Crisis management for special

security incidents

Guidelines

- For internal distribution only -

Issue 2004

Imprint

Published by:

Corporate Security OfficeD-80333 Munich, Wittelsbacher Platz 2

Management: Norbert WolfTel.: +49-89/636-34220Fax: +49-89/636-33505

E-mail: corporate.security@siemens.com

Intranet homepage: https://intranet.cso.siemens.de

2

Contents: Page(s)

1. Why crisis management? 4-13

1.1 How serious is it and how does it affect me? 4-5

1.2 What can lead to a security crisis? 6-7

1.3 Could I be affected by a crisis; how well 8-13am I prepared?

2. Crisis management in practice 14-32

2.1 Early recognition of possible crises 14-15

2.2 Risk analysis and risk evaluation 15-16

2.3 Advance planning and organizational preparations 17-29

a. Stock-taking and data management 17-18

- Software tool "Emergency Planning, Security"; aids for preparing

for and implementing local crisis management

b. Crisis management team 19-21

- Organization of a crisis management team

c. Functions and tasks in the crisis management team 22-29

- Manager 22

- Documentation and information 22-23

- Crisis communication, press and PR work 23-24

- Consultants 25-26

- Logistics, supply and technology 27-28

- Negotiations 29

2.4 Competence through training 29-30

2.5 Preparations for crisis situations. Instructional notes, 31

plans and checklists

3

1. Why crisis management?

1.1 How serious is it and how does it affect me?

From all the reports we receive in the media about the various

flashpoints around the world and the security incidents, some

spectacular, that have taken place in so many different countries we

could be forgiven for believing that crisis management was a matter

purely for politicians and the security services.

This simply is not the case, as actual practice shows. Crisis

management is an issue that affects the company throughout the

world, day in day out, and one that is very real. Examples of security

incidents that have led in the past to crisis management include

blackmail, protection rackets, bomb threats, know-how leaks,

abduction and unrest.

Factors affecting corporate security

4

Economic changes

Globalization Global networking Increased

competition Cost pressure

Political/social causes

Contentious issues

General shift in values

Open borders

Ethnic/religious conflicts

Minorities Religious

fundamentalism Pseudoreligious

groupsPolitical radicalism

Escalation of the security situation

Economic espionage Violent crime Information warfareOrganized crime Terrorism / extremism Cyber crime

It can affect anyone any time:

With our presence in more than 190 countries throughout the world

and an information and communication infrastructure that covers

virtually every part of the globe, our company is exposed more than

ever before to a complex spectrum of threats to our security.

No manager is exempt from being confronted with emergencies or

security crises at any time, in any place and in any way. And then

they have to make the right moves, in most cases under enormous

pressure.

If you are suitably prepared for a security crisis you are more likely to

react appropriately and therefore help prevent or limit the damage.

Statutory obligation: A lack of crisis prevention measures

may have consequences under civil or criminal law for the

company and for its employees in positions of responsibility.

Key words here are: security obligations, organizational

negligence and laws governing control and transparency in

the corporate sector.

References: At this point we should like to refer you to the

Risk Management Guideline from CF T 4 (Corporate Risk

Management), the communication guidelines of Siemens AG

(Z-Circular No. 11/2001) and the " Industrial Disaster

Prevention Regulations" (BKO) issued by CT ES FD.

5

1.2 What can lead to a security crisis?

There are many events that can develop into a crisis. Here are just a

few examples:

Data theft and manipulation with blackmail involved

Loss of data through negligence with an adverse PR effect

Smear campaign

Abduction, hostage-taking, hijacking

Blackmail and protection rackets

Bomb threats

Sabotage

Bomb attacks

Fire, catastrophe

Illegal stoppages/strikes/demonstrations

Product piracy

Contamination of food

Accidents involving injury/death, considerable material damage or serious repercussions for the local population, employees and/or the environment.

Business trips and projects in countries with high security risks.

6

Of increasing importance in "security-related crisis management" are the risks associated with the global networking of information and communication systems. These risks include:

virus attacks

hacking

"cyber crime" and internet criminality

economic espionage

Case study/headlines:

International hackers break into US Defense Department computers.

Hacker changes patient records on hospital computer.

I love you virus cripples three million computers around the world.

Online banking data found on the internet.

CD-ROM with Siemens data for sale on the black market.

More and more such incidents also involve blackmail. These "new

risks" find enormous resonance in the media and may involve not

only financial damage but also loss of confidence among customers

and business partners.

7

1.3 Could I be affected by a crisis; how well am I

prepared?

Various security incidents cannot usually be handled with the

organizational structures and resources provided for "normal

everyday business" and therefore require crisis management.

Crisis management begins with a systematic review of the current

situation, progresses to the definition and evaluation of the risks

involved and leads to the development of timely and appropriate

reactions to various crisis scenarios. In actual practice, this means:

Considering realistic threat scenarios at a very early stage and

then analyzing and evaluating the possible risks.

"Early warning system": What is the security environment

in which my unit operates? What are the conceivable and

probable crisis scenarios (serious software theft, strategic

insider information leaked to the media, blackmail, smear

campaign, and so on)?

Preventative risk evaluation: What are the potential risks of

the scenarios for people, processes, the infrastructure and

my business overall?

Status of prevention: What preventative security measures

are being taken in my unit? Are they adequate in view of the

risks? What more needs to be done?

8

Creating the framework for rapid and appropriate reaction -

emergency planning.

Creating alarm plans and communication lists: How do I

get in touch with someone from the legal department on a

Sunday? Which emergency services (power supplies,

medical, telecommunication, and so on) are available and

accessible in an emergency? Which projects are running

where in the country; how many employees of which

nationalities are involved; how and above all how quickly can

I contact them?

Structure of a crisis management team: A highly trained

group of employees capable of handling various scenarios.

Reviewing strategies for crisis management: Can incident

plans be devised to deal with the various crisis scenarios?

Who does what, when and how? What resources are used?

How prepared are you for dealing with serious

security incidents?

Read the following case studies and see how you would fare.

How well could you cope with the following crisis scenarios? The

case studies are based on actual incidents. We have simply changed

the names to preserve anonymity.

9

Case study 1: Blackmail

You are head of the B. Division. Your secretary receives a fax from country C. The fax reads as follows: I have in my possession a number of PCs from authority XY. Your company supplied these PCs and you were asked to dispose of them after they had been replaced.

Well now I have hold of them. They contain sensitive data stored by authority XY. I think it's worth US $ three million not to tell authority XY or leak this story to the press. You have one week to think this matter over. I will be in touch again.

Does the blackmail note sound convincing? Has the company had dealings with authority XY? What was the nature of these dealings? Were PCs supplied to the authorities? Was there a request to dispose of the PCs? Does the company have any links to country C?

What are the contractual requirements relating to any disposal request? Who is responsible for data backup/destruction of hard disks?

How sensitive do you think the matter is? Should you use a scrambler on the phone? Do you have the necessary hardware to scramble calls?

Whom do you think you should tell? Who absolutely needs to know? Who can help? Corporate Security, Corporate Communication, Legal Services, Key Account Managers, authority XY?

Who is the best person to speak to in authority XY? Should this person be told? If so, at what stage? Who should tell him/her?

Do you need to call in the security services? Is it best to let them know immediately? Do you know someone you can trust?

Who will be handling the next call? Do you have someone suitable in your team? What strategy will be adopted? Who will be drawing up this strategy?

10

Case study 2: Know-how leak/blackmail

You receive a letter from a person unknown stating that he has information that a complete forgery of one of your products will shortly be appearing on the market. The forgery looks convincing but the quality is extremely poor and there are risks involved in using it.

The forgers indicate that they have gained insider knowledge from your unit. The letter is accompanied by a sample of the forgery for your inspection.

The author of the letter is demanding US $ ten million to hand over detailed information. He also threatens to go public unless his demand is met within one week.

Should the threat be taken seriously? What does the sample contain? Who in your unit can find out quickly?

Should the police be called in? What is the legal position? Who knows someone they can trust to talk to?

What will be the effect on your customers if they can buy a product with identical features for less? How will you deal with this problem?

Where might the insider information come from? Who in your Group can carry out the necessary investigation?

What might the consequences be for the image of your Group if the public were to find out that your development know-how is not adequately protected? Would you be prepared for this? What specific action should you take?

Which corporate offices in the company should be informed? Legal Services, specialists in patent law, Corporate Communications, Corporate Security?

11

Case study 3: Attack, kidnapping, blackmail

You are the sales manager for Region XY within the AA Division. At present you are responsible for an installation project at a river delta in the jungle of "Backofbeyondland".

It's Sunday and you receive a call from one of the 20 European project workers working on the site.

He is extremely agitated. He tells you that an hour ago they were attacked by a group of jungle fighters. Three local security men were killed and the site manager, who works for your unit, has been kidnapped.

The leader of the jungle fighters has threatened to kill the site manager within 24 hours unless the company provides someone in authority to listen to their financial and political demands. The leader intends to renew contact with Siemens in 24 hours through a messenger.

Do you know the project details? How many employees are definitely in the area (age, nationality, next of kin)? Are they all on site or are some working elsewhere in the country? Where is their accommodation located? How can they be reached– communication links, message paths? Who can give you all this information within a reasonable time?

Does the project have a security concept? Security personnel, security equipment and facilities, evacuation plans, transfer options, nearest military base? How reliable is the local government, how reliable are the security forces?

Who is now empowered at the site to make decisions? Have any contingency agreements been made?

Who do you need to inform within the company? Do you know the relevant emergency numbers, for example of Corporate Security?

12

Case study 4: Abduction

You are the HR manager of a Regional Company. The head of your company, Mr X, is visiting an important customer. His second-in-command, Mr Y, the Commercial Director, is on a business trip abroad. It is 5 o'clock in the afternoon. Mr X was due back two hours ago and cannot be contacted on his mobile phone or car telephone. You ring the customer, who tells you that Mr X drove off about two hours ago. It is now quarter past five. Your switchboard receives a call from a person who declines to give his name. The caller claims to be holding Mr X and demands to speak to someone in authority. He says he will call back at six o'clock.

Are you convinced that this is not a sick joke? Did the person who received the call hear correctly? Does your switchboard have a recording facility or a checklist for logging and dealing with suspicious calls? Are your staff sufficiently well prepared from the security point of view to deal with such calls?

Who do you have to inform immediately? The parent company, the police, the man's family? Who informs whom and how? What do you say? Is there someone in the relevant authorities that you can speak to in confidence? Do you call in the German Embassy?

Who will take the next call? Who should negotiate with the suspected kidnapper? Are the police reliable and will they take over as negotiators if the kidnapping is genuine? Are there any reasons why you and your appointed team would have to handle the negotiations? Are there suitable employees you could turn to? In the absence of the boss and his second-in-command, who is authorized to take decisions?

Which members of staff do you need to handle this crisis as it begins to unfold? What characteristics are you looking for? Are the right people available? Do you have the means of getting in touch with them? Who will alert whom and how?

Is there a strategy in place for starting possible negotiations when the next call is received? How will you behave? What will you say to the kidnapper if he demands a large ransom? Do you know the legal position with regard to negotiating with kidnappers or paying ransom money?

13

2. Crisis management in practice:

There is no "patent recipe" for managing a crisis. In actual practice,

however, various basic patterns and procedures have proved to be

successful. These are presented below.

2.1 Early recognition of possible crises

If only we had noticed earlier .............

Crisis management starts before the crisis starts. The ability to detect

potential crises calls for an in-depth knowledge of the security

situation in your area of responsibility.

America, Asia, Europe, Africa - different countries, different customs.

It is not only the security risks that vary from country to country. The

political and social environment, the legal framework, the infra-

structure and possibly also the skills and reliability of the local

authorities call for separate assessments and preparations for each

country.

If there is no full-time security officer it is best to appoint an employee

(and two deputies) who will devote some of his or her time to security

and crisis management. The tasks of such an appointee may include

the following:

Producing a security analysis

Reporting to management

Collecting, evaluating and forwarding information

Acting as a contact in security matters for internal departments

and outside agencies

14

Practical experience has shown that in order to build up an objective

picture it is best for Operating Groups, Regional Units, support

centers and projects abroad to cooperate closely with Siemens

headquarters. Corporate Security with its contacts to international

security authorities and -consultants can lend vital support.

2.2 Risk analysis and risk evaluation

What are the security risks in your area of responsibility (e.g.

Operating Group, Division, Regional Unit, site, project or factory)?

How well are you prepared for possible emergencies?

You may find it helpful to have a questionnaire that has been tailored

to your particular circumstances. Such a questionnaire may contain

the following questions:

What is the security situation in the country (e.g. political and

social developments, crime levels, kidnapping risks)?

What do I do if confidential strategic information is regularly

finding its way into the press?

How should I react if someone offers me confidential

documents from my Division?

15

What should I do if workers go on strike and shut down

production in my factory?

Where are all the various projects taking place? How

exposed are they from a security point of view? What

protection measures have already been taken (e.g. fire,

buildings, know-how)?

In the event of an emergency how do I contact all the

employees throughout the country and how long will it take?

How can I evacuate the employees and how long will it take?

What do the people on the switchboard do if they receive a

bomb threat?

What contact do I have to the security authorities?

What should I do if I am being blackmailed (by a protection

racket for example)?

What should I do if I find out that an unencrypted email

containing details of a tender for a major project has found its

way to a competitor?

Do I have a contingency plan to deal with serious food

poisoning in my factory?

2.3 Advance planning and organizational preparations

16

You should inform Corporate Security whenever there is

a major security incident, such as kidnapping or

blackmail. They can quickly arrange for a task force to

be sent.

In such cases, as indeed in all cases, the following applies however:

Crisis management can generally only run efficiently if you are aware

of the latest plans and preparations for dealing with possible crisis

scenarios in your area of responsibility.

a. Stock-taking and data management

Case study:

Imagine you are the head of Regional Unit XY. Because of a major earthquake in the north of the country, the Corporate Crises Management has decided to close the factory there, place all projects on hold and evacuate the workforce and their families.

For many crises you need a detailed inventory of equipment and

facilities (locations, offices, projects, work sites). A knowledge of the

existing and available infrastructure is essential particularly with

regard to medical care, transportation, security services and the

emergency services.

17

In addition, access lists, alarm plans, information sheets and

checklists need to be prepared. City and building plans need to be

produced. Communication links must be established and

safeguarded, and consideration must be given to alternatives (such

as satellite telephones).

To provide concrete support in the preparation and

implementation of local crisis management, particularly

outside Germany, Corporate Security Office has

developed a web-based "Emergency Planning -

Security" software tool. Go to Softwaretool „ Emergency

Planning - Security“

There is a CD-ROM that provides a central repository

and efficient tool for handling all the data and

information (checklists/information sheets) relating to

security crisis management, such as access lists, alarm

plans, maps, communication directories and

documentation.

You will require advice on how to use the software tool.

For further details please contact Corporate Security

directly.

Email: Corporate.Security@siemens.com

Tel.: +49-89-636-34220

+49-89-636-32883

+49-89-636-33345 (24 hours)

18

b. Crisis management team

Case studies:

You Information Security Coordinator warns you that sensitive in-house software from your unit is freely available on an American server and the American press and the FBI have already been informed.

Your switchboard receives a fax in which someone claims he is in possession of a hard disk containing sensitive strategic data from your unit and he will hand it over in exchange for a "ransom", otherwise he will go to the press.

Criminals report that they have abducted an employee and give you three hours to let them know what you intend doing. They are demanding a ransom of $3 million.

Crises call for instant and efficient responses: The initial response is

critical in dealing successfully with crises.

The objective in any crisis must be to mitigate the shock of the crisis,

isolate the conflict, improve the negotiating position and thereby

avoid or limit the damage.

To create the necessary framework and freedom to produce an

appropriate response, the crisis management team needs to offer

organized support and prepare proposals.

19

The tasks to be performed by a crisis management team include the

following:

Collect and evaluate information

Report on the current situation

Liaise with internal departments, authorities and

institutions

Carry out PR work

Present and recommend the various options

Document all products and activities

The description below of the organization and activities of a crisis

management team represents the ideal situation.

The actual makeup and size of such a team should be decided for

each area of responsibility, based on the prevailing local conditions

and security problems as these vary throughout the world.

The important factor is not the size of the team but the quality and

skills of the team members in handling exceptional security incidents

and performing the tasks described below.

20

In crisis situations special demands are placed on employees in

terms of their stress levels and ability to make decisions.

The makeup of the crisis management team should therefore be

based exclusively on the personal and professional suitability of the

people involved.

Crises have no respect for schedules. The head of your crisis

management team is on holiday, the press spokesperson is on a

business trip and your security officer is in hospital.

Always bear in mind that you need an adequate number of people to

stand in for others.

21

c. Functions and tasks in the crisis management team

The head of the crisis management team should come from

corporate management, construction management or project

management because he or she will have the necessary experience

and authority to make decisions. This person should report directly to

the person in overall authority. The tasks to be performed include the

following:

Defining the tasks in the crisis management team

Coordinating the work processes

Informing the person in charge

Preparing possible solutions for the person in charge

Documentation and information

Case study:

Following the outbreak of a fire you have evacuated the factory in what you think is only a short time. Even so, 10 people have to go to hospital suffering from severe smoke inhalation. An official inquiry is held. You are criticized for starting the evacuation too late. What's more, two of the injured workers could not hear the loudspeaker announcements to evacuate the building because they were in the washroom at the time.

A full documentation of the taken measures could help you to refute the reproaches.

22

One of the tasks of the Documentation and Information Department

is to collect, evaluate and forward relevant information.

It evaluates the incoming information and records the decisions and

actions taken (situation report).

Full documentation is extremely important, not least because of

possible legal consequences.

Crisis communication, press and PR work

Case study:

Following an illegal strike in your factory you have to use security forces to exercise your right of entry and have two former employees arrested for trespassing on the site.

At the factory gates there is a camera team from the local television station and a pack of reporters.

Whether it is food poisoning in the canteen, a fire at the factory, a

bomb threat or kidnapping, the PR pressure on a global company is

enormous and extraordinary incidents are always going to attract the

attentions of the media. This is particularly the case if the company in

question makes a mistake in handling the emergency.

23

Crisis communication is an essential part of crisis management and

must be covered by persons with appropriate skills.

A press spokesperson must be aware of the current situation and the

plan of action.

Crisis communication and all press and PR work relating to the crisis

must be handled via this channel with the approval of the head of the

crisis management teams or the person in overall charge.

The tasks involved in crisis communication include the following:

Monitoring and evaluating the local and regional media.

Informing and supporting the media representatives and

employees as appropriate.

Planning/preparing press conferences and/or interviews.

24

Consultants

Case studies:

A competitor is manufacturing almost identical products and there is a suspicion that it is using some of the software developed within your unit (violating your patent rights). Customers switch to the cheaper product and the damage due to loss of orders amounts to several million US $. You suspect that the competitor is being helped by someone in the unit (who is conducting research?).

Criminals are blackmailing the company for US $ 2 million. The crisis management team is not sure whether such a payment is permitted under the laws of the country and who could obtain this amount of money.

Many crisis situations call for specialist knowledge. Depending on the

situation, it is therefore often necessary for the local crisis

management team to be advised by consultants. The following are

available, for example, at Siemens headquarters:

CD S

Corporate Security Office

Legal Services (LS)

Corporate Finance (CF)

Corporate Communications (CC)

Other specialist departments (such as CIO IS and CERT)

25

Other possible consultants:

Psychologists

Interpreters

Relatives

Doctors

Engineers

Representatives from friendly companies

Employees of the Regional Unit, unless they are

integrated in the crisis management team

Officials from the German Embassy (or Consulate),

Chambers of Commerce and other such agencies

Liaison officers with the local police/military or other state

institutions

Representatives of airlines, shipping companies,

communication and/or media companies

26

Logistics, supply and technology

In a crisis you generally need what you don't have

A person in the crisis management team should be appointed to

handle issues concerning logistics, supply chains and technology.

This person should ensure that the necessary resources are

complete, operational and available. Their tasks include obtaining

vehicles, couriers, accommodation, food and equipment.

Depending on the situation, a suite of rooms should be

commandeered and equipped for crisis management. It is best for

these rooms to be located close to the offices used by corporate

management and the people authorized to take decisions.

An access control system should be installed and escape routes

should be identified. The technical equipment needed to handle a

crisis must be identified at the planning stage.

The following table represents the ideal situation and shows the best

possible solution for the number and layout of the rooms for the crisis

management team and the technical/logistic equipment for the

rooms. "Scaled-down" practical solutions need to be found for

smaller sites, support centers and projects.

27

We can sum up as follows: Specific arrangements will depend on the

nature of the threat and on the economic facilities on site.

Room for person in charge Room for information and documentation

Equipment:

Normal telephone line Scrambler telephone Tape recorder attached to

telephone

Equipment:

Normal telephone line Tape recorder attached to

telephone Overhead projector, laptop-based

projector Flipchart Television and video recorder Radio/short-wave receiver Town plans, maps

Room for secretary Special room

Equipment:

PC with internet and email Normal telephone line Answering machine Scrambler fax Tape recorder attached to

telephone

Equipment:

Normal telephone line Additional confidential exchange

line Tape recorder attached to

telephone

Room for head of crisis management team

Equipment:

Normal telephone line Scrambler telephone Tape recorder attached to

telephone

Common room for drivers, clerks, messengers, etc.

Equipment:

Normal telephone line

28

Negotiations

Depending on the nature of the crisis it may be necessary to conduct

negotiations.

For this, a skilled spokesperson is needed as part of the crisis

management team. This spokesperson will receive bulletins,

demands and proposals from the protagonists and forward them to

management or the person in overall charge. Conversely, the

spokesman will pass on proposals and decisions from the crisis

management team to the protagonists. Negotiations in the event of a

crisis serve to stabilize the situation, give the crisis team time and

provide the team with important information on the situation, the

perpetrators and any victims.

The people to be appointed as negotiators must meet extremely high

demands in terms of their personality and ability to handle stress.

This should be taken into consideration when appointing people to a

crisis management teams. Corporate Security can offer advice and

support on this specific aspect.

2.4 Competence through training

Training is the recipe for success for any team. Training exercises

must be realistic and cost-effective. The nature and scope of the

exercises will depend on the security situation, the actual risks and

the resulting need for action. In practice, this may take the following

form:

29

Discuss realistic scenarios with your crisis management team

Call the crisis management team together. Can all the members

be reached, are they all available, is the technology in place, are

the logistics right?

Practise role play. Does the team perform well?

Practise the process of developing a strategy and taking

decisions on the basis of a realistic scenario. How do you rate

your prospects in a real-life situation?

Liaise with important external agencies. How high is the level of

cooperation?

Practise trial alarms. Did you contact everyone, how long did it

take, were there any problems with the selection, functionality and

operation of the communication equipment, were the message

paths correctly defined?

Set up evacuation plans and carry out an evacuation. Were the

response times as expected, where were the difficulties and what

were they?

In effect, only appropriate crisis management training (at least once a

year) can indicate whether preparations are adequate, strategies are

effective, the persons are right for the job and the necessary

equipment and logistics are appropriate and operational. Corporate

Security can offer specialist advice on setting up crisis management

teams and conducting exercises.

30

2.5 Preparations for crisis situations: Instructional notes, plans and

checklists

The success or failure of crisis management is determined in many

cases in the first 24 hours after the onset of the crisis. The quality of

your preparations is crucial to the outcome. Generally speaking, you

will not have the time to catch up on what you have not done.

To help you make the necessary preparations for effective crisis

management for special security incidents, Corporate Security

has produced a wide variety of instructional notes and

checklists notes and checklists covering the issues raised. You

can find it in the intranet under https://intranet.cso.siemens.de.

31