Workforce Management: Introducing a Policy Rules Engine to Industrial Security

2015 Honeywell Users Group Europe, Middle East and Africa

Workforce Management: Introducing a Policy Rules Engine to Industrial Security

Adrian Fielding, Honeywell
Damian Vassallo, RightCrowd

Upload: honeywell-process-solutions

Post on 23-Jan-2018


© 2015 Honeywell International All Rights Reserved

Ensuring Safety & Security of your Workforce

Integrated Protective Solutions

• Honeywell’s Integrated Protective Solutions deliver Safety Shutdown, Fire & Gas, Physical and Cyber Security holistically across process facilities.
• Together these solutions ensure that process, plant, people and environment are safer and more secure than ever before.
• They include independent yet interrelated layers of protection to prevent, detect and mitigate potential safety and security risks and threats.

Abstract

• Workforce Management: Introducing a policy rules engine to Industrial Security, Damian Vassallo RightCrowd and Adrian Fielding Honeywell
• This presentation will explain the emerging workforce assurance space and the methodologies for implementing an attribute based access control system
• The conversation will focus on defining attributes and policies that a rules engine could enforce; i.e. near real time condition based access control
• When incorporated as part of an over-arching industrial security program, organizations can leverage powerful and robust business process that aids and improves business performance

Workforce Assurance

[Diagram labels: Process, Structure, Reaction, Mental Model]

Purpose

Improve the visibility and productivity of the business by:

• Mitigating physical security, safety and compliance vulnerabilities.
• Automating and standardizing people processes to improve productivity.
• Enabling the better management of our people and their costs in real-time.

Resource Management

Improve throughput

$ per hour / $ per person

Link Org Management to Business Function

Link Org Management to Business Process

THIS IS CHANGE

Purpose

• Collaboration between different areas of the company – HR, Finance, Operations, Compliance
• Assurance across the spectrum of Logical and Physical
  ‒ Logical – HR, Payroll, Active Directory, Task Applications
  ‒ Physical – Networks and Facilities (Data Centres, Vaults, Industrial Sites)

Link Org Management to Business Process

Purpose…

• Security events
  ‒ Location data, when "root" account is accessed (console of a server)
• Authorization to grant access
  ‒ Non-repudiation (Who is the Owner?)
  ‒ Multi-Level approval – link to Org Chart and Area Owners
  ‒ Separation of duties
• Validation checks differ
  ‒ Internal v 3rd Party contractors or visitors

Link Org Management to Business Process

Outcome

• Risk Reduction – Certainty that a task has been carried out
• Process Automation – Less manpower has achieved cost efficiency

Resource Management

Throughput

• Limit access to those who are approved, authorized, accredited and accounted for
  ‒ Background checks
  ‒ EHS (Compliance/Certifications)
  ‒ Appropriate commercials
• Seamless Interdepartmental process
  ‒ Chain of Approval / Delegation
• Immediacy
  ‒ One touch Termination (Logical and Physical)
  ‒ Employee, Contractor or Visitor

Resource Management

Outcome

• Compliance – Full audit trail of data
  ‒ What was it changed from
  ‒ What was it changed to
• Reporting – information packaged in real time
  ‒ map to specific requirements and for specific users

Business Improvement

Mitigate Risks to Business Interruption

• Converge with DVM to increase / improve security performance
• Plan for peak periods and flow of workforce (Shutdowns)
• Correlate multiple data feeds
  ‒ Asset information to Personnel information
  ‒ Pre-emptive – Business Continuity/Evacuation Plans

Ensuring / Insuring Brand Reputation

• Timeliness responding to emerging / ongoing crises
• Sophistication to IT Security
• Advanced Persistent Threat / Insider Threat

Conclusion

NO SILVER BULLET

• Workforce Assurance requires clear approaches to logical and PHYSICAL security
  ‒ Something you Own
  ‒ Something you Know
  ‒ Something you Are
• Prepare for aggression at a Cyber Level
  ‒ What are the sources and where can they be mitigated
• Situational Awareness of Assets and People
  ‒ Visibility and Value
  ‒ Trust

Logical / Physical Maturity Curve

Workforce Assurance Maturity Model

Level of Maturity: 1. Unaware, 2. Tactical, 3. Focused, 4. Strategic, 5. Pervasive

1. Unaware
  ‒ Total lack of awareness
  ‒ Spreadsheet Information
  ‒ One-off report requests

2. Tactical
  ‒ No Business sponsor
  ‒ Security in charge
  ‒ Limited users
  ‒ Data inconsistency and ad hoc systems

3. Focused
  ‒ Specific focus on a business need (e.g. attribute based management or fatigue management or contractor mobilization)
  ‒ Funding from business units on a project by project basis
  ‒ Specific set of users are realising value

4. Strategic
  ‒ Business Objectives drive Workforce Assurance with Performance Management Strategies
  ‒ Deploy an enterprise metrics framework
  ‒ Governance policies are defined and enforced
  ‒ Establish a balanced portfolio of standards

5. Pervasive
  ‒ Information is trusted across the company
  ‒ Workforce Assurance is extended to suppliers, customers and business partners
  ‒ Workforce Assurance analytics are inserted into and around the business processes

Unsupported Structures

Accessing Business Improvement TM aiding with Health, Safety and Security decisions to support workforce assurance compliance reporting

Experiences from CXO

CSO

• Corporate Security – Reduce Risk / Establish Standards

• Automate Security Policy and Procedures

COO

• Who is working for me today?

• Are they known, authorised, accredited and accounted for at all times?

CFO

• Contractor Reconciliation (Plan v Actual) hours

• ROI of Mobilization expenditure

CIO

• Logical and Physical Identity Management

• Interoperability between systems

CEO

• Zero Harm

• Licence to Operate
