By Matthew Arnold.
In many risk management programmes the link between physical security and information security is overlooked or under-appreciated. The disconnect runs both ways: information security managers neglect the vulnerabilities created by physical security lapses, while physical security managers avoid the seemingly complex and intimidating practice of securing information. This article aims to bridge the two by exploring the role of physical security in an information security management system.
An information security management system (ISMS) is a business management system that aims to protect information from unauthorised access, use, disclosure, disruption, modification, recording or destruction. It is a common misconception that an ISMS exists only to keep hackers out of a computer or network. Its purpose is to protect the confidentiality, integrity and availability of information in every form: printed, written, stored electronically, spoken, presented as video or audio, or sent by post or email. An ISMS ensures that information is appropriately protected however it is transmitted, shared or stored.
Protecting information does not stop at installing anti-virus software and strong firewalls; it also requires a thorough physical security system. In information security terms, the goal of a physical security management system is to prevent unauthorised physical access to, damage to and interference with an organisation's premises and information.
In establishing a physical security system that adequately protects an organisation's information, the following questions should be addressed:
- Does your organisation have a physical security policy?
- Does this policy address the following?
  - Campus security?
  - Building security?
  - Floor security?
  - Room security (including data and wiring closets)?
  - Asset security?
- Are controls in place to physically protect information and information technology in line with its classification?
- Are controls in place to ensure the use of appropriate identity and privilege credentials?
- Are physical barriers present (fences, gates, walls, exterior doors, windows, interior doors)?
- Are the physical premises monitored for fire, flood, intruders and temperature fluctuations?
- Are appropriate access controls in place at those barriers, such as vehicle barriers, card readers and combination locks?
- Is an entry and exit logging system in place?
- Are video monitoring systems, motion detectors, proper lighting and guards (where appropriate) in place, as needed?
Most of these questions are intuitive; an office building obviously has exterior doors and windows. Physical security, however, requires further measures to ensure that information is not reached by unauthorised parties. For example, interior doors should be labelled neutrally, as "Room 3A" rather than "Data Centre", so that signage does not lead an intruder straight to the most sensitive room.
Once these questions have been addressed and controls have been put in place, the mitigating controls must be tested through penetration testing. A physical penetration test assesses the vulnerabilities of information, assets and the physical security system as a whole. Simply creating controls does not guarantee that they will prevent unauthorised access and security breaches. Penetration testing exposes errors in the physical security system, particularly the most common source of risk: human error.
For a control to succeed, employees must understand how the mitigating controls work and why they have been put in place. Education, information and awareness training for employees are vital to the success of any security management system. To gauge how well employees understand and apply the controls, penetration tests should be carried out regularly. Each test attempts to breach the physical security system in ways that the mitigating controls are supposed to prevent.
An example of a penetration test would be to have an individual from outside of the organisation attempt to gain access to the organisation’s secured information. This individual, dressed as a technician visiting the organisation to do something as simple as read electricity-use meters or test the voltage of certain power outlets, then attempts to access secure information held by the organisation.
A successful physical security system would stop this individual at the early stages of entry. For example, a card reader controlling entry and exit would prevent the individual from entering the premises without the necessary approval. In practice this is not always what happens: the individual, dressed in a technician's outfit, often establishes credibility, and the pretext then persuades employees to assist the "technician" with the stated task, giving free rein to otherwise secure areas of the organisation's premises.
During such penetration tests, employees have allowed the technician to plant rogue hardware and collect data. They have left their desks unattended, giving the technician access to their computers and to the paper documents on their desks. In some cases the bogus technician has even been let into data centres holding all of the organisation's confidential information.
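The entry and exit logging and card-reader checks described above can be made concrete. The following Python is an added example written for this article, not code from the author or from any product mentioned here; the badge IDs, zone names, the visitor-escort rule and the constructed event sequence are assumptions for illustration. It models three checks a reader system should apply before the "technician" gets past the lobby: that the badge is known, unexpired and permitted for the zone; that a visitor badge only enters a restricted zone alongside a staff escort who is already logged as inside; and that entry and exit events pair up, so a person who tailgated in (exit with no matching entry) or passed a card back (entry while already logged inside) is denied and logged.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Badge:
    holder: str
    kind: str                          # "staff" or "visitor" (assumed categories)
    zones: frozenset                   # zones this badge may enter unescorted
    expires: Optional[datetime] = None  # visitor badges carry an expiry


@dataclass(frozen=True)
class Event:
    ts: datetime
    badge_id: str
    zone: str                          # the zone the reader guards
    direction: str                     # "in" or "out"
    escort_id: Optional[str] = None    # staff badge presented with a visitor's


class AccessControl:
    """Card-reader decision logic with an entry/exit log and anti-passback state."""

    def __init__(self, badges):
        self.badges = badges
        self.inside = {}   # badge_id -> set of zones the holder is logged into
        self.log = []      # (ts, badge_id, zone, direction, granted, reason)

    def _record(self, ev, granted, reason):
        self.log.append((ev.ts, ev.badge_id, ev.zone, ev.direction, granted, reason))
        return granted, reason

    def _escort_present(self, ev):
        escort = self.badges.get(ev.escort_id)
        return (escort is not None and escort.kind == "staff"
                and ev.zone in escort.zones
                and ev.zone in self.inside.get(ev.escort_id, set()))

    def decide(self, ev):
        badge = self.badges.get(ev.badge_id)
        if badge is None:
            return self._record(ev, False, "unknown badge")
        zones = self.inside.setdefault(ev.badge_id, set())
        if ev.direction == "out":
            if ev.zone not in zones:
                # No matching entry: the holder got in without badging (tailgating).
                return self._record(ev, False, "exit without matching entry")
            zones.discard(ev.zone)
            return self._record(ev, True, "exit")
        if badge.expires is not None and ev.ts > badge.expires:
            return self._record(ev, False, "badge expired")
        if ev.zone in zones:
            # Already logged inside: card passed back, or holder left unbadged.
            return self._record(ev, False, "anti-passback violation")
        if ev.zone in badge.zones:
            zones.add(ev.zone)
            return self._record(ev, True, "entry")
        if badge.kind == "visitor" and self._escort_present(ev):
            zones.add(ev.zone)
            return self._record(ev, True, f"escorted entry by {ev.escort_id}")
        return self._record(ev, False, "zone not permitted")

    def denials(self):
        return [entry for entry in self.log if not entry[4]]


def run_scenario():
    """Constructed sequence (assumed data): a visiting 'meter reader' and one staff member."""
    t0 = datetime(2024, 5, 1, 9, 0)
    badges = {
        "S-100": Badge("A. Staff", "staff", frozenset({"Lobby", "Floor2", "Room3A"})),
        "V-7": Badge("Meter reader", "visitor", frozenset({"Lobby"}),
                     expires=t0 + timedelta(hours=2)),
    }
    ac = AccessControl(badges)
    events = [
        Event(t0, "V-7", "Lobby", "in"),                                      # granted
        Event(t0 + timedelta(minutes=5), "V-7", "Room3A", "in"),              # no escort
        Event(t0 + timedelta(minutes=6), "S-100", "Room3A", "in"),            # granted
        Event(t0 + timedelta(minutes=7), "V-7", "Room3A", "in", "S-100"),     # escorted
        Event(t0 + timedelta(minutes=30), "S-100", "Room3A", "in"),           # passback
        Event(t0 + timedelta(minutes=40), "V-7", "Floor2", "out"),            # tailgated in
        Event(t0 + timedelta(hours=3), "V-7", "Lobby", "in"),                 # expired
        Event(t0 + timedelta(hours=3), "X-1", "Lobby", "in"),                 # unknown
    ]
    return [ac.decide(ev) for ev in events]


if __name__ == "__main__":
    for granted, reason in run_scenario():
        print("GRANTED" if granted else "DENIED ", reason)
```

The denial log is the point of the exercise: each denied event is exactly the evidence a penetration test report needs, and the "exit without matching entry" case is how a tailgating technician shows up in the data even when nobody challenged him at the door. Real systems also need nested zones (building, floor, room) and a grace period for failed reads; those are left out here.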
When penetration tests are carried out, weaknesses and vulnerabilities are exposed. As noted, these weaknesses usually exist as a result of human error. In every form of risk management, whether for information or physical security, the human factor is the most common source of risk. To merge physical and information security into a single effective system, measures must be taken to reduce human error and the risk it carries. This is achievable if sufficient effort goes into raising awareness of the organisation's security policies and procedures and into staff training aimed at minimising human-factor risks.
Both information and physical security managers should develop training sessions tailored to the responsibilities of employees and which highlight vulnerabilities such as those revealed by penetration testing results. Successful training will embed a culture of risk management regarding both physical and information security, and ensure that employees consciously consider the risks their actions often pose to the organisation.
Beyond training sessions, additional policies that include a disciplinary process should be put in place. A disciplinary process for breaches of the organisation's security is necessary to establish the importance of security to the organisation. Its objective is to draw attention to security breaches and to attach consequences to them.
This article has focused primarily on the role of physical security in the protection of information. Information security is often seen as complex and consequently left to "the IT guys". Although some aspects of it require a deep understanding of technology (both hardware and software), the underlying idea of protection is the same as in physical security. For example, requiring employees to use a unique user login and password to access a company computer and the local network is directly analogous to requiring an employee to enter the office with a photo ID card. To ensure a proper bond between information security and physical security, physical security managers should familiarise themselves with the controls that protect information outside the realm of physical access.
The purpose of this article is to stress the importance of the unification of information security policies and physical security policies. In order for an organisation to protect one of its most important assets, information, that unity between the two disciplines is necessary. Through penetration testing, education, awareness and disciplinary action, when necessary, security managers can ensure the well-being of the information, staff, and assets held by the organisation.
Matthew Arnold serves as the Global Sales and Marketing Manager for Stiki – Information Security. He is responsible for global marketing, business development, and account management for RM Studio risk management software. Matthew holds a Master of Business Administration in International Business from the University of Tampa. He can be contacted at: Stiki – Information Security, Phone: (+354) 570 0600, Email: matthew.arnold@stiki.eu, Website: www.riskmanagementstudio.com, www.stiki.eu