
IT Governance, Risk and Compliance Management


Success Stories


BUILDING CONTROL

Implementation of the information security office in Xerox's Brazilian unit emphasizes the importance of following adequate rules and practices.

Impelled by the scenarios set by the terrorist attacks to the United States in 2001 and 2002, which spread fear throughout the world, Xerox made a worldwide decision to improve security measures and policies in all of its branches. This plan also included a Business Continuity Plan (BCP).

In Brazil, the implementation of the new model was made easier by the insecurity that had prevailed in most companies after watching the mishaps of several organizations, which simply disappeared for having neglected contingency plans and business continuity plans, as well as various security procedures.

Arnaldo Cadena, Information Technology, Information Security, and Architecture manager at Xerox Brazil, who was assigned the task of implementing the new security office in the country, recalls that in mid-2003 he embraced the cause of banishing fear and defined two initial guidelines: showing employees the value of information, and implementing an awareness campaign among users and partners on the importance of information security. "We did not adopt a policy of obligation, but one of sensitization".

Imperatives of the new model
  • Development of a Master Information Security Plan;
  • Compliance with regulatory agencies, with national and international laws and standards such as Sarbanes Oxley, ISO 17799, Cobit, etc;
  • Implementation of a Business Continuity Plan;
  • Compliance with corporate guidelines;
  • Compliance with internal and external audits;
  • Implementation of the information security office;
  • Choice of an internationally renowned, certified partner with proven experience, knowledge, and methodology;
  • Compliance with corporate information security policies;
  • Use of internal marketing for information security.

We chose to implement the office using an outsourced third-party model, including an internal structure with trained employees and an approved international partner selected according to the following requirements: use of modern methodology, proven certification, solid knowledge of both technology and solutions, availability of tools for risk assessment and analysis, a commitment to take risks in the face of the results presented, and a variable-cost offering. Modulo was chosen among the six candidate companies.

The second stage was to define the risk management framework, considering the Sarbanes-Oxley Act, information security, and internal control metrics. "Our mission was to support the internal controls areas, since they do not have technical knowledge on security standards or policies. We provided all the assistance they needed regarding information", says Cadena, also highlighting the importance of the office in the revision, correction and documentation of processes and in implementing controls for critical areas. Xerox Brazil's Master Information Security Plan included compliance with security policies, maturity, systems development, implementation of projects, compliance with the Sarbanes-Oxley Act and balanced scorecards. In addition, we designed an internal marketing plan for information security, the business continuity plan, risk analysis and penetration tests, and centralized access control.

To promote security policies among its employees, Xerox used an internal marketing campaign.

In this package, the central aim was to reduce the general risk level to a minimum. To that end, we implemented backup procedures for servers, links and many other assets within a range of defined standards, as well as the use of Risk Manager, developed by Modulo. Cadena summarizes: "In this way we guaranteed the proper conditions for business recovery if necessary". The marketing campaign increased employees' sensitivity to security rules and policies. It included a letter from the president to all the staff, the publication of electronic newsletters, and a NewsBoard. We even organized a theater play on the topic. Access control was implemented based on the following guidelines: a centralized process for analyzing function usage, an approval flow, and responsibility matrices for access to information, among others.

After this implementation effort on the security office and its operations, and thanks to the results it has produced, Xerox Corp. has recognized the Brazilian unit as a model regarding information security, to be followed by all its subsidiaries throughout the world. And there is more to come. Last year, the SOX audit was successfully concluded and the Disaster Recovery Plan (DRP) was also successfully implemented and tested.
