May 1, 2002 12:00 PM

Think "Big Five" accounting firm, and you might picture stuffy, Wall Street-types with ideas as rigid as their bow ties.

Although many of the financial assets handled by KPMG LLP ! U.S. member firm of KPMG Intl., which has more than 100,000 employees in 152 countries and $11.7 billion in FY '01 revenues ! indeed drive financial markets, the firm's approach to security is anything but staid.

Headquartered in New York, KPMG LLP takes a dynamic, flexible security approach that mirrors its corporate culture. Charles Steadman, partner in charge of firm-wide security, oversees the effort in America.

When Steadman joined KPMG as the firm's first security director in 1994, it was to build a security organization from the ground up. Amply qualified for the challenge ! he is a former president of the International Securities Managers Association and an attorney with more than a decade investigating white-collar crime for the FBI to his credit ! Steadman says he spent nearly a year learning the firm and its culture before making initial recommendations about physical and information security.

In the eight years since, Steadman has added five professionals to his inner security circle, including a director of investigations, a director of information management and an attorney. All of them are former law enforcement officials. He describes one of his key priorities as due diligence: "We must ensure our prospective clients are who they say they are and that their background and credentials are impeccable in order to pass our standard for new client acceptance," he explains.

KPMG's high-profile client list includes many Fortune 500 firms.

But how does such a small staff oversee security for KPMG's 17,000 employees in its 100-plus American office spaces? Through constant interaction and cooperation with other KPMG team members, says Steadman ! and more than a little technological and procedural prowess.

"Our biggest priority is protection of our clients' sensitive information," Steadman says. "The capital markets depend on the integrity of audited financial statements, and we have sensitive information from our public clients well in advance of release dates, so we must secure and protect it."

Steadman explains that one way the firm monitors security is by partnering with the firm's large information technology (IT) organization, based in Montvale, N.J. "Too many times complex information systems concentrate their security protections with 'moats and walls' around the perimeter of the networks," he says. "Like a Tootsie Roll Pop, this approach has a hard outer-shell, but a soft, easily-consumed interior if the outer shell is breached. At KPMG, our objective is to balance perimeter security with other protections to provide confidentiality, integrity and accountability for the information we use and store, while at the same time protecting the availability of and access to our networked information systems."

Another key player at KPMG is the firm's security committee. "Last spring, we established a firm security committee which I think is fairly unique in terms of organization," Steadman explains. "IT sits on it, as does HR, legal, operations services and partners from the audit and tax and advisory practices, and we meet at least four times a year in person and we talk constantly to address all our risk management and security needs. It works very well because every possible business unit within the firm is at the table as one team, and we can resolve any kind of issue."

Steadman believes in the value of partnership and describes security consulting firm Kroll Schiff and Associates (KSA), Bastrop, Texas, as a vital business partner. "They're in on every real estate project we have," he notes.

KSA began working with KPMG in the mid-1990s as well, and as KSA associate Carl Clopton describes it: "There were many different types and brands of systems installed at KPMG offices nationwide ! most of which were older and outdated with incompatible access card formats. There was little CCTV in place, and there were no consistent guidelines for planning, design or implementation of systems."

Since 1998, Clopton has managed the KPMG account on a full-time basis, and KSA has managed more than 100 security projects for KPMG nationwide, writing and maintaining equipment specifications and procedures for equipment deployment, and designing and upgrading physical security systems for the firm as it expands, remodels or leases office space ! which happens more often than you'd think. According to Steadman: "We establish and shut down offices depending on the market, and right now one of our biggest challenges is we've spun off our consulting practice as a public corporation, so we're trying to separate both physical space and systems from the practice." He adds that for security to keep pace with such changes, it must "know the client and be flexible."

Clopton says that fluidity is one of the challenging aspects of working with a firm as dynamic as KPMG. "Once lease negotiations are worked through, aggressive design and construction schedules must be met. KSA is able to meet those schedules by having developed guidelines to work from and by having close relationships with many security integrators who can bid projects and begin work very quickly," he explains.

He adds that KPMG maintains construction design teams led by director of architecture and construction Frank Erickson Jr. in the east and associate director of architecture and construction Mary Sutton in the west, which are assisted by architectural firms. "Through architectural, electronic, and operational coordination, KSA is able to design KPMG's security along with the space planning and design, rather than as an afterthought as so many other firms do. With Charlie's help, we all work together as a team," Clopton says.

Among KPMG's security integrators are: NetVersant, Orange, Calif., for the West; Siemens Building Technologies, Ft. Lauderdale, Fla., for the mid-Atlantic and Rocky Mountain regions; Issco, Westbury, N.Y., for the East; Advent, Chicago, for the Midwest; and SFI, Charlotte, N.C., for the Southeast.

NetVersant's role, for instance, was to install Casi-Rusco Secure Perfect systems and HID ThinLine readers at nine sites with 4,000 users on the West coast. NetVersant maintains the host in Los Angeles, which communicates to 12 to 13 remote sites, each with eight to 30 readers.

"Though the systems are currently integrated regionally, we are moving toward a completely integrated enterprise system coast to coast that will communicate over KPMG's LAN/WAN with an interface to their People Soft HR system," Clopton says. "The interface will provide automated management of a centralized national card access database." He notes that KPMG has standardized on Casi-Rusco for access control and that consultant program manager Perry Garvis is helping to make the enterprise system happen.

KPMG has also standardized on Sanyo high-resolution color mini-dome cameras and HID proximity cards and readers, and Clopton says that where possible, KPMG will have a "one-card solution" for entrances to buildings, elevators and KPMG suites. In recent and ongoing projects, he adds, KPMG is standardizing on Kalatel digital recorders.

Clopton says the nature of a financial firm with associates who travel often "presents a card access challenge." By standardizing proximity cards, employees can have one card programmed into any Casi-Rusco system. When an employee travels to a new KPMG site for the first time, a security administrator enters the existing card into the system. "It's a workable solution for now until all systems are integrated with the new database," he explains.

He notes that other recommendations KSA makes when possible include: fail-safe or fail-secure and tamper-resistant electromechanical mortise locks that interface with card readers; elevators equipped with card readers to control floor select buttons; access-controlled doors equipped with door management alarm units to discourage employees from propping doors and which may also be used in high security areas; exit alarm units for fire stair doors; Aiphone color video intercoms for deliveries and after-hours visitors; Ademco duress push buttons underneath reception desks, and Sentrol glass-break detectors in facilities where KPMG occupies the ground floor and exterior glass is accessible.

"KPMG's New York, Chicago and Montvale, N.J., offices each have a large Casi-Rusco Picture Perfect system with on-site alarm and CCTV monitoring performed by in-house personnel and Securitas contract security officers and connected to multiple Casi-Rusco Access Vision Badging remote sites over the LAN/WAN," Clopton says. "Stand-alone Casi-Rusco Secure Perfect systems at smaller sites are generally monitored off-site and used by office managers for CCTV video and alarm verification and investigative services. Managers also handle card and photo badge administration [and run reports], using Access Vision Imaging Workstations and Fargo badge printers."

Says Steadman: "Security officers are contracted out because we're mainly a tenant in buildings, so we depend on building security for common spaces and have our own contract security officers for our firm's acquired space.

"If we have nine floors in a building," he explains, "we don't want to assume the liability for monitoring lobbies or loading docks. We generally only go into buildings with their own camera systems and security force for public areas and specific tenant needs."

In addition to information and physical security, background and criminal investigations, Steadman's team is also responsible for security training of all firm employees and travel security. "All new hires must go through our 'on-boarding process,'" he explains, "and as an accounting and tax firm, we have to have a certain amount of continuing professional education every year in which there's information and physical security awareness training." He adds that KPMG has produced two videos ! one on traveling abroad safely for personnel and one called 'Security First,' which addresses a range of security issues ! and that the firm is now undertaking interactive employee training.

According to Steadman, the physical security systems have already greatly reduced laptop thefts, and in another instance, cameras picked up the theft of expensive halogen light bulbs from fixtures. "This was a highly-paid professional who was apparently taking them home and giving them away as gifts," he says.

But Steadman asserts that in addition to detection, the purpose of KPMG's security management systems is deterrence.

Kate Henry is an Annapolis, Md.-based writer and regular contributor to Access Control & Security Systems.

  • ANCIENT artifacts, MODERN technologies
  • United Airlines enhances security with fiber-optic transmission equipment
  • 14 Inch 4 Camera Color Quad Monitor
  • Sunglasses Camera - Color CMOS
  • Wireless Net Takes Over Homes
  • Richmond Airport uses buried cable for enhanced security
  • Doors Feature Electronic Eyes
  • Touching all the bases: security at Orioles Park in Baltimore
  • Home Automation Telecom Interface
  • Single Channel Digital Video Recorder
  • Discussion on Security Camera