Phase 1 - Assessment
In the first phase, data on the existing systems is collected and analysed. An onsite assessment of the physical and environmental security is completed, including the production or server room, for example. Next, a Service Level Agreement is evaluated to ensure that all IT systems meet the business requirements for availability. Finally, an IT Security Assessment is completed to review relevant controls regarding IT/OT Security based on ISO27002, CIS20 and IEC62443.
Phase 2 - Reporting
Findings, conclusions and recommendations for improvement and, if any, future CAPEX investments are then collected and evaluated in Phase 2. In this stage, the average score from the IT Security Assessment for all factories will be summarised for benchmarking and reporting.
Phase 3 - Site Level Agreement
In the final stage of the Factory IT assessment, the report is presented to the factory and relevant stakeholders. Here, all IT Service Management approved activities will be registered and assigned. A Site Level Agreement between the factory and the Global IT Factory Solutions team for the services provided is also presented.
The working relationship and areas of responsibility are defined and agreed upon in the Operational Level Agreement and any approved CAPEX investment will be applied for through due process. Finally, follow-up procedures are agreed upon to ensure successful implementation of the findings and conclusions of the assessment.
Getting to the next level
At Danish Crown, the processes are constantly evolving. As Lars Sleimann concludes, “From the technology perspective we need to be on top of our game, standard systems, with a high level of IT security, to ensure business continuity. Also, as in any company, IT must have a place at the board room level. This helps to ensure funding is in place as well as streamline decision-making for business-critical IT.
“Awareness is also key, employees need training and tools in order to understand and help protect the business from the risks involved during their daily work. In many ways these components are on the next level, as we must also focus on people and the business itself, not just hardware, to mitigate digital risks and cyber threats.”