Genzymes approach to security

The last decade has seen a shift in the security arena, from a traditional focus on physical security operations towards a focus on the fusion between physical and IT security. The security team at Genzyme has been at the forefront of this shift towards a holistic, business-based approach to security and risk management. Genzyme Security has implemented an integrated and intelligent enterprise risk management (non-finance) framework designed to:

Reduce vulnerabilitiesand costs by eliminatingsecurity gaps andredundancies

Identify, assess, analyze,report and manage riskswithin and across businessunits

Apply integrated riskmanagement practicesduring the developmentphase of all processes sothat security is built-in

Improve decision makingby integrating technologyand analysis to providebetter intelligence on theimpact of risks to theenterprise

Increase stakeholder valueby training all businessunits to reinforce theimportance of securityacross the enterprise

Security as an Integral Part of an Enterprise Risk Management (ERM) Program

Genzyme is one of the worlds leading biotechnology companies, dedicated to making a major positive impact on the lives of people with rare disorders or life-threatening diseases.

Threats know no organizational boundaries. Security breaches can be targeted at

any part of an organization and can quickly impact stakeholder value. Up-the-ante

when you factor in globalization. Protecting your brand, reputation, intellectual

property, supply and distribution chains, customer relations, and employees requires

a coordinated response by both the traditional brick and mortar security operations

and the information technology professionals. However, achieving a coordinated

response within the traditional physical and cyber security silo structures is a

challenge, and can prevent a truly integrated view of an organizations overall risk

position. For an organization to have a full understanding of risk interdependencies

across the enterprise, physical and IT security need to be converged into an

Enterprise Risk Management focused program. An ERM approach to security will

ultimately target and eliminate gaps and redundancies to reduce vulnerabilities and

increase stakeholder value.

The shift from silo-based security to an enterprise approach

Time is the greatest teacher. Over the past ten years, time has taught that the silo

approach to mitigating risks to the organization is inadequate and presents

inefficiencies in the protection of the enterprise. By combining physical and IT security,

an organization is in a better position to understand their overall risk position.

Risk Center

About Genzyme, a Sanofi company

Genzyme is one of the worlds leading biotechnology companies, dedicated to making a major positive impact on the lives of people with rare disorders or life-threatening diseases. Since 1981, the company has grown from a small start-up to a diversified enterprise with more than 11,000 employees in locations spanning the globe and 2008 revenues of $4.6 billion.

With many established products and services helping patients in nearly 100 countries, Genzyme is a leader in the effort to develop and apply the most advanced technologies in the life sciences. In 2007, Genzyme was chosen to receive the National Medal of Technology, the highest honor awarded by the President of the United States for technological innovation.

Early in their evolution, Genzyme,

one of the worlds leading

biotechnology companies,

recognized the need for a

coordinated and integrated

approach to security, wanting a

framework that would allow them to

manage not only the risk to existing

assets, but also risks to all aspects

of the organization that could

impact future growth. Realizing

that a traditional silo structure

would prevent a full understanding

of risk interdependencies between

business functions and processes

within the enterprise, Genzyme

implemented a security risk-based

program that encompasses physical

security, information (including IT)

and product security with business

continuity/crisis planning.

Genzyme: a benchmark for success

In 1994, Genzyme experienced the

loss of intellectual property through

theft and brought in consultant

David Kent to help evaluate the

situation. Fast forward to today and

David Kent now heads Genzyme

Security as Vice President of Global

Risk and Business Resources,

responsible for combined security,

risk management, and competitive

and technical intelligence.

Supporting Mr. Kent in the mission

of a business-based approach to

security and risk management is

Bhavesh Patel, Senior Director of

Global Risk and Business Resources.

The mission of Genzyme Security

is to protect both the tangible and

intangible assets of the enterprise

including brand, reputation, people,

monetary, data and facilities. To

achieve this goal, Genzyme security

takes an active role in identifying

and managing both rewarded and

unrewarded risks:

Rewarded risks to increase

growth and stakeholder value,

including new markets, new

products and services, new

business models, and new

partnerships

Unrewarded risks to protect

the organization against potential

monetary loss, including security

breaches, destruction or theft of

both tangible and intangible assets,

destruction of brand and reputation,

and the risk of noncompliance with

regulatory bodies

Genzyme Security manages risks

in an intelligent manner, through

a continuous life-cycle approach

from R&D, to manufacturing, to

distribution Security is involved

every step of the way to create

and preserve value. The Security

team has developed common,

unified security policies, processes

and practices which serve as the

framework for the management

and mitigation of risks across all

Genzyme business groups. One

factor that drives their success is

building risk management into the

foundation of every process.

Today, security is an integral part of Genzymes

culture. But the road to where they are today took

time and dedication to construct, and is paved by

their many accomplishments. From overseeing the

integration of security components into the design and

construction of the companys corporate headquarters,

to implementing a universal card access system, the

list of accomplishments is exhaustive and has served

to build their credibility at the board and c-suite level.

Credibility is born not only by our accomplishments, but

also by our communicating trust and value, says David

Kent, who is an active participant in executive-level

security strategy and risk assessment discussions. We

have changed the perception of security being seen only

as a tactical function to one where it is part of strategic

planning across all business processes.

Integrating technology and analysis to streamline decision making

The keystone of a successful ERM program is integration

in the form of improved intelligence sharing and

collaborative decision making across business operations.

Always with an eye towards continuous process

improvements, Genzyme Security looks to technology to

help them improve intelligence sharing and streamline

decision making. Genzyme utilizes the NC4 Risk Center

solution for notifications of global all-hazards incidents

that could pose a risk to their enterprise. NC4 helps

them in their efforts of improving their capabilities for

monitoring, gathering, analyzing, reporting, escalating

and responding to risks. As a result, they are in a better

position to deliver actionable business intelligence to the

enterprise. In the blueprint stage of defining business

processes, we consider what technological innovations

are available that can help us to streamline that

process, says Mr. Patel. The function of streamlining a

process is to ultimately save the company money we

want to work smarter not harder. We work with many

technologically savvy companies such as NC4. What

sets NC4 apart is that not only do they have superb

technology, but they also listen and react to their

customers needs.

In their state-of-the art Cambridge, MA facility, their

Security Service Center (SSC) combines physical and

IT security in one space, monitoring both information

networks and physical perimeters. NC4s global map

display has been integrated into their daily SSC

monitoring processes and is front and center in the

SSC, showing incidents being reported on by the NC4

International Monitoring Centers. Full details for each

incident can be further analyzed by clicking on the

associated incident icon. When an incident occurs

within a specified proximity to a Genzyme facility, the

icon on the map to indicate that location is highlighted

with pulsing red circles. This visual queue helps bring

immediate awareness that there is an incident that could

potentially be of higher risk to Genzymes enterprise.

Prior to subscribing to the NC4 service,