White Paper Integrated Enterprise Security

A proactive, cross-functional approach for using security to enhance competitiveness of the enterprise
Executive summary
The multiplicity of security risks to todays businesses and the emergence of increasingly complex threats necessitate an aggressive, integrated organizational approach to security. Nortels Corporate Security team has been at the forefront of a proactive approach to corporate security, demonstrating that integrated security can improve the strategic competitive advantage of the enterprise. This white paper will provide a prescriptive guide to integrated security based on industry-leading practices. > The success of the Internet has not only changed how the world does business, it also has transformed forever the nature of the risks that organizations face. > Converging networks, dependency upon open communications links through the Internet and public networks, shared computing facilities and many other factors have tremendous positive potential while presenting a variety of internal and external security risks. They also have made security a collective responsibility across every organization and the globe. > Converged voice and data communications can become the foundation for an integrated security strategy. Nortels leadership in communications that enable business without boundaries is matched by our industry-leading approach that involves proactively building integrated security across our own organization. We combined essential security process and programs with deployment of the right enabling communications tools to ensure a comprehensive approach to security. > A proactive and integrated approach to securing assets and processes that drive earnings for the business can result in leveraging risk management to be a powerful competitive advantage. Disruptive forces in business have taken on new meaning with the realities of terrorism in all corners of the world, the emergence of eBusiness over the Internet, and the converged, interconnected society in which we live. With this ongoing transformation have come new, more destructive security threats than ever before. Leading enterprises are recognizing the necessity to mitigate risks and secure the enterprise in new, more effective ways. Nortel has been at the forefront of a proactive approach to corporate security, demonstrating that integrated security can improve the strategic competitive advantage of the enterprise. Using Nortels own experiences, this white paper will examine the issues and opportunities for integrated security and provide a prescriptive guide to using security to improve competitive advantage. Contents
Executive summary . . . . . . . . . . . . 1 Identify drivers that pose internal or external opportunities or risks . . . . 3 Understand critical processes . . . . 6
Examine enterprise security resource allocation . . . . . . . . . . . . . . . . 6 Integrating process management across corporate turf . . . . . . . . . . . . . . 7

Execution and results . . . . . . . . . . 7

Key steps in analyzing and managing processes . . . . . . . . . . . . . . 8 Core business strategy . . . . . . . . . . . . 9 Communications . . . . . . . . . . . . . . . . . 10 Hiring talent and skill sets . . . . . . . . . 12

Summary . . . . . . . . . . . . . . . . . . . 13 Appendix A: An employee case history . . . . . . . . . . . . . . . . . 14 References . . . . . . . . . . . . . . . . . . 16

With todays communications technologies, in which Nortel plays a leading role, convergence is much more than just putting voice over a data network. Convergence has evolved to combine voice, data, video and applications over wired and wireless networks. This new definition of convergence is delivering new levels of productivity, collaboration and cost savings to the enterprise. However, with the increased levels of connectedness come new and more complex risks. The interconnectedness of global business today can lead to catastrophic consequences when security incidents do occur. It can also be a valuable tool for preventing such losses. Converged voice and data enterprise networks like those from Nortel support the integration of corporate security across the organization creating a multi-layered, cross-functional approach to help mitigate the multiplicity of increasingly virulent risks. To make use of these powerful technologies, the enterprise must first understand what drives its business, the processes associated with these drivers and how security influences them. At Nortel, the Corporate Security function has undertaken a comprehensive process review and analysis to clearly link its activities and outcomes with the earnings drivers1 of the corporation. By identifying the earnings drivers, the risks and the security processes, an opportunity emerged to prioritize the functional contribution and refine security processes for enterprise strategic competitive advantage. This white paper reviews the opportunities for creating integrated security processes in any enterprise. Integrated security cuts across functional lines and overlaps business processes to ensure better protection of enterprise people, intellectual property and corporate assets in any situation, all the time. It helps to shape an enterprise that is prepared for the unexpected and can manage security-related challenges in a proactive manner before significant negative impact occurs.
Central to the effort is emphasis on employee education and awareness another opportunity enhanced by todays leading-edge enterprise network solutions. The capabilities and reach of converged networks can be leveraged to cultivate a collective responsibility for securing the enterprise. At Nortel, using our own enterprise network to facilitate integrated security has resulted in admirable security-related actions on behalf of our employees.

Global business has experienced strategic disruptions throughout history from war, market discontinuities, acts of terrorism, blackouts, computer viruses, natural disasters and other similar risks. The events of the past few years, however, have been most daunting to both commercial enterprise and governments worldwide largely due to the converged society only recently created. We are all in it together. Indeed, closer partnerships are emerging between suppliers and customers not only to further commerce, but also to ensure security interdependencies are recognized and mitigated across all facets of the business from research and design through manufacturing and supply chain management. Many corporations now understand that a significant competitive edge can be forged through the development of a more robust and resilient organization that can quickly recover from any disruption. A more resilient organization can gain market share because it can continue to conduct business when others are still recovering from natural or manmade disasters. Some enterprises are devoting significant resources to ensure this level of risk management across external interdependencies. However, it also clear that one of the greatest challenges and risks to the enterprise exists from within the organization itself. The lack of a comprehensive security strategy to identify and manage internal interdependencies can also lead to catastrophic disruptions to the business or otherwise add unnecessary costs and delays. Nortel refers to identifying and dealing with this risk as integrated security, or cutting across all staff and line organizations and overlapping essential security processes to identify and manage interdependencies unique to our operations and businesses. Our analysis and experience have shown that the challenges in a networked world include an increase in the number and complexity of risks those that are interrelated and global, and whose consequences can be devastating to business and its extended enterprise. Building integrated security in the enterprise results in proactive, integrated security that not only helps to mitigate disruptions to the core business and assets but can also be used as a value driver to enterprise earnings. Integrated security initiatives can increase strategic competitive advantage.

Enterprise Resilience: Managing Risk in the Networked Economy; 2003, Randy Star, Jim Newfrock, Michael Delurey.

Integrated security
A proactive, cross-functional approach for using security to enhance competitiveness of the enterprise
Identify drivers that pose internal and external opportunities or risks
Risk may be defined as a chance or possibility of danger, loss, injury or other adverse consequences that could affect the achievement of an organizations objectives. Todays business environment, processes and interdependencies have resulted in a variety of risks or threats emerging outside the organization. Convergence. The trend to greater openness among different business entities has dramatically increased the magnitude of risk. Enterprises are increasingly becoming extended and virtualized to accelerate the speed of business outsourcing and extending e-business connectivity to partners, suppliers and customers. This convergence is enabling companies such as Nortel to bring new products to market rapidly, going from concept to general availability, in a matter of months in some cases. Many businesses also are becoming more distributed, whereby some functions reside with customers and partners, thus creating demand for anytime, anywhere access to communications. These converged communications and applications are extending to help reduce costs, gain greater efficiencies and increase the level of engagement with customers. The acceleration, however, brings new security challenges. Nortel, for example, has more than 14,000 partner access accounts spread over more than 200 companies. Any significant level of interconnectedness leaves business entities increasingly vulnerable to abuse from inside their organizations and to attack from outside. Factors can even converge to cause a catastrophic event. The 2003 power blackout in the northeastern United States and Canada is a prime example. (See 2003 Power Blackout, page 9.) To mitigate these types of occurrences, corporations must develop clear processes that cross all company functions and reach to the extended enterprise. Once established, these processes must be rigorously reviewed, then updated to identify and close loopholes and to raise standards as needed. Corporate governance regulatory. The Sarbanes-Oxley Act of 2002 imposes weighty new responsibilities on corporate executives and board members. The Act demands that in all public companies, executives and directors must make themselves thoroughly aware of the veracity of quarterly and annual reports and that a system must be established for employees to confidentially report actual or perceived wrongdoing. In addition, the Bush Administration is considering two further measures: One is a proposal to include security plans and actions among the disclosures required in annual reports. The other, The Database Breach Notification Act [already passed in California], would require companies to notify their customers if they think their database of customer information has been breached. These new regulatory measures, along with the existing industry-specific ones such as those under HIPAA and Graham-Leach-Bliley, mandate that there be clear and frequent communication between corporate security and the board. Geo-political. The fallout of 9/11, the war on terror and the war in Iraq have heightened a fear of travel and caused a growing concern regarding business postings outside of North America. Global businesses find that these concerns can seriously limit the flexibility to move personnel where they are most needed. Meanwhile, outsourcing offshore remains attractive to many companies, yet, as one Business Week writer put it: Its simply harder to safeguard projects handled by other companies thousands of miles away. One reason is differing legal systems and values.2 Total risk avoidance is not possible, but employees have the right to feel secure in the workplace and companies must have high safety standards. Working closely with all levels of government and international organizations such as U.S. Homeland Security organizations is required for all critical infrastructure companies in industries such as utilities, finance and healthcare.

Spencer E. Ante. Commentary: Shifting Work Offshore? Outsourcer Beware. Business Week. January 12, 2004. 3

Market conditions. The economic downturn and recession over the last few years led to drastic measures in many organizations. Employees not affected by downsizing have sometimes been assigned to jobs that were not of their choice. The risks of violence in the workplace and of inadvertent or deliberate transfer of intellectual property to competitors must be managed. Insurance. Unless todays enterprise can show robust risk mitigation strategies, it will likely be impossible or prohibitively expensive to obtain insurance coverage for all potential significant losses. Insurance carriers are demanding that corporations demonstrate strong security practices such as proactive physical and network security before they will consider sharing the costs associated with most exposures. Connectivity. The connectivity, communications and collaboration that occur 24/7 in leading organizations today among people and systems spread across the globe are central to effectively serving customer needs and building competitive advantage. Inherent, however, are risks that can and do emerge internally. Corporate strategy/earnings drivers. One of the first steps in creating the secure enterprise is gaining a clear understanding of the business, the security risks the organization faces and how these two relate to one another. Aligning a risk mitigation strategy with the assets and processes that drive the success of the enterprise is essential to leveraging integrated security for improved strategic competitive advantage. At Nortel, for example, we identified a number of factors that drive our corporate earnings: customer relationships, technology, intellectual capital, partnerships, efficiency and market opportunities. An enterprise in another industry or with a different structure and set of goals might define those factors that drive or detract from earnings differently, such as capacity management or the ability to attract senior executives. Once we defined earnings drivers for Nortel, we then asked what risks could negatively impact the success of each of them. We established a Security Risk Council with key partners to delineate drivers, strategic assets and risks. (See Figure 1.) By mapping business processes and relationships that generate revenue and profits, we could identify key earnings drivers and their vulnerabilities. In our discussions with management and key decision makers, it was important to consider the degree of control over each driver in assessing priorities and recognizing which had more immediate versus longer-term impact. We were able to determine our companys state of resiliency, with clear opportunities for improvement in our security processes, risk mitigation priorities and associated security spending both as a percent of revenues and a percent of our Information Systems budget. We realized how essential it is for corporate security spending to be aligned with the potential risk impact to the enterprise earnings drivers.

Figure 1. Earnings drivers. Nortel Corporate Security analyzed corporate strategy, the processes, and assets that drive our success and the risks jeopardizing all. Every company will have its own set of earnings drivers and risks to consider when integrating security with enterprise strategy.

This analysis of corporate strategy and earnings drivers highlighted interdependencies across Nortel and our extended enterprise that reaches out to customers, suppliers and partners. The link between mitigating security risks and enterprise competitive advantage became readily apparent. The realization suggests that an aggressive approach to integrated security is imperative. Yet many organizations remain somewhat complacent about security. A white paper published from survey results by The Economist noted: Few companies currently have an enterprise-wide strategy that covers all the facets of corporate security.3 At stake is degradation of their core business as well as missed opportunities to demonstrate strategic leadership. Shrader and McConnell reinforce the opportunity for security initiatives to positively impact the bottom line: Although core business protection is also largely an exercise in risk identification, prioritization and mitigation, opportunities for value capture increase as one moves from people to businesses to networks. Done properly, and marketed effectively, an investment in appropriate levels of security can help differentiate a product or service, or enhance a companys operational effectiveness versus that of its competitors. Embedding security within the organization effectively hardwiring it into its operations, in much the same way supply chain management is today can transform security from a burden into an enabler.4 Regardless of the specific earnings drivers and strategy necessary for the enterprise to succeed, most organizations today face common threats in several areas. These risks can emerge from outside entities or interdependencies, or they can come from within the organization itself. Following are some prevalent risks many enterprises share today. Employees (culture). Building a culture of constant watchfulness so that every employee assumes personal responsibility for security is imperative. As Human Resources increasingly serve the enterprise in new and different ways work-at-home employees, remote network access, teaming and flexible work hours, for example accidental losses can be addressed through education and deliberate losses through clear policies and repercussions. The 2003 CSI/FBI Survey indicates a 50/50 split between security incidents originating inside and outside the enterprise.5 Contractors, partners. Resources brought in for specific projects, with certain skills or for a pre-determined time period as well as those representing partner companies must also be security-conscious and have clearly defined roles and responsibilities. Facility access control, enterprise network access precautions and termination of all access privileges at the conclusion of any given arrangement are the bare minimum. Policies (responsibility and accountability). Ensuring that there is functional responsibility and accountability for risk mitigation remains essential even as the enterprise seeks to build awareness of security as a shared objective and task. Having well defined policies ones that set forth clear delineation of roles and responsibilities will empower all levels within the organization to perform their obligations in securing the enterprise. Employees, for example, might be required to protect confidential information, not participate in Internet chat rooms as a representative of the enterprise, password protect their computer files and follow the rules for use of the corporate intranet. Managers might have further responsibility for inventory control or access entry audits on a regular basis to detect unauthorized entry into secured areas. At the same time, there is a functional need to communicate corporate responsibility and accountability for security in an ongoing and effective manner. (See Communications, page 10.)

Testing the defenses: Facing up to the challenge of corporate security. The Economist. October 18, 2002. Ralph W Shrader and Mike McConnell. Security and Strategy in the Age of Discontinuity: A Management Framework for the Post-9/11 World. 2002. 2003 CSI/FBI Computer Crime and Security Survey, www.gocsi.com. 5

Missing the obvious

Scenario I: Unrecognized interdependencies
What happened: Company XYZ spared little expense in its network security infrastructure. From desktop to server through firewalls and to the Internet, the enterprise established a state-of-the-art approach with every contingency covered. A non-descript bomb threat received at the Corporate Data Center (CDC) by a contract security guard was mishandled. Rather than following established protocols, the guard called for an immediate evacuation of the building, which shutdown the CDC for four hours. The threat was subsequently determined to have been made by local teenagers calling in to several businesses in the area, and the evacuation was unnecessary. What could have happened: Real Estate, the function responsible for managing the facility and security, and Information Systems could have identified their interdependencies and prepared for proper emergency handling of bomb threats. Training for CDC staff, particularly bomb threat drills, would have guided staff to handle the contingency without shutting down the network. Had the enterprise emphasized shared security risks across the organization and coordination with local law enforcement, the entire incident could have been avoided.

Understand critical processes

This section describes how proper analysis can become the foundation for proactive, integrated risk management and integrated security across all functions and among all levels of employees a foundation for managing and using end-to-end processes to address both internal and external security requirements. Examine enterprise security resource allocation In understanding critical processes to make corporate security a competitive advantage, it is equally important to have a firm grasp on resource allocation both money and time. Ensuring that the security budget is being spent to fully leverage the value of integrated security and that resources are deployed or assigned where they have the most impact can make the difference in successful risk mitigation and overall competitiveness of the enterprise. Financial resources. While the goals and accounting practices of the enterprise might dictate how best to determine the most effective allocation of financial resources to integrated security, several fundamental questions are likely appropriate for every organization: > What is the total budget allocated for security? > What percentage of revenues does it represent? > How is it divided among discrete security functions, such as information systems, physical security and corporate security? > What percentages are spent on proactive versus reactive security activities?

Scenario II: Failure to communicate

What happened: A corporation suffered several attacks on its network where various employees passwords were being used to gain illegal access at one location. The breach was traced to remote users in the immediate calling code of the facility itself. Information Systems and Corporate Security were investigating various aspects of the breach and exchanging little information. One investigator learned from a local custodial staff member that activity in the building appeared typical, including the constant movement of suppliers, delivery personnel and homeless people who frequented the area. Despite repeated re-setting of the employees passwords, the attacks continued. The investigator queried the custodian again, getting the same response, but deciding himself to watch the flurry of activity after hours. He learned that the homeless people were not indigents at all. They were hackers who were dumpster diving for computer printouts, employee notes and other material that revealed employee passwords. What could have happened: The obvious could have been determined more immediately, preventing ongoing attacks had local building security environments been checked for any unusual activity. If the two functions had communicated more effectively, the dumpster divers might have been spotted and stopped much earlier in the process.

With its commitment to integrated security for competitive advantage, Nortel Corporate Security has emphasized increasing its allocation of funds to proactive areas such as employee education and awareness, due diligence and executive protection. These types of allocations, however, are in a constant struggle with funds for reactive necessities such as investigations and liaison with various government authorities. We anticipate over time that by better balancing our funds allocation, we will begin to see improvements in areas requiring spending after the fact. Currently we spend approximately 57 percent of our resources proactively, up from 40 percent four years ago. People resources time. The same sorts of issues and questions arise with allocation of human resources in building integrated security. Dedicating man-hours to security starts with the earnings drivers discussed above and integrates with critical processes that affect competitiveness or success of the enterprise. Nortels security staff is organized across all time zones to ensure that regional priorities are met quickly. This also allows us to pass work to the next time zone for timely completion when time is of the essence. The size, shape, scope and geographic location of security resources must be carefully considered. Building relationships with line management is key to affecting integrated security, so the professionalism as well as the number of staff can be paramount. (See Hiring talent and skill sets, page 12.) With limited resources, like most organizations today, allocating their time to the greatest advantage is a challenge worth meeting. Nortels Corporate Security team is organized largely by geography, so that key security resources can be co-located with heads of regional operations in Europe, Asia, Canada and Latin America. In addition, we staff experts in systems security, investigations, global forensics and key employee protection. While still improving, our allocation of time to integrated security has evolved to more proactive than reactive activities in recent years. Integrating process management across corporate turf A practical approach to resolving turf, or perceived turf, issues is to get all of the stakeholders to agree on process ownership and to document those processes. This includes the mapping of the security processes within each discipline and documenting where different groups have process ownership and cross-functional responsibilities. (See Figure 2.) Completing this process management documentation is a time-consuming and often contentious task, but a critical one. Without this simple clarity, security issues fall through the cracks as set forth in examples of missed security inter-dependencies discussed later in this paper.

Execution and results

Nortel Corporate Security now sets objectives and determines its action plans by managing and executing the processes described earlier. We anticipate our customers needs and have eliminated cost-producing actions of little value. We have eliminated many barriers and silos, collaborating and responding to feedback from our internal customers so that we operate effectively on a crossfunctional basis. We manage by fact and can measure our value to the enterprise communicating risk factors and actions on a regular basis to the CEO and Board of Directors in a language that is well understood.
Figure 2. For integrated security to be most effective, the enterprise will need to map security processes within each discipline and document where different groups have process ownership and cross-functional responsibility.

Key steps in analyzing and managing critical processes

Checklist for enterprise security
Getting started
If the enterprise has a security organization, one individual should be designated as the key facilitator for the process. This is not an attempt to create a security guru security need not be centralized depending on the prevailing culture but to ensure the entire enterprise is considered and nothing is missed. Consult with key stakeholders: employees, senior management, customers, suppliers/partners, law enforcement, the office of State and Federal Homeland Security and other local corporations to ensure a good exchange of information, changing vulnerabilities and related intelligence. Identify key operational and staff partners and form an Enterprise Security Risk Council. Collectively identify key earnings drivers and risks that could negatively impact them. Ensure Council members are well acquainted with process management concepts, implementation and, importantly, process management terminology.

Process mapping
Carefully examine the major risks first, looking for interdependencies that are clear and those that may elude people. For example, review the importance of hiring and screening practices not only for employees, but for contractors as well. Identify in particular any interdependencies that appear when examining security process overlaps and areas not previously considered, such as the example above of the contract security guard and bomb threat procedures. This requires careful consideration and critical thinking to ensure nothing significant is overlooked. Map the security processes within each discipline and document where different groups have process ownership and cross-functional responsibilities. Using the example above, Human Resources usually owns the background review process, but many different organizations provide input such as Legal, Security, Operations, etc. Seek opportunities to learn from real-time issues (e.g., process flow of events, root cause analysis).

Execution and communication

Once all major processes are mapped, share the outcome with senior management of the organization to ensure they understand the process, are aware of various ownership issues within and between functions within the organization, and support the outcome. Appoint a security prime for each line of business and make sure these individuals are seasoned managers who are well respected in their areas of expertise and the organization as a whole. Its important that line staff own the risk. Develop protocols for what information needs to be communicated between functions, its relative importance from critical to important to need-to-know, how and when the communications should take place, and individual process owners responsible for taking action when necessary. Meet with the stakeholders involved in the process at regular intervals to ensure any changes in organizational structure, market or the environment are taken into consideration to make sure the process and mapping are evergreen.

Our core strategies are two-fold: 1. Focus on the key processes to meet corporate and client requirements Employee protection Education and awareness Consultation and advice Review and audit Investigations of unethical and unlawful conduct Crisis management 2. Continue to maintain industry leadership with minimal headcount and budget by leveraging existing and evolving management processes Our daily activities help to protect Nortels core business and company assets: people, information, networks and property. They also can help to enhance the companys competitive position. Core business strategy Nortel Corporate Security assists in protecting the core business of the enterprise by having crisis management teams in place around the globe. All players are educated on roles and responsibilities, and regular audits identify areas for correction. The value of these teams was demonstrated in August 2003 when a major power blackout struck the northeastern United States and Canada. (See Power blackout, right.) This level of business continuity planning has been a major result of our process management and commitment to integrated security. Beyond our overall role in helping to protect the core business, we involve customers in the New Product Introduction process. This has proven to enhance product resilience over time. Customers spend time on site at our labs and provide input throughout the development stages.
6

2003 power blackout results in no lost revenue Integrated security pays off
On Thursday August 14, 2003, a major blackout affected more than 50 million residents and enterprises throughout the northeastern United States and Canada. A state of emergency was declared and not lifted until the evening of August 22, 2003. The first indication of the blackout at Nortel came when servers and other computers across the affected area suddenly went into hard shut-down, knocking out labs, call centers, and customer-facing systems. Three sites in Canada and eight in the United States were without power, affecting 8,800 employees. Fortunately, the company was prepared. The investment that had gone into the establishment of Business Continuity Planning (BCP) teams over the previous 12 months paid off. BCP teams across the region with representatives from Information Systems, Real Estate, Communications, Environment, Health and Safety and Corporate Security mobilized to keep operations running smoothly. The teams also communicated with state and provincial officials to obtain the swiftest possible return to normal. Secured mobility allowed employees to continue to work from home. Nortel estimates that it maintained close to 85 percent productivity during this event. 6 Clear responsibilities, executive leadership and dedicated employees ensured the success of the BCP process. By rerouting incoming calls to call centers outside the affected areas, effectively communicating with employees, keeping customers and suppliers apprised of progress being made and ensuring the excellent cross-functional collaboration that integrated security makes possible, the business operations of the enterprise were minimally affected. Any gaps in the BCP process had been identified and corrected earlier through hypothetical crisis scenario testing. The process worked and the results were impressive: Nortel experienced no impact from lost revenue due to the blackout, customers experienced no interruptions in supply lines and order management and processing were business as usual. When power was being restored, the government provided another test by asking companies to use only 50 percent of their normal level. Nortel again met the challenge and was cited for commitment to good corporate

Secure Mobility at Nortel. Metagroup white paper. February 2004.

citizenship in the crisis.

9

Fundamental to securing the enterprise is an education and awareness program that establishes a vigilant atmosphere. Regular, ongoing communications compels all employees and leaders of the enterprise from board level down to be security conscious and take an active role in risk mitigation. (See Appendix A: An employee case history.) People. Appropriate protection of our employees reduces fear in the workplace and allows us to move resources to where they are most needed. Our ability to mitigate risks in this area is a strategic advantage for Nortel, which can subsequently attract and develop the best resources available. Security managers are trained to recognize warning signals of violence, preventative action is taken at shareholder and other critical meetings, and specific threats such as bomb threats are acted upon immediately. Converged communications now allows for employees to work from any location with secured remote access to the corporate servers. In addition, Corporate Securitys Travel Well program is provided to all employees. It provides 24-hour, one-stop access to important information for international travelers and offers expert assistance with health and security emergencies during travel. Once international travel plans are established, the employee receives a heads up on any requirements or area alerts. For example, travelers will be informed about required immunizations or local aspects of crime or unrest. If a destination is labeled particularly high-risk, the traveler can get an advance call from Corporate Security to discuss specific areas for awareness and to let the employee know how to reach them in case of emergency. Whats more, traveler itineraries are tracked, so all employees can be located immediately in case of a security crisis. Special circumstances for our human resources are also given security consideration. We provide risk assessments for expatriates and key employees, offering counsel and assistance at their destinations. All company decisions to downsize or outsource resources have security precautions built into them before deployment, including securing employee access and identification cards or changing passwords as required. Information. Our programs for protection of intellectual property are expansive. Employee education and awareness in this area are continuous throughout the year, and we use anecdotes from within the corporation and headline news externally to communicate the rewards and repercussions that are possible. We educate employees on the intellectual property rights of Nortel, our customers and our suppliers, clearly delineating responsibilities for protecting them. We monitor employee attrition patterns and document any unethical recruitment by competitors should lawsuits be filed. Intelligence is also gathered on potential patent infringements to provide for litigation support. And, we have a strategy in place to comply with the increasingly rigorous privacy legislation. Meanwhile, software is deployed in our enterprise network to detect network intrusions that can expose intellectual property to theft, and we follow up by establishing protection procedures to all employees. Network. We team with Information Services (IS) to develop strategies around encryption, application security and intellectual property protection. We conduct an ongoing evaluation of emerging technologies for intrusion detection and network protection as a basis for establishing network security policies with IS. We regularly update these policies and advise employees on their role in network protection. Our proactive intelligence identifies emerging risks in the industry and allows us to apply current technical solutions for risk mitigation and added value for the enterprise. In fact, we have learned through interaction with external organizations that our robust network security often results in far less negative impact from destructive viruses or trojan horses that are wrecking havoc with their networks and resulting employee productivity. Property. All Nortel locations have emergency procedures in place to handle specific threats. We also establish policies for new facilities and set standards for their operation. For strategic facilities such as our global headquarters and research and development labs, we conduct risk assessments and put in place needed security measures to protect human resources, intellectual property and assets. Communications The very interconnectedness and convergence of networks discussed earlier as necessitating a collective responsibility for security across the enterprise today are also fundamental to effective communications across the enterprise. Establishing integrated security as a proactive approach to securing the enterprise is facilitated by todays technologies and leading network solutions such as those devised and deployed by Nortel. Inside our own organization, we have created one of the most sophisticated communications networks in the world. Our converged voice and data network presents a variety of means for educating employees, building awareness and soliciting valuable feedback. We have an expansive intranet available for real-time communications, use alerts via
10

e-mail to highlight urgent matters, pass highly confidential data to those with a need to know using sophisticated encryption and segment our employees as needed according to level within the organization, location or business unit for targeted communications. Even our Nortel VPN Router provides a medium for delivering messages on the latest security risk. These capabilities have vastly enhanced our ability to increase communications and collaboration for improved enterprise security and resiliency, leading to greater enterprise success. Nortels education and awareness program in Corporate Security began as one designed to inform employees of security policies and procedures and make them aware of the noncompliance consequences. We did not solicit feedback and some employees viewed the security organization with trepidation. Today, our multi-faceted Education and Awareness Program informs, encourages involvement, shares exemplary examples and solicits feedback. Employees are now a part of Corporate Securitys processes, and they view the organization as a partner creating a more vigilant culture embedded in the enterprise. Our Education and Awareness Program has been the recipient of international awards for three consecutive years. To tap the interdependencies and ensure widespread communications, Corporate Security uses a variety of media and messages. Here are some examples that are getting recognized as best practices: > Quarterly security newsletters issued to all employees feature a variety of security issues and advice, with case summaries of recent frauds, conflict of interest, loss of intellectual property and network abuse. These case summaries hold intrigue for many employees, yet they also communicate valuable content regarding security practices and the many threats facing the organization today. > The Corporate Security Intranet Site is both a medium for distributing new information and an archive of vast resources and content. It contains information on how best to protect Nortels people, assets and intellectual property. Policies and procedures are contained here along with the latest information on geo/political trends, Homeland Security actions, recent company cases of inappropriate conduct and specific tips on travel security and personal protection. The intranet site is updated continuously and employees are asked for suggestions on what they would like to see posted. Traffic to the site is tracked and suggests employee interest and use, particularly when we highlight hot topics or those attracting attention in the external media.
Figure 4. traffic on been able effective,

Figure 3. Nortels Quarterly Security Newsletter. Issued to all employees, this security communications medium includes case summaries to build education and awareness. The sexiness of the material attracts employee interest while making an emphatic impression.

Intranet site access by category. By tracking employee our internal online medium, Nortel Corporate Security has to recognize key areas of interest, media that are most and even hot topics suggestive of employee behaviors. 11

> An e-mail address for reporting incidents or concerns lets employees bring information to the attention of Corporate Security. Great strides have been made in building a rapport of trust and concern with employees via this mechanism. Every e-mail received is answered and, where possible, additional information provided on the particular issue of concern. This twoway communication has paid off: employee reports of potential security concerns have increased 42 percent in a period of 18 months, with some significant issues exposed. One infraction reported by an employee, for example, alerted security to company confidential information that was available on the Internet through a standard search engine. Subsequent investigation determined a business partner had incorrectly configured the security settings on one of its servers and the matter was corrected. > A confidential 1-800 ethics hotline was created in 1990 to permit anonymous reporting of ethical violations or suspected inappropriate activity for investigation. > Web alerts are e-mail blasts that go directly to employees and can be sent to all employees or targeted employee groups to reach a specific geography or level within the organization. These are used judiciously, communicating a virus outbreak that might threaten our enterprise network, relevant information pertaining to a significant security incident, the impact of a change in Homeland Security alert codes or other timely and important information. > Travel Well provides traveling employees with information included with their travel documents. Where appropriate, country assessments are made available. A 24-hour hot line has been established and travel itineraries are tracked. This gives employees more confidence when traveling offshore since the risk alert is followed with advice on how to handle each situation. > Surveys provide feedback on all facets of Corporate Securitys Education and Awareness Program, enabling us to tailor future messages and ensure positive employee engagement. One all-employee survey asked the question, Have your security habits and practices improved since reviewing the awareness publications? Among those responding, 55 percent answered somewhat and 28 percent indicated yes definitely. In addition to its many communications media both ongoing and as needed due to security concerns that emerge unexpectedly Nortels Corporate Security staff have developed a useful rapport with management and staff in each of the regional areas. These relationships too are facilitated by the interconnectivity our converged enterprise network makes possible and they foster global collaboration. Continuously strengthening these relationships generates intelligence and creates an environment for open discussion by employees when inappropriate behaviors do occur. Through our metrics and measurement, Corporate Security can better track the effectiveness of all of our processes and partnerships across the organization. Sometimes, a positive reflection of our efforts falls in our laps. In one security incident, an employee victim of social engineering tactics inadvertently sent company confidential information to an unauthorized source outside the organization. Upon realizing the mistake, the employee quickly contacted Corporate Security. The employees awareness of the security breach and how to handle it, combined with Corporate Securitys relationship and partnering with local line management, resulted in recovering the lost data in question, as well as other information gained by inappropriate means. (Read the full case summary, Social engineering strikes at Nortel, in Appendix A.) Corporate Security used the incident to communicate not only the warning signs of social engineering to employees across Nortel but also to reinforce the message that every individual can make a difference in securing the enterprise. Hiring talent and skill sets The enterprise must rely on security professionals who are closely aligned with the business and corporate strategy, prioritizing risks and the mitigation of those most likely to negatively impact earnings. The secure enterprise will call upon its corporate security team to sense new geo/political trends, spot emerging Internet threats, be alert to potential violence in the workplace, and recognize the potential for financial crimes. The enterprise will rely on its security resources to raise the bar on corporate standards and put in place processes that ensure adherence from the board level down.

12

Figure 5 begins to paint a portrait of the critical skills needed by todays security professionals. The functional leader can at once be a strategist, communicator, negotiator and consensus builder a change agent for the enterprise. In order to respond to multi-faceted risks, Nortel security professionals come from a variety of backgrounds including accounting, engineering programming, policing, science, business management, human relations, risk management, investigations and law. Some have published papers on security management and all are involved in the types of security organizations mentioned earlier. We have recruited staff who make up for their small number with extremely broad backgrounds. We also have specialists in several areas: forensic auditors to detect fraud and inefficiencies and patent and litigation professionals who do due diligence on suppliers and partnerships in order to detect shell companies or criminal intent. In addition, the entire security team must be constantly alert to the requirement for business continuity should a crisis of any kind occur.

Figure 5. Evolution of security skill sets. Having the right skills and competencies in the enterprise security organization is essential to risk mitigation.

Summary
Nortel Corporate Security will never rest on its laurels, but it has come a long way in taking a proactive, integrated approach to securing the enterprise. By identifying key earnings drivers and tying all security processes to them, we have succeeded in knowing that the value of our work is a resulting positive impact on the overall success and competitive advantage of our corporation. Our commitment to integrated security security across all staff and line organizations that leverages interdependencies for greater effectiveness has been fundamental to protecting Nortels people, intellectual property and assets in a networked world. And the networked world has been fundamental to our ability to communicate better and build stronger relationships internally and with customers, partners and suppliers globally.

Figure 6. Integrated security. Having a clearly defined strategy will lead to securing the enterprise for improved competitive advantage.

A proactive, integrated approach to risk mitigation and enterprise security can best be established through a clearly defined strategy: Understand the environment in which your enterprise operates and the internal and external security risks it faces. Identify key earnings drivers for the enterprise. Conduct an in-depth review of security processes and prioritize according to value delivered against earnings drivers. Communicate effectively with employees at all levels. Build strong relationships with management and colleagues throughout the enterprise and in customer/supplier/partner organizations. Stay agile. Continuously measure the effectiveness of your processes and outputs in securing the enterprise and adjust accordingly using the closed loop policy management.7 In a volatile, networked society, security threats will continue to take new shapes and emerge from new directions. Securing the enterprise with a proactive approach that leverages security for strategic competitive advantage will help to ensure that you and your enterprise are prepared and protected at all times.
7

Unified Security Architecture for Enterprise Networks Security. Section 2.3. Nortel. 2003. 13

Appendix A: An employee case history

Social engineering strikes at Nortel
Anyone can become a victim of social engineers those smooth talking people hackers who con employees into sharing org charts, phone lists and all manner of other confidential company information. Heres a recent case history of a security incident involving social engineering from within our own company.

Heres what happened

A Nortel telephone operator working in Europe received a phone call from an individual claiming to be a Nortel employee traveling abroad and in urgent need of confidential contact and Human Resource information for business unit personnel in another region. The caller, well versed in company protocol, sounding completely confident and sincere and name-dropping others in her organization, requested that the company data be faxed to an external number. The operator asked for the womans global ID number, but was told that it was unavailable since the caller was away from her normal office setting; the caller said her computer was down so she couldnt reach the information quickly. The operator, a first-rate employee well respected by her peers and superiors, wanted to be helpful and efficient, so she faxed the information to the caller. A moment later as the operator was thinking about the call, she grew increasingly suspicious and dialed the number of the employee who had placed the call. A voicemail message announced that the employee was on maternity leave for several months. The operator phoned Corporate Security immediately. Using the information available, Corporate Security was able to identify the source of the fraudulent call. Then working with the Law Department, they retrieved from the recruiting firm not only the confidential information that was known to have been sent, but also a further set of confidential information that had been sent by another duped employee who had been less able to admit her mistake.

A common ploy thats hard to spot

Any Nortel employee at any time can be approached by social engineers a term used to describe con artists who use a variety of schemes to gain access to confidential information. Telephone operators, help desk personnel, human resources staff and receptionists are particularly at risk since outsiders often expect them to have access to confidential company data. The number of social engineers, also called people hackers, continues to rise as companies and individuals face more fierce competition. These information thieves seek ways to get their hands on competitive information and intellectual property belonging to others. Like most con artists, those who practice social engineering are quite good at what they do. Whether they present themselves as executives needing urgent help, customers desperate to reach an account executive or graduate students conducting critical research, social engineers rely on their unique communication abilities to convince you that its in your best interest to help them.

14

Dont be fooled
This recent incident is one of several where Nortel employees were approached by social engineers. As with this incident, the callers are often headhunters looking to steal away key personnel. They typically ask for seemingly unimportant information or information that is widely distributed internally. And thats a key distinction to remember. Just because information is available and distributed internally does not mean its to be distributed at all externally. Any information marked Nortel confidential should never be shared with an external source unless the appropriate nondisclosure agreements are in place.

What can you do?

Regardless of your title or work location, its important to realize that anyone can be a victim of social engineering. To protect yourself and Nortel, remember the following: > Be aware that social engineering is a real and ongoing security threat. > Be suspicious of all callers requesting sensitive or confidential information. > Tell all callers that youre unable to disclose sensitive information without proper authorization. > Write down any information that may be useful to Corporate Security or law enforcement, such as a caller ID number, an accent or tone of voice. > Should the caller be able to provide a global ID and other information, let him/her know youll return the call with the information once youve verified that its appropriate to do so. > Dont be fooled by social engineers who become verbally abusive or threaten you with disciplinary action for refusing to comply with their request. > Report all suspicious calls to Corporate Security as soon as possible.

Kinds of information social engineers want:

> Organization charts > Internal telephone directories > E-mail address books > Login information: user names and passwords > Product information, including launch plans > Personal information for employees, such as home addresses or spouses names > Blank letterhead or sample purchase order forms > Network or security details

15

References Randy Starr, Jim Newfrock, and Micheal Delurey. Enterprise Resilience: Managing Risk in the Networked Economy. 2003. Spencer E. Ante. Commentary: Shifting Work Offshore? Outsourcer Beware. Business Week. January 12, 2004. Testing the defences: Facing up to the challenge of corporate security. The Economist. October 18, 2002. Ralph W Shrader and Mike McConnell. Security and Strategy in the Age of Discontinuity: A Management Framework for the Post-9/11World. 2002. CSI/FBI Computer Crime and Security Survey, www.gocsi.com. 2003. Secure Mobility at Nortel. Metagroup white paper. February 2004. Unified Security Architecture for Enterprise Networks Security. Section 2.3. Nortel. 2003.

Nortel is a recognized leader in delivering communications capabilities that enhance the human experience, ignite and power global commerce, and secure and protect the worlds most critical information. Serving both service provider and enterprise customers, Nortel delivers innovative technology solutions encompassing end-to-end broadband, Voice over IP, multimedia services and applications, and wireless broadband designed to help people solve the worlds greatest challenges. Nortel does business in more than 150 countries. For more information, visit Nortel on the Web at www.nortel.com. For more information, contact your Nortel representative, or call 1-800-4 NORTEL or 1-800-466-7835 from anywhere in North America. Nortel, the Nortel logo and the Globemark are trademarks of Nortel Networks. All other trademarks are the property of their owners. Copyright 2006 Nortel Networks. All rights reserved. Information in this document is subject to change without notice. Nortel assumes no responsibility for any errors that may appear in this document.

In the United States: Nortel, 35 Davis Drive Research Triangle Park, NC 27709 USA In Canada: Nortel, 8200 Dixie Road, Suite 100 Brampton, Ontario L6T 5P6 Canada In Caribbean and Latin America: Nortel, 1500 Concorde Terrace Sunrise, FL 33323 USA In Europe: Nortel Maidenhead Office Park, Westacott Way Maidenhead Berkshire SL6 3QH UK Phone: 00800 8008 9009 or +44 (0) 870-907-9009 In Asia Pacific: Nortel Nortel Networks Centre, 1 Innovation Drive Macquarie University Research Park Macquarie Park NSW 2109 Australia Tel: +61 2 8870 5000 In Greater China: Nortel, Sun Dong An Plaza 138 Wang Fu Jing Street Beijing 100006, China Phone: (86) 10 6510 8000

N N 1 0 9 1 0 0 - 0 5 1 7 0 6