Margaret Levine, corporate security manager at Georgia Power, has found ways to convert the necessary burden of regulation into a bounty of physical security data for the electric utility.
Margaret Levine, Georgia Power
Metrics insight: Scorekeeping on government regulations compliance yields valuable performance measures.
Levine must demonstrate that Georgia Power, the largest subsidiary of Southern, the $11.3 billion regional utility based in Atlanta, complies with federal regulations. Her security group does that by completing security audits to make sure that the protected areas at plants and substations are indeed protected.
"We have reports documenting that the people who have access to those areas have legitimate reasons to be there," Levine says.
A second metric for Levine comes from a combination of readiness reviews and penetration testing.
Readiness reviews are planned events and are a key component of Georgia Power's business continuity program. The reviews assess whether employees and site security professionals at a particular facility understand that facility's threat plans and know what to do when the threat level is raised or lowered. Readiness reviews also include interviews with local managers about facility security; an audit of procedures and documentation related to security requirements; an evaluation of the facility's physical security program; and a review of its emergency action plan.
At the end of each review, Levine's office writes a report for the facility manager that highlights findings, best practices and recommendations.
For readiness reviews, Levine sends a pre-announced team of security professionals to do security audits of all critical facilities and operations (though she declines to list what types of facilities those are).
In addition, penetration testing attempts to breach security, procedurally, technologically or physically, to determine whether the security program is functioning as it should, she says. "We may have someone try to walk through a facility without wearing a badge to see how far they can get before being challenged," Levine says. "Or we may have someone see if they can talk their way around our delivery processing requirements."
Results Reports
Results are reported in two ways. First is what Levine calls the "objective, scenario, outcome": Here's what Georgia Power was testing (for example, the effectiveness of visitor management personnel); here's how security tested it (use of outdated or fake identification credentials); and here's what happened. "The results are reported by comparing the test outcome with the test objective, in addition to including a description of how the test was carried out," Levine says.
After collecting results, Levine's group tracks the physical and technical security measures at each location to ensure that they are functioning properly. Physical security measures include perimeter barriers, lighting, locking devices and key controls, and signage. Technical security measures include intrusion alarms, closed circuit television and other monitoring devices, access control and visitor management systems.
"We would want to make sure that the security folks onsite knew what to do in the event of raising the threat level or a breach of security," Levine says, "and also have a good awareness of security protocol and who they could go to if a breach did occur."
Tracking Trends
Incident trends and loss trends are next on Georgia Power's metrics list. Levine says that it's critical to be able to demonstrate that a CSO's security program is a significant mitigating factor in preventing increased incidents and losses. Levine can compare incidents by quarter, year-to-year and across multiple years. She can note the changes in the number and frequency of incidents by type of incident (for example, thefts, threats against employees or sabotage), by line of business (generation, transmission, distribution, staff services) or by location. She follows the same process for tracking losses; she tracks property and monetary losses. The key, she says, is if you're not able to prevent losses, then "you can demonstrate an ability to quickly pinpoint where the weakness was and put in place the appropriate stopgap measures."
Levine adds that metrics must be more than in-house security tools; they have to be relevant to the people she supports: business executives, plant operators, substation engineers, customer service managers. Her reports must contain information that is important to them, not just to security managers. Doing this, Levine says, "also enables us to educate them about things that are important from our perspective, and in that give-and-take process we're able to validate the measures that we're using."
Depending on the type of data and compliance requirements, Levine metrics monthly, quarterly or yearly.
Levine considers two other factors when collecting data for metrics. The first is how Georgia Power compares to other utilities. And the second is data quality.
Levine says Georgia Power collaborates on metrics reviews with other security managers from within Southern's 12 operating companies. (Besides Georgia Power, there are four electric utilities and companies in wholesale power, power generation management, natural gas, nuclear power and energy services. Southern also owns a wireless company and a fiber optics business.)
As for data quality, Levine says that it's important to watch out for the equivalent of scorekeeping changes. She says Georgia Power recently transitioned from a 10-year-old case management system to a new system developed last year by Southern's security managers.
"To make an apples-to-apples comparison between the old and the new, we have to select a specific subcategory (for example, larceny) in the new system," Levine says. "Otherwise, the analysis, larceny versus financial matters, would show that we'd had a crime wave at Georgia Power." And that's the last thing that Levine's executives want to hear.