This is a point of policy and procedural convergence. For example, what kind of audit practice should be implemented to ensure that breaches or attack attempts are not missed? If an employee discovers that a laptop has been physically tampered with, where could it have occurred? Was it at an airport or other location on a traveler security watch-list? Who will take the report? Who will investigate? Should employee instructions regarding travel security be revised?
The answers all relate to the value of the material being protected (both to the organization and to the attacker), and the impact of a breach or loss of data or a device. In other words, an information risk analysis is required to inform electronic and procedural security planning.
Most security measure selections are basic business sense. Once you know the asset to be protected, its value to the business, the impact of loss or exposure, its vulnerabilities and attractiveness, the level of general attacker interest and the likelihood of a specific attack, the degree and type of protection that various security measures can provide is one decision factor, along with the costs. The decision is a basic business decision.
If you have convergence experience you want to share, e-mail your comments to me at ConvergenceQA@go-rbcs.com or call me at 949-831-6788.
Ray Bernard, PSP, CHS-III is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities. He is founder and publisher of The Security Minute 60-second newsletter (www.TheSecurityMinute.com). For more information about Ray Bernard and RBCS go to www.go-rbcs.com or call 949-831-6788. Mr. Bernard is also a member of the Subject Matter Expert Faculty of the Security Executive Council (www.SecurityExecutiveCouncil.com).