Online Security, a global provider of computer forensics and information technology risk mitigation since 1997
Meeting of the Minds—The Integration of Physical and IT Security Plans
Posted: May 26 2004, by James Gordon
Introduction
John is an executive with ABC Company who travels frequently. David is his coworker and is often covering for John when he’s out of the office. Recently, John flew to a conference in Barcelona. Late one evening, he used the company laptop to log into his account and access his email account back in the home office.
That same day, David also logged into John’s account. However, David did so from John’s computer in his office. David used John’s login information, which John had taped to his computer monitor so he wouldn’t forget it. David downloaded several sensitive company documents onto a CD. David handed in his resignation a week later and went to work for XYZ Company, ABC’s direct competitor. He took with him ABC’s trade secrets, unbeknownst to ABC.
Anyone looking at the security logs for that day would have seen two activities—one remote and one from the home office. That may have been enough to send up a red flag; however, the time difference between Barcelona and the home office may have indicated to security that John was accessing the accounts from home on the company laptop, something that IT security may have decided not to ask John about. Yet, if there had been a physical security plan built into the IT security plan, someone would have noticed that John was not in the office that day—he hadn’t swiped into the building. Also, physical security checks of the workstations would have turned up John’s login information taped to his computer monitor.
Today’s Security Situation
That scenario is not uncommon. In fact, many cases exist where a simple hole in security resulted in a major loss to an organization in either dollars or intellectual property. What’s worse—those holes do not have to exist. A fully integrated plan that includes both IT and physical security can effectively address common gaps in security measures.
According to research conducted by Pinkerton Consulting, only 36 percent of companies surveyed have formal procedures for their physical and cyber-security departments to coordinate their efforts. Yet even this collaboration falls short. Truly effective procedures require an integration of the two departments.
Downsizing and solvency pressures make these threats worse. Functions normally performed in-house are outsourced, and when the data center, the background checks, and the physical security are each handled by a different vendor, the communication gaps between them are exactly the gaps an integrated security plan is meant to close. In many instances those gaps are simply overlooked. The 2003 Computer Security Issues & Trends study reported that the number of security breaches is increasing.
This is despite the large number of security measures already in place. The FBI study shows that 99 percent of companies surveyed already have anti-virus software on every computer, 98 percent have firewalls on every network, and 73 percent use intrusion detection. Yet reported denial-of-service attacks rose slightly, to 42 percent from 40 percent in 2002, and reported system penetrations fell by only 4 percent. While security measures are being implemented more diligently, the financial impact remains staggering: respondents lost over $200 million in the first half of 2003, $70 million of it to theft of proprietary information. Computer crime (Internet/Intranet security) ranks third on Pinkerton’s list of top security threats for 2003.
Integration of physical and IT security functions is not a failsafe method. In fact, integration can increase a company’s risk unless the integration process is managed properly. Proper procedures for monitoring both the computer activity and the physical activity may already occur, but without a clear plan for communicating information to each department in the event of a questionable activity, the door could be left wide open for a major breach.
IT & Physical Security Defined
Historically, physical security has protected the building, the employees, the assets of the company and the visitors to the facility. The largest task for security is managing the flow of people and goods in and out of the facility. Swipe cards, paper logs and human intervention are all methods of limiting access to those who belong in the building or have been approved for entry.
IT security protects the information resources of a company, primarily the computer and telephone systems and the data networks tied into both. It involves managing the flow of information, as well as human access, into and out of the facility’s IT systems and networks. Firewalls, network logins, policies and procedures all help to maintain a safe computing environment for the company. As the IT function evolved over the years, security became a big part of its role, but only on the electronic side: firewalls, passwords, virus scans and so on. In many cases IT focuses 100 percent of its effort on the network, overlooking the physical threats to the network and its resources.
The goal of both security areas is to prevent theft, sabotage, or other attacks from reaching into the company and affecting its business or its employees. In many cases the departments work independently of each other, which creates gaps in security due to lack of communication between them. For example, in a case of employee termination, the physical security department makes sure the employee is monitored until he or she leaves the property. However, that employee may still have access to the company database if IT has not been notified of the termination and has not removed that employee’s access and logins.
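The termination gap in the previous paragraph is a reconciliation problem, and one way to check for it is shown below as an added example (not the article’s code): the physical-security badge roster, the identity directory and recent logins are compared so that an account still enabled after its owner’s badge was deactivated, or any login after that date, is flagged for IT. Every record is constructed for illustration; the field names and the one-badge-holder-per-account mapping are assumptions, not anything the article specifies.

```python
"""
Leaver reconciliation: compare the physical-security badge roster with the
identity directory and recent logins, so that a termination that physical
security handled but never passed to IT is caught.  Added example, not code
from the article; every record below is constructed for illustration, and
the one-badge-holder-per-account mapping is an assumption.
"""
from datetime import date

# Constructed badge roster from the physical-security system.
BADGES = {
    "jgordon": {"active": True,  "deactivated": None},
    "dsmith":  {"active": False, "deactivated": date(2004, 5, 19)},
    "rkane":   {"active": False, "deactivated": date(2004, 4, 30)},
    "alee":    {"active": True,  "deactivated": None},
}

# Constructed view of the identity directory: account -> enabled?
ACCOUNTS = {
    "jgordon": True,
    "dsmith": True,        # still enabled: IT was never told of the termination
    "rkane": False,        # disabled correctly
    "alee": True,
    "svc-backup": True,    # account with no badge holder behind it
}

# Constructed authentication records: (date, account, source_host)
LOGINS = [
    (date(2004, 5, 20), "dsmith", "vpn-gw"),   # the day after the badge died
    (date(2004, 5, 20), "alee", "ws-114"),
    (date(2004, 4, 29), "rkane", "ws-300"),    # before deactivation: fine
]


def reconcile(badges=BADGES, accounts=ACCOUNTS, logins=LOGINS):
    """Return sorted (account, finding) pairs for IT and physical security."""
    findings = []
    for user, enabled in accounts.items():
        badge = badges.get(user)
        if badge is None:
            # No badge holder at all: a service account or an orphan. Either
            # way someone must own it, so surface it rather than ignore it.
            if enabled:
                findings.append((user, "enabled account with no badge holder on record"))
            continue
        if enabled and not badge["active"]:
            findings.append((user, f"account still enabled; badge deactivated {badge['deactivated']}"))
    for when, user, host in logins:
        badge = badges.get(user)
        if badge and badge["deactivated"] and when > badge["deactivated"]:
            findings.append((user, f"login from {host} on {when} after badge deactivation"))
    return sorted(findings)


if __name__ == "__main__":
    for user, why in reconcile():
        print(f"{user:<12} {why}")
```

Run daily, the first finding is the one the paragraph describes (physical security closed the badge, IT never disabled the account); the second is the more urgent one, because it shows the stale account was actually used. Accounts with no badge holder are listed deliberately: every enabled account needs a named owner, or the reconciliation cannot say who should be told when it is misused.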
Regulations—Are You Compliant?
New issues face companies thanks to a number of privacy regulations passed to protect employee and customer information. The Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Gramm-Leach-Bliley Act (GLB), and the Sarbanes-Oxley Act (SOA) together cover the sensitive information a company collects from customers and employees, such as financial and health information, as well as the company’s own financial statements.
HIPAA
With the enactment of the Health Insurance Portability and Accountability Act (HIPAA), companies were suddenly faced with protecting their employees’ private health information. Thanks to HIPAA’s broad parameters, there is widespread debate on what constitutes a breach of privacy. Is it a plan sponsor providing an employee’s information to the insurance carrier? Is it posting an employee’s birthday in the company newsletter?
Despite the lack of clear boundaries, HIPAA is clear on one issue: an employee’s private health information held in a database must be secured. Should a breach occur, the company is liable for any damages that stem from it and could face costly litigation as a result. Civil penalties for noncompliance start at $100 per violation and are capped at $25,000 per year for violations of the same requirement. Criminal penalties can reach $250,000 and up to ten years in prison at the top tier, where a person’s health information is knowingly compromised for commercial advantage or malicious harm. Consider that a single database could hold the private health information of every employee. If that database is compromised, the cost to the company could be crippling.
Case in point: Jane is a plan administrator for her company’s health plan. Jane’s job is to input changes into the employee records for the company’s self-insured plan, so she has access to all the company employees’ health information. While Jane’s computer is protected with password logins and Jane is diligent about keeping her logins private, she has forgotten that hundreds of sensitive employee documents are sitting on her desk on a Zip disk. Ruth, a disgruntled employee who was passed over for the job Jane was given, steals the disk from Jane’s unlocked office. Ruth then posts personal information about many of the employees on the company bulletin board and anonymously posts information about certain employees on the company intranet. The cost to Ruth once she is caught can be crippling. The cost to the company that Jane and Ruth work for will most likely be astronomical. While Ruth will be fired, her crimes were committed while she was an employee, so the liability will be shared between Ruth and the company. Jane may also face charges for her negligence.
Gramm-Leach-Bliley Compliance
The same holds true for banks and financial institutions. The Gramm-Leach-Bliley Act requires financial institutions to protect nonpublic personal information from distribution beyond the institution’s network. At its core, GLBA seeks to establish appropriate security and confidentiality measures for customer records and information.
In February 2003, an intruder gained access to over 8 million Visa and MasterCard account numbers by breaching a company that processes credit card transactions on behalf of merchants. The cost to Visa and MasterCard of reissuing those cards could top $200 million. The penalties for noncompliance with GLB include:
1. The financial institution is subject to a civil penalty of not more than $100,000 for each violation; its officers and directors are personally liable for a civil penalty of not more than $10,000 for each violation.
2. The financial institution and its officers and directors are subject to fines under Title 18 of the United States Code, imprisonment for not more than five years, or both.
3. Termination of FDIC insurance, and cease-and-desist orders barring policies or practices that violate the Gramm-Leach-Bliley Act.
4. Each incident is treated as a separate violation, so the resulting civil penalties can amount to millions of dollars.
5. Removal of the institution’s management, including directors and officers, and potentially a permanent bar from working in the banking industry.
6. Fines of up to $1,000,000 for an individual or, for the institution, the lesser of $1,000,000 or one percent of its total assets.
Sarbanes-Oxley Act
The Sarbanes-Oxley Act is the government’s response to the accounting scandals that rocked the boardrooms of some of the largest companies in the world. The law requires the CEOs and CFOs of public companies to certify that their financial statements are accurate and complete, and it requires internal controls to be in place to secure financial information.
Enacted in the wake of Enron, WorldCom and similar collapses, SOA is an attempt to make top management accountable for the financial records within an organization.
With numerous accounting issues plaguing the corporate world today, it is easy to see the effects of a violation of Sarbanes-Oxley. How do security plans figure into this? The law makes top corporate officers personally responsible for accounting issues, which means those managers have a particular interest in the security of the computers that store the information and keep the books balanced.
Civil penalties are steep. Sanctions for intentional or reckless conduct include temporary or permanent revocation of a firm’s Board registration or an individual’s license, and civil fines of up to $15,000,000 for firms and $750,000 for individuals. Experts contend that without strong IT security processes and technology, full compliance with SOA mandates will be impossible.
All companies should review their existing security processes for compliance with SOA, and develop plans that include regular audits to ensure the plans have been implemented properly. SOA compliance requires companies to demonstrate that policies are enforced. Companies need to ask themselves:
· How do regulatory requirements impact my business? What should I change if anything?
· What is my exposure for not complying?
· What should I do with the security and business data I am collecting?
· How will a recent merger or acquisition affect my policies? What is my incremental risk exposure?
· What can I lawfully monitor in my organization?
Integration Roadblocks
Arguably the largest roadblock to integration is getting both security departments to cooperate. Each team is accustomed to working independently and with a different set of rules, guidelines, policies, and issues to deal with.
Lack of consistent standards in one or both areas can hamper integration, as can conflicting standards. Weighting the plan too heavily toward the IT side creates its own security management problems, because the physical controls that protect the IT assets go unmanaged. Still another roadblock is the lack of a clear plan for the organization as a whole.
Elements of Effective Integration
Effective integration begins with cooperation. Each department has to communicate its special situations and needs, as well as where its gaps in security may reside. The key to the integration is to realize that it is management of the two areas that is integrated. Each department does have separate functions, but the key to successfully working together is to understand each function and to effectively manage the processes designed to close the gaps in security.
Policies and procedures will include both elements of security. Guidelines should set out the steps taken for each security issue the company faces. Benchmarks in this area are hard to apply: differences in business practices and company requirements make it necessary to tailor the policies to each business’s security situation.
Deciding on who will implement what plan is critical. Having sound policies and procedures work only if someone implements them. Also, integrated contingency planning is a key component to effective security management.
Audit logs exist on both sides of security. IT security has account records showing logins and attempts to connect to the company network. Physical security has swipe-card data showing who attempted to gain access, at what time, and to which department. If someone attempts to use a door they are not authorized for, that attempt is in the audit log; the person should be questioned about it, and IT should be notified of it. Similarly, when an employee logs onto the protected network, IT should notify physical security and find out whether that employee is in the building. Used together in a coordinated effort, the two sets of audit logs raise the organization’s level of security well above what either provides alone.
Audit trails are the fingerprints and footprints that show the organization who has been in the network at which time and where they’ve gone once in. For example, the logs of Acme Company show that on a particular afternoon, someone accessed a restricted set of files using the account of an approved user. By the policies and procedures guidelines set forth by Acme Company, the IT department is required to monitor the activity in these files. However, no red flag goes up because the user has permission to access this area.
By integrating IT and physical security, a clearer picture of what occurred would appear. Acme’s physical security department would be able to see from the building’s access records who swiped into the building that day. From that, they would be able to see that the person authorized to view this information was not in the building at that particular time. A breach in security would have been identified and the contingency plan would have been set in motion. Acme Company would have been able to save itself from employee theft of trade secrets, espionage, or worse—business interruption due to someone planting a virus or “bomb” into the protected area of the network.
In high-security areas there should be a link between the swipe card that admits someone to the building and the login and password that admit them to the network. In a number of organizations, a failed or missing building entry results in denial of login on the computers inside. This can impede work when an employee loses a swipe card or the card is damaged and does not read, but an integrated security plan can include contingencies and overrides for exactly this situation.
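The correlation that the Barcelona scenario in the introduction and the audit-log discussion above call for, together with the badge-gated login described in the previous paragraph, as an added example that is not code from the article: it reads a badge-reader log and an authentication log, derives each person’s presence in the building from their entry and exit swipes, and flags three things: a denied door swipe that IT should hear about, a console login at an office workstation by an account whose owner has not badged in, and a remote login by an account whose owner is badged in. Both log formats and all user names, doors and hosts are constructed for the example; treating a denied swipe as not changing presence, and assuming one person per badge and per account, are design choices of this example rather than anything the article specifies.

```python
"""
Correlate badge-reader events with authentication events so that each login
is checked against the account owner's physical presence.  Added example,
not code from the article; both log formats and every name (users, doors,
hosts) are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed badge log: timestamp,badge_holder,door,result
# result is "granted" (entered), "exit" (left the building) or "denied".
BADGE_LOG = """\
2004-05-12 08:02:11,dsmith,hq-lobby,granted
2004-05-12 08:05:47,alee,hq-lobby,granted
2004-05-12 09:15:02,dsmith,server-room,denied
2004-05-12 17:31:09,alee,hq-lobby,exit
"""

# Constructed authentication log: timestamp,account,source_host,access_type
# access_type is "local" (console login on an office workstation) or "vpn".
AUTH_LOG = """\
2004-05-12 08:20:05,alee,ws-114,local
2004-05-12 10:41:33,jgordon,ws-207,local
2004-05-12 11:02:40,dsmith,ws-150,local
2004-05-12 13:00:00,alee,vpn-gw,vpn
2004-05-12 16:07:18,jgordon,vpn-gw,vpn
"""


def parse_log(text, fields):
    """Split comma-separated lines into dicts; the first field is the timestamp."""
    rows = []
    for line in text.strip().splitlines():
        row = dict(zip(fields, line.split(",")))
        row["ts"] = datetime.strptime(row["ts"], TS_FMT)
        rows.append(row)
    return sorted(rows, key=lambda r: r["ts"])


def build_presence(badge_rows):
    """Per badge holder, the time-ordered list of (timestamp, result) events."""
    events = defaultdict(list)
    for r in badge_rows:
        events[r["holder"]].append((r["ts"], r["result"]))
    return events


def present_at(events, user, ts):
    """True if the user's last entry/exit event before ts was a granted entry.
    A denied swipe does not change presence: an interior door may refuse
    someone who is legitimately inside the building."""
    state = False
    for when, result in events.get(user, []):
        if when > ts:
            break
        if result == "granted":
            state = True
        elif result == "exit":
            state = False
    return state


def correlate(badge_text=BADGE_LOG, auth_text=AUTH_LOG):
    """Return time-sorted (timestamp, account, reason) alerts for both departments."""
    badge = parse_log(badge_text, ["ts", "holder", "door", "result"])
    auth = parse_log(auth_text, ["ts", "account", "host", "kind"])
    events = build_presence(badge)
    alerts = []
    # Physical-side signal that IT should be told about.
    for r in badge:
        if r["result"] == "denied":
            alerts.append((r["ts"], r["holder"], f"badge denied at {r['door']}"))
    # IT-side signals checked against physical presence.
    for r in auth:
        here = present_at(events, r["account"], r["ts"])
        if r["kind"] == "local" and not here:
            alerts.append((r["ts"], r["account"],
                           f"local login on {r['host']} but no badge-in on record"))
        elif r["kind"] == "vpn" and here:
            alerts.append((r["ts"], r["account"],
                           "remote login while badged into the building"))
    return sorted(alerts)


def permit_local_login(events, user, ts, override=False):
    """Enforcement form of the same rule: refuse a console login for a user
    who has not badged in, unless a documented override (lost or damaged
    badge, approved by security) is in effect."""
    return override or present_at(events, user, ts)


if __name__ == "__main__":
    for ts, who, why in correlate():
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {who:<8}  {why}")
```

On the constructed data the 10:41 console login under jgordon’s account is flagged because no swipe for jgordon exists that day, which is the fact the introduction says nobody looked at; the VPN login from the laptop later that afternoon is, on its own, unremarkable. `permit_local_login` is the same rule in enforcement form, with the override the contingency plan calls for; the override should itself be logged and time-limited. The correlation only works if badge readers and authentication servers share a clock, since a skew of a few minutes is enough to misorder an entry swipe and the login that followed it.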
Every Function In Its Place
Baker Corporation has finally managed to integrate its security departments. It created a Corporate Security department, which in turn divided the security work into six key processes. Each process has several sub-processes and, at times, key projects. The six processes are:
· Information Security
· Computer Security
· Personnel Security
· Physical Security
· Loss Prevention
· Business Continuity
Each process handles a defined part of the overall security effort. Within those functions, all departments follow a uniform policies-and-procedures code, with separate functional procedures that tie back into it.
Integration Checklist
Like Baker Corporation, organizations should identify their specific security needs. In order to plan and execute an integrated security management structure, the following questions should be addressed:
· Should my organization bring together physical and IT security functions?
· How can I prevent the theft of intellectual property and other assets in my organization?
· Are my physical security procedures enough to protect my data center & IT systems?
· How should I respond to security incidents in my organization?
· Is my corporate network vulnerable to wiretapping and sniffing?
· What about the perpetrators? How can I reduce the risk of employee/contractor fraud in my organization?
· What databases that identify users/employees exist and are they properly upgraded and maintained?
· What policies and procedures currently exist for both security departments?
· What unwritten policies or processes exist that affect security?
· Who handles what responsibility in each process?
· Are functions being performed properly?
· Do the personnel have the resources and support to perform these functions effectively?
· What contingency plans are needed in order to cover the integrated areas?
Baker Corporation identified its six key processes, which in turn allowed it to identify the sub-processes in each area. Information Security, for example, handled information protection related to classification, labeling, storage, transmission, and destruction.
Going forward, Baker’s Information Security function will be responsible for security for: intellectual property and asset valuation, intellectual property classification management, protection standards and methods, competitive intelligence and counterintelligence, and employee and trade or process partner disclosure agreements. All of these processes feed into the main security procedure, set up under the Corporate Security banner.
The New Security Structure
Creating an integrated security management plan means creating a different security structure. Traditionally, both departments were separate entities, working independently of each other. A simple integrated security plan establishes a new structure:
Business Security Management
  |-- Physical Security
  '-- IT Security
As in the Baker Corporation example, the plan can drill down into sub-processes and identify the key components of each area’s expertise and security coverage.
Ongoing Implementation Issues
Effective security integration only works if each side acknowledges the holes that exist and works consistently at covering them. Many in IT and physical security believe that current security measures will not allow breaches to occur, yet breaches keep occurring. According to Computer Emergency Response Team (CERT) research, over 82,000 incidents were reported in 2002, more than 30,000 more than in 2001, and nearly 115,000 were reported in the first three quarters of 2003 alone. The FBI estimates that only 10 to 15 percent of cyber crimes are reported at all. Despite the best efforts of both IT and physical security departments, cyber crime is on the increase.
What’s needed is a plan that includes active monitoring of areas that historically were monitored, but with a singular way of thinking. Are audit logs on and monitored? If so, are the physical logs and IT logs compared regularly? Is the network activity monitored regularly? If the organization outsources its IT function, does that vendor understand what types of activities you expect to be monitored and how? Does physical security understand what information should be shared with the IT department? Understanding the answers to these questions, and implementing a sound plan with effective ongoing maintenance, will significantly reduce the risk of incidents and bring more value to the organization’s security departments.