Recently I noticed that in helping people resolve issues relating to the convergence of physical security and IT (roles and responsibilities as well as technology), my recommendations had one key theme in common: do the usual.
Example #1: Physical Security Systems on the Network
Problem: The Security Department has been putting cameras and servers on my corporate network, and suddenly now I’m supposed to be responsible for them. How do we establish who is responsible for what? How do I get the appropriate security measures applied to the systems?
Question: How does IT normally handle it when people want to put systems or devices on the corporate network?
Answer: Service Level Agreements (SLAs) and standards. SLAs establish the level of service to be provided by IT, and standards set the minimum requirements for what can go on the network.
Recommendation: Do the usual. Negotiate an SLA with the Security Department like you usually would with any other department, and identify or develop an appropriate standard for the Security Department servers and equipment. If the systems don’t currently meet the standard, set a realistic time frame for compliance and apply what security measures you can in the meantime (which you should be able to do according to the terms of the SLA).
Example #2: Protection for Both Electronic and Physical Forms of Intellectual Property
Note to non-IT folks: please bear with me through the following paragraphs. The numbers are just titles and sections of an information security standard. You can follow it without having to know the standard at all.
Problem: We have an IT security team that is applying ISO 27001 to develop an Information Security Management System (ISMS) for our intellectual property protection. But we also have physical forms of information to protect, including physical drawings and product prototypes in Engineering. What system or standard do we use for the security controls for the physical information forms, and who applies it?
Questions: How would you normally proceed with asset identification if there were only electronic information assets to be protected? How would you apply physical security controls to the physical IT infrastructure involved?
Answers: As described in ISO 27001, we would create an asset inventory per ISO 17799:2005 clause 7.1 – Inventory of assets. We would also apply ISO 17799:2005 clause 9 – Physical and environmental security for the information systems physical infrastructure.
Recommendations: Do what you would normally do. In the asset inventory, include the physical information assets like product prototypes and any other physical forms of information. Follow through as you normally would to collaborate with your corporate Security Department about applying the physical security controls in 17799 clause 9. Ensure that the facility areas containing physical information forms are also subject to the appropriate types of controls listed in clause 9, plus whatever additional controls your corporate Security Department recommends for physical protection.
If you haven’t collaborated with the Security Department before, simply outline the ISO 27001 process for the physical security folks, and show them ISO 17799 clause 9. They will understand that and be able to collaborate and synchronize with your project. Educate them on the basics like you would any other participant in your project.
The Usual Successful Actions
When cross-functional collaboration is required, take whatever successful approach has worked for your organization in the past—a task force, steering committee or whatever.
Your management security stakeholders can be of help—they will generally know (or be able to find out) what approaches have worked in your organization for whatever types of challenges you are facing. And if it is truly something entirely new, they can help to decide on a good approach and provide guidance from a higher perspective organizationally.
The key is to identify the usual approach or the usual successful actions, and apply them as appropriate. In many highly successful organizations, including Microsoft, this is a core strategy: success breeds success.
Best regards,
Ray Bernard