Tokheim: the benefits of a progressive security plan
The Tokheim Group is a world leader in production and sales of petrol pump systems, payment terminals and multimedia systems. The Group also offers maintenance and support services via its vast global network.
As Tokheim grows, centralizes and opens up its information systems, controlling IT security-related risks has become increasingly imperative, leading the Group to define and implement a global IT security plan.
Five questions for Patrick Weisse, Head of Networks and Security for the Tokheim Group.
What have been the main stages in this project?
No project of this type can start without first defining a comprehensive vision of the information system: so our first task was to carry out a global audit of existing security for our IS, using an approach based on a CLUSIF* methodology. From this analysis, we were able to define 15 sub-projects, covering all the parameters linked to IS security, be they technical or organizational. We classified these by level of priority, enabling us to roll out our implementation for the overall plan gradually, while constantly aligning on our business priorities. The most important elements included fully mapping our information system (not just the different elements within it, but also all the application chains), implementing a disaster recovery plan, protecting nomad workstations, drawing up a back-up and restore policy, plus strategies for storage, physical security, and optimizing our authorization management processes, and technical audits. We also wanted to optimize and simplify our server administration, and consider virtualization and consolidation.
In parallel, we are working on our organization, and on building awareness among users: this is a key success factor for the project, and one we want to formalize by precisely defining roles, instances involved in IT security, and through a user contract.
We have been rolling out this plan for nearly 18 months now, and we are constantly enriching it through progression projects, jointly overseen by the IT department and the company’s senior management team. Even if business systems remain our priority, security has become everyone’s business: it is managed by everyone who uses our systems, and its effects are not just technical, but functional and even legal. That’s why we now talk about the ‘security ecosystem’.
At this stage of the project, what improvements have you been able to identify?
Generally speaking, the principal benefit is not financial ROI, but the capacity to anticipate and manage risk better. This is particularly important with regard to ‘regulatory’ requests (originating from our own customers or company management certification bodies such as the LNE in France) that we have to deal with. For example:
- Implementing formal procedures shared between teams: to optimize and secure standard tasks. The savings in time are tangible, and our teams are today acutely aware of this
- IT is the engine of every business. Taking security issues into account much earlier accelerates the completion of projects, and this is a real advantage for operational departments
- With the opening up of our IS and the growth of our business activities, we have to increasingly control risk. The uniformity of systems facilitates risk management and monitoring, and so makes them easier to control.
What are the key success factors for this kind of approach?
- The project must be supported by the company’s senior management, since it will have an impact on all the enterprise’s staff. Tokheim’s executive management team is very heavily involved, as are a number of departments
- You can’t have a security plan without a global vision of the enterprise: the IT department must have precise knowledge of what they have to secure and recover!
- Awareness-raising is the most important thing. For users, security remains an extra complication and a constraint: we have to help them understand how useful IT security can be to them
- Any new project must take security aspects into account as early as possible. It is essential to define best practices in a pragmatic, and above all, realistic way!
- It’s also important to know where you are headed: the breakdown of our project into discrete sub-projects and into avenues for progress has been one of the key elements of our success.
How has Bull helped in this approach?
Bull advised us when it came to defining and launching the project. The risk was that we became bogged down in something that was either too complex, or not sufficiently exhaustive. Thanks to Bull we have built an IT security plan that takes into account all the issues that affect risk reduction, whether it is a question of availability (including business continuity), integrity, confidentiality or proof. The other big ‘plus’ that Bull offers is its capacity to adapt to a medium-sized manufacturing environment with its own specific constraints.
Bull’s methodology has been invaluable, enabling us to build a progressive plan that is solid and realistic. Now we are able to move on to a phase of wider awareness-raising.
How are you capitalizing on this project?
France is now supporting other European countries in their deployment of similar action plans: this is a real opportunity to capitalize on the expertise we’ve acquired!
* CLUSIF is the French club for information security