In Depth

Harland Clarke Rechecks Risk Management

New security program adds more systematic processes for evaluating, prioritizing and mitigating risk

By Mary Brandel

October 16, 2007

CSO — Three and a half years ago, Harland Clarke Holdings' approach to security was very much in tune with its identity as a market-leading manufacturer of checks and check-related products for businesses and consumers. Security, according to John Petrie, chief information security officer at the San Antonio, Texas-based company, was a tactical concern that focused on the production processes in its nine plants throughout the U.S.

But that approach was becoming a bit old-fashioned as Harland Clarke expanded beyond its manufacturing roots, adding customer contact centers, direct response marketing services and electronic commerce capabilities to its offerings.

"There were issues around protecting electronic data, and our printing processes had changed over to the digital age, so there was a transformation that had occurred," Petrie says. "We knew we had to change our risk management structure."

That's why, when Petrie was asked to join the company in 2004, Harland Clarke (named Clarke American at the time) was on the brink of a CEO-driven reinvention, not just of the processes it used to make security and risk management decisions but also the way its entire culture viewed security. In order to retain its competitive position in the market, "we wanted to become a secure provider of checks and check-related services, versus just a manufacturer," Petrie says.

Meanwhile, by 2005, Harland Clarke's own customers—financial institutions—were demanding more security controls and risk programs from their suppliers, thanks to regulatory changes that required them to prove end-to-end security in their supply chains.

Three Priorities

The top three priorities of the new security program, Petrie says, included taking advantage of enterprisewide quality processes (the company won a Malcolm Baldrige National Quality Award in 2001); linking security and risk mitigation decision processes to the business's operating plan and strategic growth goals; and ingraining security into the mind-set and daily activities of Harland Clarke's employees. "We wanted to make sure security wasn't a thing that sits out there and functions on its own," Petrie says.

It was essential, Petrie says, to leverage Harland Clarke's quality program in the design of the security program, especially to enjoy the cost savings. "We were able to take advantage of the solutions we implemented for quality in the areas of identification, notification and prevention," he says. For example, in each plant there are personnel in charge of monitoring and maintaining quality processes. Now those same people are also responsible for determining whether events that could potentially affect quality might also impact security, such as changes to plant schedules or machine malfunctions.
