Information security and physical security are frequently viewed as either conflicting or as far removed from one another as the sun is from the moon.
It is generally accepted that physical security is concerned with the protection of physical assets such as the facility and the people, whereas information security is solely concerned with the protection of information. This would include intellectual property of the organization as well as the supporting data.
With this being the case, it is not unusual to hear an IT wizard declaring that the physical security group "Should be required to have a clue!" or a physical security expert claiming "The IT people just don't get it!" However, the two groups can usually agree about having a lock on the server room door.
Although this conflict can be attributed to differing priorities, it may be exacerbated by factors such as competition for limited resources, increasing demands for assurance and in some cases, business instability.
The 2001 Information Security Industry Survey showed a disturbing shift. As expected, more companies spent more than $1 million annually for security of their information. The unsettling news is that there was also a 20 percent increase in companies that decided to spend less that $100,000. The security budgets of 29 percent of the respondents had been cut or frozen and of those, only 24 percent were ever restored to their original funding levels.
This impacts the organization well beyond the information security department. In order to illustrate this, let's go back to basics and look at what security really is.
Security is a very broad field that touches every aspect of a business, from business continuity planning to liability of the organizational entity as well as its senior management. The field is usually divided into approximately 10 interrelated and interdependent domains. Each domain is concerned with applying controls to some aspect of the business. The unifying principle throughout the domains is controlling access to assets in such a way that the confidentiality, integrity and/or availability of the asset are protected. In the case of confidentiality, this would mean controlling people, programs or processes that have access to sensitive information. For integrity, it is controlling people, programs and processes that can modify the data, and for availability, it is controlling which people, programs and processes can use the asset and for what period of time.
With this clearly stated, it becomes obvious that information security and physical security may have different foci, but the same mission: controlling access to organizational assets. This mission dictates that both physical and information security groups put aside their differences and work together to enhance overall security. Composing a standard defense-in-depth or layered security strategy, familiar to both groups, can do this. However, to make it both more effective and efficient than usual, it should be composed of elements of both disciplines, selected to complement each other. Each layer in the defense should have controls that are designed to prevent security breaches, detect breaches (in real-time if possible) and respond in an appropriate manner. In some situations, such as transaction processing, it is also important to have corrective controls in place.
Physical security is the foundation of many of the other security domains, including information security. If it is weak that weakness will become a vulnerability in the information security. For example, consider an organization where the information security is very well implemented. One of the controls is that changes to the system can only be made from the console inside the server room. Suppose, due to a physical security weakness, an intruder could gain access to the console and from there compromise the system and get sensitive information. In this case, despite the technical network controls, there was vulnerability due to the physical security breach.
Other concerns include not only the theft of equipment, but also the search for technical vulnerabilities through physical means. This might include dumpster diving to gain contact lists, proprietary information and passwords. Social engineering is also a typically successful approach to bypassing information security controls. In our last example, the control (passwords) was in place, but it had been poorly implemented. Poor implementation is a weakness in any type of security. Controls must be applied consistently and according to an overall plan that is in accordance with the organizational security policy.
The security policy is the architecture upon which the entire security of the organization depends. It provides the blueprint for selecting appropriate controls, as well as the framework for their implementation. Without a comprehensive policy (or the heroic efforts of a few globally oriented individuals) security will continue to be implemented by domain, thus leaving huge vulnerabilities.
The creation of a sound policy is the responsibility of senior management. This is a step in showing 'due care' and in meeting the legal and regulatory responsibilities concerning data integrity, confidentiality and privacy. This also demonstrates management support for security, avoiding situations such as those that spawned the listing of "the lack of management support" as one of the top three obstacles to effective security in the 2001 Information Security Industry Survey. The policy also sets the stage for security professionals to apply their expertise in protecting organizational assets. When implemented n such a way as to integrate security specialties, the policy will allow for a security organization that will be more effective and make the most of available resources and budgets. A well-written policy will identify the roles and responsibilities of both the physical security team and the information security team.
Even the most well written policy coupled with enthusiastic and collaborative security experts may not be sufficient to protect organizational assets from even a single untrained or unaware individual. It is critical that organizations provide security awareness for their employees. Unfortunately this method of risk mitigation has fallen by the wayside, as organizations have increasingly chosen to spend their training budgets exclusively on training for discrete skills, such as application training or programming skills, and have eliminated the internal security training that taught employees organizational awareness, specific concerns, procedures and solutions. This type of training was intended as a way of reducing unintentional security breaches and bypasses, which resulted in a cost-effective strategy of risk avoidance.
With user education and sound policies to create the framework, physical and information security can interleave skills and controls to form effective, repeatable and consistent security for business assets throughout the organization.
Thresa Lang is a security and training consultant, who also teaches information systems protection at the George Washington University. She is a Cisco Certified Network Associate (CCNA), a systems analyst and a CISSP instructor.