Secret Weapon for Securing Security Systems!

I’m talking about physical security systems—like facility access control and video systems—which are increasingly being connected to corporate networks.

These systems are notoriously not secure.

Don’t take my word for it. Ask the Alliance for Enterprise Security Risk Management (www.aesrm.org), whose first focus group issued a report titled “Convergent Security Risks in Physical Security Systems and IT Infrastructures” (a PDF file).

Secret Weapon

This week it dawned on me that most security managers responsible for these systems have a secret weapon they can use to help them get their systems secure.

That secret weapon is their organization’s Network Security Policy and its related standards. (I call it secret because most practitioners responsible for physical security systems are not aware of this policy.)

Typically, such policy documents mandate that certain security measures be implemented for any device that connects to the corporate network. Thus security managers would simply be complying with corporate policy when they apply computer and network security to their systems.

Of course, the other way to look at it is that they are in violation of corporate policy if they do not secure their systems! But I prefer to hold the more productive perspective, that such a policy warrants that they take immediate action, and that funds be allocated if necessary to support such an initiative.

Often corporate licensing for anti-virus software and other computer and network security requirements makes products available to the Security Department at no additional cost.

Recently I have seen corporate IT security policies whose definitions would apply to the equipment rooms housing the systems used for facility access control and security video. For example:

Data Center: A facility or room used to house computer systems and associated components, such as telecommunications and data storage systems, for information and communications systems necessary for the operations of the business.

Device: Any equipment that electronically forwards, stores, interfaces and/or facilitates access to corporate information assets. These include but are not limited to: desktop, notebook, laptop or tablet computers, and PDAs (Personal Digital Assistants).

Electronic Data: Information assets which are stored and/or transported electronically using computer systems and devices.

Information Asset: Any information that provides value to the corporation.

Network Equipment Rooms: A room which is dedicated to securing both voice and data network equipment. Sometimes referred to as an equipment or communications closet.

Data Owner: An individual within the corporation who has primary responsibility for information assets in the form of electronic data and for making policy-compliant decisions regarding their use.

Availability: Ensuring that information is available when and where it is needed.

Collaboration

Since the facility access control and security video data are critical data, by the definitions of most organizations the rooms housing these systems would be classified as data centers, and would be subject to the IT security and physical security standards established for data centers. Any rooms holding security system equipment (such as the control panels for access control systems) fall under the definition of a network equipment room (see above).

Most physical security practitioners can happily look to existing IT policy to find the requirements that apply to their systems. Most IT departments are happy to collaborate to bring these systems up to their standards. (After all, it is their job to secure the organization’s critical data systems.)

If you are looking for guidance on physical security and IT collaboration, download the two white papers I wrote for Intransa in support of an upcoming 2008 ASIS International educational initiative about putting physical security systems onto the corporate network.

One paper is for the Security Department (How Physical Security Can Transition to IT), the other is for the IT Department (How IT Can Support Security “Going IT”). [Note: you can scroll down on the Intransa Physical Security Document Library page, select both papers, and click Submit just once.]

If both departments apply the strategies and follow the recommended steps in these papers, their collaboration should go smoothly and be highly productive. You can download both papers from the same page – just check the box for each paper.

Now that you know about the secret weapon, let’s get those security systems secured now!

Best regards,
Ray Bernard

 
