corporate security
Plug the holes in your cone of silence
When confidential data gets out it can be catastrophic, but there are safeguards, writes Cynthia Karena.
Data loss is a significant factor in modern business, dependent as it is now on electronic systems. And it occurs in many ways, some inadvertent, some through stupidity and some criminal.
One organisation accidentally puts its sensitive market research report online before it has been approved; another can't find data that has been requested by a government department. Others lose laptops, unwittingly send confidential information in emails, or give contractors too much access to internal data. This is lost data and its impact on a business can range from financial loss, to damage to its reputation, potential loss of customers, or even imprisonment if there is a breach of corporate governance. So, how good are your data management policies and procedures? How secure are your corporate borders? More than two-thirds of Australian organisations experience six losses of sensitive data every year, according to new research by the US-based IT Policy Compliance Group. One in five organisations loses sensitive data 22 or more times a year.
Lost data includes customer, financial, corporate, employee, and IT security data that is stolen, leaked or destroyed. Loss of sensitive, confidential corporate data can also give a rival company a competitive advantage. It might, for example, include results of market research, competitive intelligence analysis of another company, research and development results, financial information, or a list of possible staff redundancies.
"In most organisations, the most sensitive information is in emails," says Milton Baar, the director of IT Security consultants Swoose Partnership, and committee member of the ISO 27001 international security standard for information management. Mr Baar says three factors should be considered in assessing data loss: confidentiality, integrity, and availability. The integrity of data is maintained by ensuring that information is changed only by those allowed to do so, but organisations also need to make sure that data can be accessed when it is required. Confidentiality is often breached when emails are sent, accidentally or intentionally, to people who should not be seeing them, or when emails are sent before information should be made public. Mr Baar says staff should be trained in the use of email, helping them understand what information is sensitive.
"Have black and white lists, where the server stops sending out and/or receiving emails to or from certain places," he says. "Have word searches in outbound emails to ensure that sensitive information isn't disclosed, accidentally or intentionally. Mark the information physically or electronically with its security classification."
Attachments could be protected from email disclosure by having Access Control List entries that allowed them to be sent or blocked depending on the classification and destination of the information, he says.
Cybertrust security consultant Andrew Walls says that the "number one issue" for organisations is classification of their data. Is it important that some data remains confidential, no matter whether its integrity is critical or how important it is to have the information readily accessible?
"The critical thing is for business to say what is important, then apply security controls. What role does the data play in an organisation's plans, including its profitability? How important is that information?" he says.
"At a simple level decide what is a secret, and what is not. If it is a secret, talk to us before accessing it or publishing it," Mr Walls says. "Don't expect the IT security people to make these decisions; classifying the data is a business decision."
Mr Walls says the Australian Government has five tiers of classification: public data, internal use only, confidential, protected and highly protected. At each tier a decision is made on how important are confidentiality, integrity and availability.
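The outbound email controls described above (destination block lists, word searches, classification markings and per-destination rules for attachments) can be combined into a single gateway check using the five tiers just listed. The Python below is an added example, not code from the article or from anyone quoted in it; the domains, the `X-Classification` header, the `[CLASSIFICATION: ...]` marking format and every policy value are assumptions made for illustration.

```python
"""Outbound mail gate: block list, word search, classification marking, attachment ACL."""
import re
from email.message import EmailMessage
from email.utils import getaddresses

# The five tiers named in the article, lowest to highest.
TIERS = ["public", "internal use only", "confidential", "protected", "highly protected"]
RANK = {name: i for i, name in enumerate(TIERS)}

# Constructed policy values (assumptions, not taken from any real deployment).
BLOCKED_DOMAINS = {"rival.example"}
DESTINATION_CEILING = {            # ACL: highest tier a destination may receive
    "corp.example": "highly protected",
    "auditor.example": "confidential",
}
DEFAULT_CEILING = "public"         # unknown destinations get public data only
SENSITIVE_TERMS = ("redundancy list", "market research", "clinical trial")
MARKING = re.compile(r"\[CLASSIFICATION:\s*([^\]]+?)\s*\]", re.IGNORECASE)
HEADER = "X-Classification"        # hypothetical header carrying the electronic marking


def tier_of(text, header=None):
    """Highest tier marked on an item, None if unmarked; unknown labels fail closed."""
    labels = [m.lower() for m in MARKING.findall(text)]
    if header:
        labels.append(header.strip().lower())
    if not labels:
        return None
    return max((l if l in RANK else TIERS[-1] for l in labels), key=RANK.get)


def items_of(msg):
    """Yield (name, text) for the plain-text body and every attachment."""
    body = msg.get_body(preferencelist=("plain",))
    yield "body", body.get_content() if body else ""
    for part in msg.iter_attachments():
        content = part.get_content()
        if isinstance(content, bytes):
            content = content.decode("utf-8", errors="replace")
        yield part.get_filename() or "attachment", str(content)


def evaluate(msg):
    """Return (verdict, reasons); verdict is 'block', 'quarantine' or 'deliver'."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    domains = sorted({a.rsplit("@", 1)[1].lower()
                      for _, a in getaddresses(headers) if "@" in a})
    blocks = [f"{d}: destination is on the block list"
              for d in domains if d in BLOCKED_DOMAINS]
    holds = []
    for name, text in items_of(msg):
        # The message header marks the body; attachments carry their own marking.
        tier = tier_of(text, msg.get(HEADER) if name == "body" else None)
        if tier is None:
            # Word search catches sensitive material that nobody classified.
            hits = [t for t in SENSITIVE_TERMS if t in text.lower()]
            if hits:
                holds.append(f"{name}: unmarked but mentions {', '.join(hits)}")
            continue
        for d in domains:
            ceiling = DESTINATION_CEILING.get(d, DEFAULT_CEILING)
            if RANK[tier] > RANK[ceiling]:
                blocks.append(f"{name}: '{tier}' exceeds '{ceiling}' ceiling for {d}")
    if blocks:
        return "block", blocks
    return ("quarantine", holds) if holds else ("deliver", [])


def build(to, body, classification=None, attachments=()):
    """Construct a sample message (all addresses and contents are made up)."""
    msg = EmailMessage()
    msg["From"] = "analyst@corp.example"
    msg["To"] = to
    msg["Subject"] = "constructed sample"
    if classification:
        msg[HEADER] = classification
    msg.set_content(body)
    for filename, text in attachments:
        msg.add_attachment(text, filename=filename)
    return msg


if __name__ == "__main__":
    samples = [
        build("partner@auditor.example", "Quarterly figures attached.", "confidential"),
        build("friend@webmail.example", "Here is the draft redundancy list."),
        build("partner@auditor.example", "See attached.", "internal use only",
              [("trial.txt", "[CLASSIFICATION: Protected]\nPhase II results")]),
    ]
    for sample in samples:
        print(sample["To"], evaluate(sample))
```

Unknown destinations default to the lowest ceiling and unrecognised labels are treated as the highest tier, so a gap in the policy table stops mail rather than releasing it.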
Mr Baar says the proper use of information standards, such as AS/NZS4360, a risk management standard, would provide a much better basis for decision making. "Poor risk analysis means that the real risks, likelihoods and consequences are not known in detail, therefore the real losses are also unknown," he says. Often, risk was simply wrongly estimated.
Symantec systems engineering manager Paul Lancaster agrees that compliance is not just about the data, but its integrity and availability. Compliance means adhering to regulations that affect a business and what that means for its data storage systems.
"Data loss occurs when it can't be accessed," says Mr Lancaster. "Organisations have their own products and services they deliver as a business and the data behind that is key. Not having the ability to obtain data to show the public that their data is intact, with no integrity loss, can be detrimental to a business."
Backing up is one obvious strategy, but how many organisations do this critical task properly?
Mr Baar says people do back-ups and they usually work. "But most people don't verify that their back-ups have worked; that is, restore the data to see if it worked, as sometimes you can't read a back-up." Back-ups sometimes were not comprehensive enough, missing critical files or directories.
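Verifying a back-up in the way described here means restoring it somewhere else and comparing the result with a record of what should be there. The Python below is an added example, not code from the article or from anyone quoted in it; the file names, directory layout and the choice of a `.tar.gz` archive with a SHA-256 manifest are assumptions, and the sample data is constructed.

```python
"""Verify a back-up by restoring it to scratch space and comparing it with a manifest."""
import hashlib
import shutil
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_of(root):
    """Map every file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def back_up(root, archive, skip=()):
    """Write root to a .tar.gz; `skip` simulates a job that misses directories."""
    root = Path(root)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest_of(root):
            if not any(rel == s or rel.startswith(s + "/") for s in skip):
                tar.add(root / rel, arcname=rel)


def restore(archive, dest):
    """Restore regular files only, skipping member names that escape dest."""
    dest = Path(dest).resolve()
    with tarfile.open(archive, "r:*") as tar:
        for member in tar:
            target = (dest / member.name).resolve()
            if not member.isfile() or dest not in target.parents:
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with tar.extractfile(member) as src, open(target, "wb") as out:
                shutil.copyfileobj(src, out)


def verify_by_restore(archive, expected):
    """Restore the archive and report what differs from the expected manifest."""
    report = {"readable": True, "missing": [], "corrupted": [], "ok": False}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            restore(archive, scratch)
        except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
            # "Sometimes you can't read a back-up": report it instead of crashing.
            report.update(readable=False, error=f"{type(exc).__name__}: {exc}")
            return report
        restored = manifest_of(scratch)
    report["missing"] = sorted(set(expected) - set(restored))
    report["corrupted"] = sorted(p for p in expected
                                 if p in restored and restored[p] != expected[p])
    report["ok"] = not report["missing"] and not report["corrupted"]
    return report


def demo():
    """Run three constructed cases: complete, incomplete and truncated back-ups."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "data"
        (src / "finance").mkdir(parents=True)
        (src / "research").mkdir()
        (src / "finance" / "ledger.csv").write_text("id,amount\n1,100\n" * 200)
        (src / "research" / "trial.csv").write_text("subject,result\n7,ok\n" * 200)
        expected = manifest_of(src)   # taken from the live data at back-up time

        full, partial, cut = work / "full.tgz", work / "partial.tgz", work / "cut.tgz"
        back_up(src, full)
        back_up(src, partial, skip=("research",))          # misses a directory
        cut.write_bytes(full.read_bytes()[: full.stat().st_size // 2])  # damaged media
        return {name: verify_by_restore(archive, expected)
                for name, archive in (("full", full), ("partial", partial), ("cut", cut))}


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

The incomplete archive opens and restores without any error, which is why the comparison against the manifest, and not the exit status of the back-up job, is the check that matters.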
Mr Lancaster says an example of compliance procedures not being met was when back-up tapes were overwritten and reused to store new data, "especially if the data is to be kept for 25 years. There have to be strong internal guidelines as to how a business checks the integrity of data and the recovery process of data."
Mr Baar says staff training is essential to reduce the incidence of "stupid mistakes," such as deleting a whole file set instead of purging multiple copies, or allowing devices to be taken off-site without appropriate authorisation.
He cites a case at Australian Customs in 2003, when two men posing as computer technicians entered the cargo processing and intelligence centre at Sydney International Airport. They were given access to the top-security mainframe room where they disconnected two computers and wheeled them out of the room past the security desk and out of the building.
So what should organisations do to keep their data confidential, uncorrupted, and available?
Mr Baar says most hospitals in NSW have multiple secure systems, with servers in two locations to keep patient records secure. There is also "role-based security access" where only certain people can access or alter information, for example where a nurse can read or annotate a patient record, but not delete or create one, or where administration can create a record, but not add information.
The Justice Department and offices of state and federal attorneys-general are "paranoid about leakage," says Mr Baar. For example, witness protection program lists are closely guarded, and kept on a computer system accessible to only a few, not including the systems administrator.
Macquarie Telecom is one of the most highly certified commercial data centres in the Asia Pacific region. It has Defence Signals Directorate (DSD) certification for its internet gateway service for Australian Commonwealth customers. The gateway provides protection from external threats appropriate for systems and data.
National security information, such as used by the Cabinet and Prime Minister's offices, is carried on a private secure network, says Mr Baar. "The data centre is locked down - its physical security configuration has met ASIO T4 requirements." It also follows procedures to obtain ISO 17799 Information Security Management System certification.
"Everyone on a computer in a secured area can be recorded on video. All staff have ASIO security checks."
Pharmaceutical companies are "bristling with physical security controls", says Mr Walls. They have millions of dollars invested in the research and development of their drugs and guard their design information carefully, with physical and procedural controls. PDAs and mobile phones with cameras are usually banned.
"Their information is a major corporate asset," he says. "It cannot be allowed to leave the company until it is patented or copyrighted."
Keeping research data confidential is one thing, corruption or loss of integrity in the data is another.
Mr Walls says an extreme case would be getting a new drug accepted by the Australian Government. The company might have invested 10 years of research and development to reach a point where authorities would accept data from tests and clinical trials.
"If the validity of the data is questioned, then 10 years have been lost," he says. "To recreate the data in a clinical trial would cost millions of dollars, and a few thousand for a lab test. But it's when the information is irretrievable that it's costly."
Pharmaceutical companies have high security networks, cut off from all other networks. They encrypt their entire networks, "down to the hardware," Mr Walls says. "If someone is working on something that isn't encrypted, they'll stand out. This approach is being adopted more and more by companies.
"Islands of security don't work in a sea of insecurity. In critical environments, we will encrypt everything," he says.
But not all security is electronic. Physical protection remains relevant, Mr Walls says.
If data is to be stored for a long time it may be better to lock it in a safe rather than encrypt it, because staff changes and "someone needs the keys to unlock encrypted data". If data is needed in a court case and it can't be decrypted, then courts will "assume that you are deliberately hiding it, are incompetent (therefore not allowed to be a company director), or obstructing justice," Mr Walls says.
Mr Lancaster notes that, in the US, companies are fined tens of millions of dollars when they are unable to provide data required by a court, something not yet seen in Australia.
Identity theft is a more common problem in Australia, Mr Lancaster says, with fraudsters trying to access laptops and servers to get credit card details or personal information.
"Online banking is a key target for security breaches," Mr Lancaster says. "Users need to know that they (are connected to) the real banking online site."
Mobility is increasing the problem, he says. It means the walls of a corporation are becoming increasingly permeable. Laptops could be mislaid in the field, or stolen from cars. How does a company balance the need for such tools with security concerns?
"Any PC or laptop that goes outside an organisation should have a file system that is encrypted," he says. "Otherwise (a thief) can just bypass the password by ripping out the hard drive and putting it into another machine to read it."
Mr Lancaster says that, with 250 million smart phones in the market, mobile devices need the same security infrastructure, such as firewalls and Virtual Private Network access.
It also comes down to what the telcos are doing, he says. "There has to be a degree of lockdown at their end to secure devices. They need to have intrusion detection, firewall device, anti-virus, and instant messaging security".
And then there is the human factor. "Data loss occurs primarily because of people," says Mr Baar. "Most information loss is through inappropriate behaviour - someone talking about it in the pub or a lift, for instance. People could go to a cafe with, say, patient records and leave them behind."
Employers may have ASIO checks and security clearances for their staff but what about the cleaning staff? And what if there's a last-minute replacement? A cleaner could easily slip into an office where sensitive material was stored unencrypted.
"Everybody always underestimates the likelihood of data theft. It is usually unreported, which (distorts data on occurrences) but given the choice of attempting to hack an organisation from the outside or getting inside to its soft centre, you would always take the easiest option. External hacking is uncommon now, because it is too difficult. It's easier to find an insider through money or threats," Mr Baar says.
What about disgruntled employees taking information with them when they leave the company? Mr Lancaster says data needs to be locked down. Departments should be able to retrieve only their own documents. Finally, says Mr Walls, organisations should not reveal their security controls to their own personnel.
The Principles of Corporate Security
Every company's objective is profitable business operations. The operating environment for companies has become more challenging not only through globalisation and harder competition but also due to linking and networking of operations.
Security is increasingly important in improving productivity, building a company's competitiveness and setting business objectives. Particularly when a commitment to security is included in a company's business principles or as part of social responsibility, the company must have a concrete action programme to support it.
Business objectives must always guide a company's security work. Competitiveness and security are not opposites; security is a key prerequisite of competitiveness and an important part of quality business activity.
Corporate security refers to a company's total management of security matters. It is part of the daily corporate operations which are the responsibility of management and which safeguard the legal basis for the company's activities, trouble-free operations, production and services, continuity and a safe operating environment.
Practical corporate security work consists of preventive action which protects a company's personnel, property, information, environment and reputation from accidents, damage or criminal activity. Corporate security, therefore, is a natural part of a company's risk management process.
The purpose of corporate security work is to improve productivity and to support a company's competitiveness by minimising uncontrollable security risks and by improving operational preparedness in case of accident, danger and damage.
Statutory security work to safeguard a company's operational prerequisites is not an activity dependent on business cycles. Nevertheless, statutory requirements provide for many companies only a minimum level of corporate security.
Voluntary and goal-oriented preventive investment in corporate security brings added value to a company's operations when the security of the business and working environment is enhanced, production and service continues uninterrupted and accident risks are under control. These matters, moreover, have a positive impact on a company's resource management, external image and competitiveness.
A company's owners, management, customers and other important interest groups dictate their own objectives and requirements to business operations and corporate security.
In a networked operating environment, corporate security activities must increasingly meet contractually binding content and quality requirements - in subcontracting chains, for example.
In respect of security work carried out within a company or organisation's management activity, the term security management is also used. The challenge of security management particularly involves the establishment of good cooperation with the authorities as well as open communication, i.e. the management of a company's serious disturbances as part of ensuring the continuity of operations.
Corporate security is naturally implemented in everyday work within operational management systems as well as work and operational guidelines. In corporate activity development projects, special attention must be paid to corporate security when new or altered security risks are connected with products and services and when new tools are developed to support the company's management.
The correct assignment of corporate security responsibilities among personnel is one of the key aspects of an effective security procedure. The company's management, moreover, is always ultimately responsible for corporate security. The managing director's task is to arrange the necessary resources for corporate security activity and to decide the extent to which the company needs its own corporate security expertise.
Supervisors responsible for business performance are also responsible for their business unit's corporate security. In this, special expertise in corporate security is needed to assist the line organisation.
Corporate security experts have special expertise in the use of the line organisation, and responsibility for the organisation cannot be transferred to them anomalously. Legal responsibility always rests with the company's management and expert responsibility with the corporate security experts.
Personnel who work for the company also carry out the security work required of them. Corporate security is an issue for all personnel. Productive development of the corporate security culture and of the personnel's security thinking succeeds only with goal-directed and systematic security training.
The basis of corporate security work is a corporate security policy or a set of general principles, a corporate security action programme with detailed assignment of responsibilities, unit and subarea operational guidelines that cover corporate security issues, indicators that measure operations and their results, and a reporting system.
The Board of Corporate Security (Annex 3) has been involved in various reports and studies connected with corporate security. The basic message which these studies give to companies is:
- Corporate security is an important part of a company's management and competitiveness.
- Personnel play a key role and for that reason great attention should be paid to security attitudes by improving awareness, familiarisation, education and practical training.
- Security and a sense of security have a significant impact on a person's behaviour both in leisure time and at the workplace. A security culture to which all personnel are committed creates an opportunity to use human resources effectively, because operational efficiency can be realised only in security conditions and a secure environment.
- Each company has its own individual security profile and that's why it must itself consider its own operating model, taking its own operations and operating environment into account. (Annex 2)
Companies face increased crime-related risks as a consequence of growth in drug use, violence, financial and data crime, as well as the internationalisation and increasingly professional nature of criminality. Moreover, the risk of personnel becoming involved in violent situations has increased, particularly in service industry jobs.
This increases the importance of good cooperation with the authorities and other interest groups, both regionally and locally. Recommended tools in this work are various partnership agreements between companies and official bodies in preventing accidents and damage as well as in crime prevention.
The Board of Corporate Security wishes to draw the attention of corporate management to the strategic importance of corporate security for business operations and to the comprehensive implementation of corporate security.
The sub areas of corporate security, their main content and official contacts are outlined in Annex 1.
The Board of Corporate Security recommends that a manager with overall responsibility for corporate security be appointed to corporate management bodies and that a corporate security programme be prepared in companies.
The Board's recommendation for the content of such a programme is given in Annex 2.
The recommendation does not replace statutory obligations in different sub areas; it stresses the comprehensive implementation of corporate security and its importance in supporting business operations.
The duties of the manager in charge of security may be handled alongside the manager's own work or alternatively on a full-time basis, depending on the size of the company and its field of business. The key point is that corporate security matters are included within the area of responsibility of someone belonging to corporate management and that these matters are handled using established procedures.
In practice, corporate security is often included within the area of responsibility and job description of the managing director. The other statutory duties connected with the field of security can, if necessary, be combined with the security manager's tasks.

