sure. So with that in mind, how can an organization improve its enterprise security, maybe using some of the examples that you were talking about?

Speaker 2:

Well, sure. Yeah, that's a great question. So I think the way one would do that, in the best practical sense, is using the very familiar Plan-Do-Check-Act. So: planning the business and planning for sustainability around enterprise security; you implement your controls; and then you periodically check, reassess, reconsider where the organization is; and then take actions to improve and perpetuate the improvement cycle. So in practical terms, let me answer your question. So, improving the enterprise security, I think a great place to start is in evaluating risks and opportunities, and mitigating those risks and enhancing those opportunities, taking a look to see where there are threats to the business. And these threats to be considered in a sustainable organization around enterprise security are not always limited to only digital threats; they can be tangible threats, for example documentation or access to a facility, et cetera. So sustainable organizations understand the need around authorized access for electronic data as well as physical premises. And there are controls that are in place and can be enhanced to prevent and mitigate those kinds of risks. So we've all probably seen the swipe card access to get into a door. A great example of that is what we call tailgating: somebody swipes the card and the person behind them wants to walk in behind them. So a mitigation of that risk would be the one-entry-per-swipe rule. So that part of your protecting the facility is making sure that door closes behind you and that the next person actually swipes in, to ensure they have authorization. Another example would be policies and processes that are in place, and the review and updating of those policies and processes from time to time. And then again, back to the risks: those risks need to be tested.

Oftentimes enterprise security requires the testing and penetration of vulnerabilities, looking to see how those tests fare against what we expected the outcomes to be. And again, back to the idea of mitigation and correction: taking action when the responses were not what we had hoped or desired, and addressing and improving the types of security, both network infrastructure as well as physical assets. Lastly, improvement is always about the business. The goal of the business, in a sustainable view, is having a well-defined response plan in the event of an incident, whether that be a breach, whether that be a near miss, whether that be a problem or a weakness that is identified, taking the actions to create a more robust, well-defined and communicated business plan.

Speaker 1:

So which industries are most at risk with regards to enterprise security?

Speaker 2:

That's a great question, Seth. So, you know, when we think about risks, particularly in this world of networking and globalization, I almost have to tease a little bit: perhaps it'd be easier to mention companies that wouldn't have risk when it comes to enterprise security. And I might throw out a paper-based system, or a single-person garage-based company using a computer that isn't networked to anything, or, you know, I think you get the point I'm trying to make. In today's world, you know, our cell technology, our networking, our IT infrastructure, everything is so connected. Our connectedness really is not limited to any one industry or purview. It really transcends any and all industries. I think perhaps the way to look at this in terms of risk, or most at risk, I guess we'd have to say the value proposition, looking at the service, the industry, the entity, the product, the service, the end result that's being provided. So if we talk about value proposition, I think of banking, or I think of personal information or personal need in terms of perhaps law firms or educational institutions, or anything to do with finance, anything to do with commerce. You know, business today is so reliant; there's a myriad of digital devices and technologies, and without these tools our businesses would grind to a halt. So I think, in summary, the sustainable organization understands and mitigates risks, threats, vulnerabilities, and enhances and improves within the digital age of technology, devices and media. It really isn't limited to just one industry or group, and I'm sorry to keep going on and on, but it's important for that highlight and that emphasis.

Speaker 1:

For sure. So Intertek launched a whole series of sustainability standards recently, one of which is the enterprise security standard. So how does that standard relate to other accredited IT security and continuity standards, for example?

Speaker 2:

Well, I'll tell you, that's a great question again, and I think the way to address or answer that is to say that, you know, back in the early two thousands, I think the internet, or the World Wide Web as a new entity, was kind of like the Wild West. And I was privileged to kind of watch the emergence of this in the early nineties and two thousands. And what's happened is, in the absence and in the vacuum, there have been so many derivative groups and control organizations within industries around networking and commerce and information. I'll use an example: back in that timeframe that I'm describing, when things were new, electronic data interchange was taking place. And that was big within the automotive industry, and it was used for communicating schedules and forecasts for needs of products, as well as advanced shipping notices and evidence that product was on its way to someone's shipping dock. All that to say, here we are now approaching 2020, and we have almost an alphabet soup out there of acronyms and requirements and standards. And let me just go through a couple to address your question, because your question's a great one: how did Intertek derive what our sustainability program is drawing upon? So we drew on many inputs from accredited and unaccredited industry best practices, and I'll go through some of them. Some of them are ISO-based, International Standards Organization based, and I'll give you some examples there. So, 27001, which is information security, ties right into enterprise security. Along that line, there are others like 27035, and that's a standard around security incident management. There's also a sister standard to that, 27036, which is securing supplier relationships. ISO 28000 is supplier security system requirements. 29100, another ISO standard, is information technology, security techniques and privacy framework.

So those are international and accredited standards. Let's talk about some other best practices, just so you can see the breadth of what we've considered for our development. One is the Center for Internet Security critical security controls for effective cyber security; a great resource there. Another is COBIT 5. Now, maybe not all of our listeners are going to know some of these terms, so let me give you a little more backdrop here. COBIT 5 is the only business framework for the governance and management of enterprise IT. Now COBIT, many people may not know, COBIT was originally derived as an acronym from Control Objectives for Information and Related Technology. So we've shortened that; it's now just COBIT, but it originally had a much longer reference of where that term came from. Another example, from the Center for Internet Security: CSC 4, and the CSC series stands for the critical security controls. So CSC 4 is continuous vulnerability assessment and remediation. We've also considered CSCs 1 and 17. One is the inventory of authorized and unauthorized devices, as well as CSC, or critical security control, 17, which is security skills assessment and appropriate training to fill gaps. We have a couple of IEC standards and a NIST standard. Let me start with that one. NIST SP 800-53 is a standard used by federal agencies to implement FISMA, and FISMA stands for Federal Information Security Management Act; it's a management tool, and other programs fit into that to protect information and promote information security. And then the IEC standards I mentioned, I'll end here. There's a couple of them. The first one is part 2-1 under IEC 62443, and that's industrial communication networks. Part 2-1 is establishing an industrial automation and control system security program. And then we have 62443-3-3, which is part 3.

And again, same intro here, industrial communication networks, and its focus here is on network and system security requirements and security levels. So when I mentioned that there were a lot of governance and requirement references out there, the list could go on and on and on, and the speed of improvement and new technology means that there are more and more offerings and automation coming just about every week. So we've gone through them all and derived what we thought were the best practices, and that's really what informs and brings us to our sustainability offering, enterprise security. I hope I answered your question, sir.

Speaker 1:

For sure. There does appear to be quite a laundry list, so there's a lot of breadth in the offering here. Thank you, Charlie, for your time.

Speaker 2:

Well, it's been my pleasure. It's always a pleasure to talk about the good things we're doing here at Intertek. Thanks.

Speaker 1:

So, for sure. And thank you for listening to Total Sustainability in Progress. If you would like to learn more about Intertek sustainability, please visit us at intertek.com/sustainability, and also please feel free to follow us on our social media channels on LinkedIn and Twitter, as well as Intertek's channels on Facebook and YouTube and any others. Also, please subscribe, any subscription helps, and rate us when you can. Thanks.