From time to time Stickley publishes articles on a broad range of security related issues. Included here are some of those articles.

IT & Physical Security-When worlds collide

I’m an IT guy. Been one for a long time. The trouble is, the phrase “IT guy” (referring to both men and women) has become too much of a generic term. It can range from highly trained software programmer with a master’s degree to a high school drop-out who hooks up the printer in your office. No matter what category an IT guy falls into, there has always been one clear understanding; you hear “IT” and you immediately think about computers. But times…they just might be a changin’. Over the past year, more and more corporations are changing the job function of many IT professionals. IT managers, who once were responsible for keeping their network up and the data secure, have started discovering a whole new job description tacked onto their job requirements.

The IT guy has now discovered that he is becoming more responsible for the physical security of the facility in which the company data is housed. It all stems from the simple concept that the IT guy has been told to make sure the data on the network is secure. He budgets for his Firewall, IDS / IPS, Anti-Virus, Anti-Spam, Anti-Spyware, VPN, patch management, policy management, etc. and then proudly declares to the board, “We are secure.” Each day he reviews his logs and smiles as he sees the thwarted hackers rejected by his superior security technology. Then, one morning he shows up to the office and sees the front window of the building has been smashed out. This is not the sign of a start to a good day.

After the dust settles and a complete inventory has been taken of the office, it is discovered that several desktop computers, laptops, and servers have been taken. Among those missing are servers that held a complete backup of the entire database. The thousands of dollars spent on network security equipment have just been bypassed by a big rock and a car with a good sized trunk. And at just that moment, the job function of the IT guy became a whole lot more complicated.

He must now guarantee the physical security of the data that he was originally hired to protect from all points of risk. This scenario has been played out all over the United States. Corporations are realizing that the IT staff needs to take greater responsibility for the complete security of the data, including the physical security. Of course there are generally others who already had that responsibility to some degree and therein lies one of the many hurdles to a simple convergence of IT and physical security.

Brawn vs. Brain. Who is responsible for physical security?
Often times the physical security of a facility is controlled by the building management and/or owners of the building. Because this management is not controlled by the corporation that is leasing space in the building, the security policies and procedures mandated by that corporation do not necessarily need to be adhered to. Nor, in many cases, is the management company even aware that these policies exist. Most contracts are very clear in stating that the management of the building is not responsible for the loss of or damage to anything. This means that if their security is poor and a corporation is burglarized, in almost all cases they will not be held responsible. In addition, because they do not follow the same strict policies that the corporation might require, huge gaps in security can develop.

In one incident that I am aware of, a janitor at the facility was responsible for issuing key fobs to allow access to the facility. The janitor was employed by the building management, not the corporation that was leasing the space in the facility. The key fobs that he controlled gave access not only to the main facility, but to every secured door in the building. Of course, different key fobs had different access levels allowing proper access to each area. As time passed, and the janitor became friends with employees, he would change access levels for them without authorization. Because he controlled all reporting, as well as all management of the key fobs, it did not become exposed until a terminated employee was caught on an internal surveillance system using his key fob to access a restricted area and remove confidential documents and files. This type of compromise was a direct result of the lack of physical control by the leasing corporation.

There are also problems with disagreements between employees in the IT department and those currently responsible for general security in the corporation. Even in organizations where there has yet to be a breach, the simple mention of the two coming together can cause a wave of anger fueled by confusion.

Smart cards, for example, are introduced into an organization. During the initial setup, the IT department controls the testing since the equipment falls under its control. As the technology starts to be rolled out to other departments, controlling software and physical access begins to involve the physical security staff. Now, who controls the software, as both physical and network access is at stake?

It is a valid question, and without a pre-existing dialogue it will most often lead to anger, resentment, and passive-aggressive behavior. My favorite example of that is when the IT guys in one organization I was reviewing showed me how they would enable and disable access for one of the security guards as he attempted to enter the facility. He would swipe his card over and over, all of it caught on closed circuit TV, as the IT staff rolled on the floor laughing. Then, when he was finally let in, his access was immediately restored and his card was working again.

There is no doubt that IT and physical security are on a collision course, but it doesn’t have to end with full scale employee warfare. I have been to many organizations where, through proper planning and open development, all employees involved have come together to create a very tight security routine.

Getting on the same page
The first step is removing control from any third party. If access to any part of your facility is controlled by anyone other than your organization, you already have a security issue. Third-party security firms hired specifically to protect your organization are excluded from this rule, as they are required to follow the policies mandated by your organization. However, in all other cases, the physical and network security must be maintained by employees who know, understand, and are held responsible for following the organization’s security policy. In addition, common areas such as reception desks, which can be accessed during off hours by non-employees, must have strict security enforced at the desktop and network level. Often times these computers and/or network access points have complete access to the internal network, leaving room for compromise.

Next, a risk assessment must be conducted to outline critical and non-critical data and equipment. Before you can secure a facility, you must have a documented outline of what you are trying to secure. Obviously the same level of security is not needed for a basic employee workstation as would be needed for a main database. However, if that workstation has database access or maintains even limited confidential information, then it must also be considered a risk and therefore receive a higher level of security.

Placing both data and equipment into a chart ranging from low to critical for security is a simple start for a large organization. However, this is a cumbersome undertaking and should be done professionally, or assigned to a team, to guarantee a comprehensive, unbiased assessment.

Once the risk assessment has been completed, a meeting with both IT and physical security representatives is necessary to outline who is responsible for which areas. More importantly, the group needs to make a determination of what new equipment will be required to produce the level of security required. This should not be seen as a simple one-hour meeting. In most cases, several meetings will be required, with research assigned to employees from both groups. In addition, who will control the different portions of the security must also be addressed. I have found that during these types of discussions, having an unbiased third party present helps keep things on track. I have attended several of these meetings as a representative from a security firm, to offer input and advice. By having no bias, I can give suggestions and point out concerns without anyone in the groups feeling under personal attack. Most organizations have a security firm they have worked with in the past. In most cases, they will have individuals who are more than willing to assist in this development stage.

Often times, both IT and the physical security guys will play active roles and may cross paths with regard to certain security aspects. In my opinion, this is an extremely good idea. It keeps any single group from controlling the keys to the castle. Having two departments with overlapping duties makes missing equipment and errors less likely, and provides an increased level of security awareness on all sides.

The day of the convergence between IT and physical security is upon us. To continue to maintain a separation of duties is to live in corporate denial. With so much at stake, the time needed to build and deploy a well-trained, cross-departmental team is far less than the time wasted by data compromise or in-staff fighting and the revenge of the nerds.

If you enjoyed this article, be sure to check out Stickley's book "The Truth About Identity Theft"