The key areas that all security managers should be mindful of when designing any security plan are: information security, physical security, security operations, security governance, business continuity, and security management. According to Barr (2010), to establish an effective security plan, security managers must evaluate and set priorities by asking a series of questions, namely any incidents over the past year, what threats are currently being profiled by industry experts or in the media, any high-end security measures are being utilized within the organization, like biometric identification; are partner enterprises monitoring and adjusting their own security posturing.
Proactive vs. Reactive Security Measures
There has been a trend in recent years as the two sides of enterprise security, physical and information, have merged into one singular concept what experts refer to as security convergence. The explanation is that each side has become interdependent on the other. This fact is examined by James Barr in his 2009 white paper report Security Convergence. In the report, Barr (2009) states that “…enterprises are rethinking the separations between physical security and facility security functions and information security functions.”
Security measures can be classified into two different categories, proactive and reactive. Security managers have the critical need to establish a security plan that balances proactive security and reactive security.
Proactive security measures constitute what security managers have in place to counter anticipated security breach attempts. Proactive measures include firewalls, packet sniffing protocol software, fences, surveillance devices, and biometric identification access protocols.
Reactive security measures are the countermeasures in place to respond to security breaches. This can include alarms, anti-malware applications, etc. Gen. Eugene Habiger, USAF (Ret.) surmises that the main problem with heavy reliance on reactive measures is that network specialists seek to address vulnerabilities with bolt on security measures, or software patches…and fail to address the underlying problem which is failure to adequately secure the physical assets (2010). In simple terms, many organizations worry about closing the barn door after the horse has escaped.
If security managers can reduce access to an organization’s IT infrastructure, they can seal off several potential avenues of compromise, particularly from within an organization. Physical security, as part of the overall IT security plan, is a facet to be ignored at a security manager’s peril.
The Importance of Physical Security Protocols to Network Security
Many hackers rely on breaches of physical security to aid in their overall intrusion attempts. It is not unknown for these crackers to penetrate the organization undercover as delivery personnel in attempt to uncover security lapses to access the network through a variety of social engineering methods.
Social engineering is the act of manipulation by the hacker through various electronic and personal means. The goal is to manipulate employees into giving away information, including passwords and other user information so that the hacker can breach the network.
Good physical security practices can go a long way to reduce overall risk. Maintaining server farms behind locked doors with restricted access to only authorized personnel is an excellent first step. The physical information infrastructure must be hardened to prevent breaches from within and without the organization. Another essential element to physical security is the installation of perimeter barriers around the organization’s most sensitive areas.
Effective physical security practices can go a long way to add to an organization’s overall network and information security plan and must not be overlooked. When a VA employee had a laptop stolen from his home possibly compromising personal information pertaining to 26 million US vets, the VA’s information only security measures were effectively thwarted by the absence of physical security surrounding the laptop, like the ability to track the device once lost or stolen.
In contrast, at AAI Corporation’s headquarters in Hunt Valley, Maryland, research and development engineering labs and their supporting computer system architecture are housed in a separate building that most visitors would never be allowed in unescorted. Even AAI employees who are not connected to the sensitive program research being undertaken inside the labs are considered unauthorized personnel.
In many cases, an organization will spend millions in hardening their computer system networks with the latest and greatest security software and firewalls but fail to adequately assess the physical properties of their systems. Physical security is an important function of the organization’s overall security plan. It can protect the organization’s physical IT assets and its people from potential security breaches.