10.07.2015 Views

Draft Security Manual for Private Industry


20130626_Assocham_Rahul Gangal.pptx

Draft Security Manual for Private Industry
Key issues and approach
June, 2013


OUR ACHIEVEMENTS: We deliver tangible results – deep transformation of our clients' business model
Roland Berger experiences in 2011/2012 - Extract

STRATEGY & M&A / NEW COLLABORATIVE MODELS / SUPPORT AND SERVICES
> Growth options for a Tier-1 supplier
> Strategic review in the field of Cabin Interior
> Market assessment for a new service offerings to Airlines
> Strategic review of an Aerostructures Tier-1
> Strategic plan for a new business of a A&D Tier-1 supplier
> Strategic review of an A&D Engineering Service Provider
> Securing of a strategic bid for a Systems Integrator
> M&A scenarios for a Tier-1 in Aerostructures
> Due diligences for Private Equity funds on A&D Engineering Service Providers
> More than 12 Joint Improvement Plans between an aircraft OEM and a Tier-1 on key critical development programs
> Design of collaborative business models
> Implementation of supplier support in aircraft manufacturer FAL to support ramp-up
> Supply Chain Readiness for industrialization for a major Systems provider
> Design of convergence plans between OEM and Tier-1
> Strategic reviews / growth plans in the areas of Support and Services
> Development of Support & Services offer for a key military programme
> Set-up of Joint Ventures in the area of Support and Services
> Post Merger Integration in Services business for an Aerospace platformist
> Ramp-up of MRO activities for an OEM

OPERATIONS / PROGRAMME MANAGEMENT / ORGANIZATION
> (Re)design-to-cost projects for OEMs and Tier-1s
> Industrialization and manufacturing ramp-up preparation
> Deployment of a modular platform policy for a leading Cabin supplier
> Full strategic and operational review of an Engine manufacturer
> Transformation plan for an Aerostructure Tier-1 supplier
> Recovery plan to meet Entry Into Service planning target
> Marketing & Sales optimization for a Tier-1 supplier
> Engineering efficiency plan for leading aircraft manufacturer
> Ramp-up securing plan for a large Tier-1 System Supplier
> Recovery plans at different stages
> Optimization of Planning on a major aeronautic program
> New planning principles for a military aircraft manufacturer
> Impact assessment of planning drift on a Space program
> Recovery plan to reach technical performance target on a major aeronautic program
> Cost @ Completion optimization project
> Deployment of a Programme Management function at a major Tier-1
> Benchmarking of Support & Services organizations in Aerospace and adjacent industries
> Organization of supplier management (Engineering and Industrial activities)
> Plateau organization in FAL to support industrial ramp up
> Reorganisation of the Finance and Control function of a Prime
> Reorganisation of the Engineering Centre of Excellence of a Space Prime
> International Engineering footprint strategy


Background to the issue: Need for a security guideline is well established
The current issue is largely an operational issue but one that is holding up business

Security assessments are now proposed by the MHA for all industrial licence applicants
> These guidelines are still under promulgation
> Under the structure envisaged, MHA will be required to do a "Security Assessment"
> As a result of this, a significant number of IL applications are held up for clearance
> There is a need for industry dialogue to help create a better understanding and appreciation of issues
> From a global perspective, a recent study found that OEMs allocate nearly 2-3% of their annual turnover to maintain security (including data and personnel security)


Security Guidelines for Private Manufacturers: What is the global experience on the same?
Need for a security guideline is well established

Well established global process for all units addressing strategic manufacturing needs
> Globally these guidelines encompass
– Physical Security
– Data Security
– Personnel Security
– Vulnerability and Risk Assessment
– Business Continuity Measures
> Globally these guidelines are
– Clear and Established ✓
– Understood ✓
– Non-negotiable ✓
– Self Certified and Auditable ✓
– With extremely high penalties for violations ✓


Security Guidelines for Private Manufacturers: What is the global experience on the same?
Need for a security guideline is well established

Well established global process for all units addressing strategic manufacturing needs
> Globally these guidelines encompass
– Physical Security
– Data Security
– Personnel Security
– Vulnerability and Risk Assessment
– Business Continuity Measures
> Globally these guidelines are
– Clear, Established and Understood ✓
– Built into the business cases of Companies ✓
– Non-negotiable ✓
– Self Certified and Auditable ✓
– With extremely high penalties for violations ✓

NOT THE ISSUE / THE ISSUE




Security Guidelines for Private Manufacturers: Nature of the issue explained
There are primarily three key questions that emerge

Issue 1
IL is sought by a variety of firms with differing levels of 'sensitivity' of delivered product
> Components to Full Systems
> Services to Manufacturing

Issue 2
Security Guidelines came as an add-on requirement much after most firms had already concluded their discussions with foreign partners and had applied for JVs
> It is causing an inordinate delay in the IL process
> For some firms, their current security arrangements are already on par with global requirements; they too are stuck

Issue 3
Issue of cost of implementation of guidelines. Cost needs to be built into the business case
> What happens to companies for whom Defence related production is only a small subset of their overall production

What are the differing standards required for different classes of firms
Whilst self certification and an Affidavit stating intent to comply upon notification is a quick-fix, a lot of firms are held up
How to ensure costs of compliance are factored in the business case or mitigated


Assocham Recommendations on Security Guidelines for Private Manufacturers

Physical Security
Criteria: Superior, Advanced, Basic

Physical Security on the Perimeter
– Superior: Single wall (12 feet) with barbed wire fencing and track upfront.
– Advanced: Single wall (8 feet) with barbed wire fencing.
– Basic: Perimetric Wall with barbed wire fencing on top in cases of independent units. For units operating out of shared commercial spaces, defined space with its perimetric control.

Perimetric Control
– Superior: Perimeter and entry/exit points lighting and video streaming by surveillance cameras to Control Room.
– Advanced: Perimeter and entry/exit points lighting and video streaming by surveillance cameras to Control Room.
– Basic: Perimeter and entry/exit points lighting.

Surveillance & Monitoring
– Superior: 24X7 Video Monitoring, Recording and Archival. Full campus outdoor and each room in buildings/workshop under surveillance.
– Advanced: 24X7 Video Monitoring. Each room in buildings/workshop under surveillance.
– Basic: Specific areas in building/workshop under surveillance.

Access Control
– Superior: ANPR & Continuous Video analytics – stationary object, fire etc. including data recording and archival. Biometric access control to each room of each building/workshop areas with intruder alarm with data logs of Access.
– Advanced: Electronic access control to large defined spaces (manufacturing zone, warehouse, Office space etc.) with data logs.
– Basic: Key based access control with register in all rooms recording entry and exit.


Assocham Recommendations on Security Guidelines for Private Manufacturers

Perimetric and Access Control
Criteria: Superior, Advanced, Basic

Control Center
– Superior: Control Room with monitoring, recording for 30 days and replaying facility. Access control monitoring and card management. Communication to Management and Responders.
– Advanced: Control Room with monitoring, recording for 10 days and replaying facility. Access control monitoring and card management. Communication to Management and Responders.
– Basic: Control Room with monitoring. Communication to Management and Responders.

Data Security
Criteria: Superior, Advanced, Basic
Data Security: ISO 27001 Compliant, ISO 27001 Compliant

Security - Personnel
Criteria: Superior, Advanced, Basic
Data Security: ISO 27001 Compliant, ISO 27001 Compliant


Assocham Recommendations on Security Guidelines for Private Manufacturers

Security - Personnel
Criteria: Superior, Advanced, Basic

Security Personnel
– Superior: Chief Security Officer reporting to MD. Perimeter Patrol. Entry/Exit Gates. Quick Response Team including Fire Fighting. Control Room Manning, 24x7. Medics. IT Security Head.
– Advanced: Chief Security Officer reporting to MD. Entry/Exit Gates. Quick Response Team including Fire Fighting. Control Room Manning, 24x7. IT Security Head.
– Basic: Chief Security Officer reporting to MD and manning control room. Entry/Exit Gates. IT Security Head.

Employees Security Clearance
– Directors: Superior Yes, Advanced Yes, Basic Yes
– Employees: Superior Yes, Advanced No, Basic No
– Consultants: Superior Yes, Advanced Yes, Basic No


Security Guidelines for Private Manufacturers: Way Forward
Approaches that work… Globally… and could work in India as well

> Promulgate the Guidelines and make them public. Also define the penalties
> Companies can plan their security investments and build them into their business cases
> Provide a tiered approach to requirement of Security Infrastructure
> We have recommended a three tier approach: Basic, Advanced, Superior
> The assessment of which bucket an Assessee company falls in should be done at the time of the Security Audit which the MHA conducts currently in the early part of the Industrial licence process
> Make the implementation of the guidelines easy
> Companies should be able to create the Security Infrastructure and self certify
> DOMW or a designated MHA department should be designated to have the powers to conduct security audit and validate the process
> Some companies, depending upon an environmental perception of risk, could be asked to start commercial production only after a security audit by the designated security agency
> Security certifications should be valid for a period of 2 years
> Companies found defaulting should be debarred from the production activity of the specific item for which IL is sought


It's character that creates impact!
