Function Over Form
In the quiet predawn hours of a Saturday morning, my team and I broke into a building in an industrial park south of Los Angeles that housed several companies providing credit card and bounced-check processing services. The break-in was not malicious; in fact, it was court ordered. We were investigating the alleged theft, two years earlier, of an entire company.
How can a company be stolen? According to the majority owner of the original company, two employees with minority shareholdings had simply taken the hard drive from the company’s server and left behind an empty hard drive with identical specifications as a replacement. This allowed them to walk away with the company’s clients, the vendors, and all planned transactions.
Better coordination between physical and IT security could have helped the company avoid being wiped out by clever thieves. For example, an integrated vulnerability assessment would have highlighted the risk of losing the hard drive. In addition, the company's policies would have ensured there was a procedure in place to back up the hard drive and store the backup securely off site.
Clearly, convergence is about more than simply deciding who’s in charge of security; physical security professionals and IT professionals must understand how they can assist their counterparts in protecting corporate assets, whatever their form or format.
To see how that might be done, let's look at a company (which we will call The New Company) that came into existence when two multibillion-dollar corporations each divested a $400 million division and the two were merged into a single operating unit. The New Company, with some 6,000 employees, 200 branches, and two main offices, needed completely new organizational structures, such as a treasury function and a security organization.
The company’s blank canvas provided a unique opportunity to shape a program that would remove the boundaries between physical security and data security. I was charged with creating the security master plan.
My premise was that electronic crime does not simply occur; it evolves. Thus, early detection of the evolving attack is the most efficient approach to combating such crimes. These attacks take place in both the domain of physical security and the domain of data security.
Sensitive data exists in electronic form both at rest and in flight, as well as in physical form as customer contracts, reports, and so on. The same data moves between and across these two forms over its life cycle.
Given these interactions, it is imperative to avoid "security myopia," in which physical security professionals ask questions and get answers that pertain only to physical security, and data security personnel likewise focus only on securing information in its electronic form.
The next step was to create an integrated security function by identifying specific guidelines for the interaction and collaboration of physical and data security personnel. This collaboration focused on the areas in which physical security has the most value to offer data security: vulnerability assessments, policy writing, and IT change control.
Vulnerability assessments. One of the first missions was to conduct an integrated vulnerability assessment to consider both physical and data security. The key difference between traditional vulnerability assessments and integrated assessments is that in the latter, attention is given to identifying the places or functions in which conversions of data forms occur. Each conversion, from electronic to physical and vice versa, is a fork in the road, and each fork should be examined in both directions, forward to the intended treatment of that information (such as continued storage or authorized destruction) and backward to the origination of that information asset.
Take, for example, work done by a sales person at The New Company. He or she writes a paper contract in the field that contains detailed, sensitive data on a client (including name, address, phone number, and customer account or Social Security number) so that a credit check can be performed. The contract is written on multipart sheets. One is sent to the accounting department, one goes to a branch office, one is directed to shipping, and one may stay in a box in the trunk of the sales person's car.
Ultimately this customer's information will be transferred to the company's database. All of these different versions of the same information constitute assets, and if this customer information is lost or stolen, it doesn't matter whether it was in its physical or electronic form at the time; the liability remains.
The vulnerability assessment should look not only at the location of data at one point in time on a computer system, but also at how that information got there. It should be protected in all its forms along the continuum.
Other data conversions might include: USB drive to Excel worksheet; paper to scanned image; and PDA to enterprise database server. Again, the assessment should pursue each thread to its conclusion. For example, when the data from the PDA, which might be used by the sales person in the field, is communicated to the enterprise database server, the assessment should consider what remains on the PDA and how it is protected against misuse or theft.
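The forward-and-backward examination of each conversion described above can be modeled as a small data-flow graph: every copy of the information is a node, every conversion is an edge, and the assessment walks each edge in both directions to flag copies with no protective control, copies with no authorized disposition, and sources that keep an unencrypted residue after handing the data on. The Python below is an added example, not code from the article or from The New Company; the asset names, controls, and dispositions are constructed to mirror the sales-contract scenario and are assumptions, as are the three checks it applies.

```python
"""Added example: an integrated vulnerability assessment modeled as a graph of
data forms and the conversions between them. Every asset, control and
disposition below is a constructed assumption mirroring the article's scenario."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class DataForm:
    """One copy of the customer information in a specific form."""
    name: str
    medium: str                                       # "paper" or "electronic"
    controls: Set[str] = field(default_factory=set)   # protective measures on this copy
    disposition: Optional[str] = None                 # authorized end state, None if undefined


@dataclass
class Conversion:
    """A fork in the road: the data moving from one form into another."""
    src: str
    dst: str
    residual_on_source: bool = False  # True when the source still holds the data afterwards


class IntegratedAssessment:
    def __init__(self) -> None:
        self.forms: Dict[str, DataForm] = {}
        self.conversions: List[Conversion] = []

    def add_form(self, form: DataForm) -> None:
        self.forms[form.name] = form

    def add_conversion(self, src: str, dst: str, residual_on_source: bool = False) -> None:
        if src not in self.forms or dst not in self.forms:
            raise KeyError(f"unknown form in conversion {src}->{dst}")
        self.conversions.append(Conversion(src, dst, residual_on_source))

    def _walk(self, start: str, forward: bool) -> Set[str]:
        """Forms reachable from `start`: downstream copies when forward is True,
        the chain back to the asset's origination when it is False."""
        seen: Set[str] = set()
        stack = [start]
        while stack:
            cur = stack.pop()
            for c in self.conversions:
                if forward and c.src == cur:
                    nxt = c.dst
                elif not forward and c.dst == cur:
                    nxt = c.src
                else:
                    continue
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
        return seen

    def forward(self, name: str) -> Set[str]:
        return self._walk(name, True)

    def backward(self, name: str) -> Set[str]:
        return self._walk(name, False)

    def assess(self) -> List[str]:
        """Examine each conversion in both directions; report unprotected copies,
        copies with no authorized disposition, and unencrypted residue on a source."""
        findings: Set[str] = set()
        for c in self.conversions:
            examined = {c.src, c.dst} | self.forward(c.dst) | self.backward(c.src)
            for name in examined:
                form = self.forms[name]
                if not form.controls:
                    findings.add(f"{name}: no protective control on {form.medium} copy")
                if form.disposition is None:
                    findings.add(f"{name}: no authorized disposition defined")
            if c.residual_on_source and "encryption" not in self.forms[c.src].controls:
                findings.add(f"{c.src}: data remains after transfer to {c.dst} but is not encrypted")
        return sorted(findings)


def build_scenario() -> IntegratedAssessment:
    """Constructed scenario: the multipart field contract, its copies, a sales PDA,
    and the enterprise database they all feed."""
    m = IntegratedAssessment()
    m.add_form(DataForm("field_contract", "paper", {"sales_rep_custody"}, "distributed"))
    m.add_form(DataForm("accounting_copy", "paper", {"locked_cabinet"}, "retained"))
    m.add_form(DataForm("branch_copy", "paper", {"locked_cabinet"}, "retained"))
    m.add_form(DataForm("shipping_copy", "paper"))   # no control, no disposition
    m.add_form(DataForm("trunk_copy", "paper"))      # the box in the car
    m.add_form(DataForm("pda", "electronic", {"pin_lock"}, "wiped_on_return"))
    m.add_form(DataForm("crm_database", "electronic", {"access_control", "encryption"}, "retained"))
    for sheet in ("accounting_copy", "branch_copy", "shipping_copy", "trunk_copy"):
        m.add_conversion("field_contract", sheet)
    m.add_conversion("accounting_copy", "crm_database")                # keyed in by accounting
    m.add_conversion("pda", "crm_database", residual_on_source=True)   # sync leaves data on the PDA
    return m


if __name__ == "__main__":
    for finding in build_scenario().assess():
        print(finding)
```

Running it reports the shipping sheet and the trunk copy (no control, no disposition) and the PDA (data left behind without encryption), while the accounting and branch copies and the database pass. The point of walking both directions is that a finding surfaces no matter which conversion the assessor starts from: the trunk copy is reached from the field contract going forward, and from the database going backward.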
In my experience, data security personnel, if left to their own devices, often do not conduct formal vulnerability assessments. When they do, they almost always ignore physical data.
Policies. After vulnerabilities have been identified, policies to address those concerns must be written. Many organizations have two sets of security policies and procedures, one for physical security and another for the IT group; however, few IT organizations have policies for change control (explained in more detail below) and it is during these procedures that the greatest vulnerabilities occur.
The New Company also has two sets of security policies, but these fully contemplate and complement each other. Together they define baseline control measures that all employees should be familiar with and should consistently follow.
The policies establish a standard of due care to prevent problems, such as hacking, fraud and embezzlement, theft, industrial espionage, violence, sabotage, errors and omissions, and system unavailability. Each of these could materialize as the result of a physical attack, an electronic attack, or a combined physical and electronic attack, and understanding this and preparing for it is a way of preventing security myopia.
The enterprise security policies address all workers and cover in detail all business activities. Matters covered range from hiring procedures to use of the corporate network, including e-mail, password management, remote computing, and network access control.
An additional set of policies aimed at the organization’s 250 IT managers and staff addresses the more technical aspects of IT security. This document addresses subjects such as backup media management, virus scanning, and intrusion detection.
Change control. Change control is typically an IT responsibility. When some aspect of the network or computing infrastructure undergoes a change, such as the addition or removal of a server or a software application, the reconfiguration of a router or firewall, or the performance of a tape backup, change control policies dictate the steps that must be taken to ensure that a properly trained and authorized person performs the change; that nothing on the network is inadvertently altered or disabled; and that critical data and functions remain unimpaired.
Physical security can play an important role in change control, as it does at The New Company. For example, it can take responsibility for ensuring that only authorized personnel conduct the procedure, or can oversee the process of delivering tape backups to a secure location. Physical security officers are also trained to evaluate the security of a location where backup tapes will be held.
Information ownership. Together, the organization’s policies distinguish owning information from being the custodian of information. The owner, typically the business unit, controls who has access to the information and what rights they have with it. This process can involve physical security personnel who have responsibility for securing the organization’s intellectual property and thus need to know who has access to sensitive data.
IT is the custodian of information; its task is to make sure that data is preserved and administered in line with the owner’s expectations. Many companies do not make the distinction between owning and having custody of information, thus leaving an organization at the risk of appearing negligent should information security be breached. The New Company’s policies make this distinction clear.
Legal issues. Security policies need to define the minimum controls necessary to prevent legal problems that might arise from the insecure handling of customer information or third-party data. Legal problems might include allegations of negligence, breach of fiduciary duty, or privacy violations.
Companies must be aware of their obligations under legislation, such as the California database disclosure law that requires companies doing business in California to notify customers if any of their personal information is exposed. Other measures that impose on companies a duty to protect consumer information include the Health Insurance Portability and Accountability Act (HIPAA) for healthcare organizations, the Gramm-Leach-Bliley Act for businesses in the financial sector, and regulations of the Federal Trade Commission. Clearly, IT and physical security programs must be coordinated to ensure that legal obligations to protect data are met.
In addition to actually securing the company, policy statements are designed to serve as evidence of management’s intention to safeguard sensitive and proprietary information, including the legal assertion of trade secret protection. Integrated policies help to serve as evidence that internal control processes are in place.
These policies can provide a competitive advantage with regard to unauthorized disclosures of information assets that are protected by legislation. For example, assume that both The New Company and its competitor experience a loss of their customers' financial identities through similar attacks. It's plausible that both companies will be found responsible for the loss, but it is also likely that The New Company will escape punitive damages, because it can show that it has an enterprise security plan that integrates (or is working toward integrating) physical and IT security.
As long as the company is working toward that plan (even if it's a seven-year plan and hasn't been completely accomplished yet), the company can show it wasn't negligent. Thus, it will have eliminated its largest liability.
Oversight. The New Company's policies identify a number of activities performed by data security personnel that require approval of the Enterprise Security Department. For example, employees must get authorization from security before they are allowed to take a company laptop home.
Good relations. Many physical security professionals dread talking with IT personnel about technical issues. They must overcome this problem.
The first step in showing the value of physical security is creating good interpersonal relationships with IT colleagues. Security pros can then ask specific questions to learn more about IT policies and to ensure that physical security issues are addressed.
Physical security professionals could ask how the backup process works and where and how tapes are stored. While IT typically has its own policy for the backup process, the department often never considers that the tape containing all of the company's most sensitive information is a physical asset that can easily be compromised. After gaining an understanding of the process, the physical security manager will be in a position to say whether there is a physical aspect that must be addressed, such as by suggesting that a security officer be on hand while the backup tapes are transferred to the secure offsite location.
The increase in the number and type of electronic crimes, new legislation, and the reluctance of insurance companies to assume the full risk of information loss are all forces working to reshape security as a profession and to push the two branches of security, physical and IT, toward convergence. Security professionals and their companies need to ensure that this convergence is embraced and properly implemented.
Joel Rakow, Ed.D. is the eCrimes Practice Lead for Tatum Partners, LLP. He is a Secure Access Member of the FBI Infragard and has served the State of California as the chief technical executive for the court-appointed Receiver, State Court of California. He is the security representative on the Adobe Software CIO Advisory Council and a member of ASIS International.