Convergence Q&A

Oct. 27, 2008
IT Policy Compliance

This month’s column is prompted by feedback from collaborations between physical/corporate security departments and IT departments regarding compliance (or lack thereof) with corporate IT policies that apply to the handling of secure data. The IT departments in most medium and large organizations (and even some small ones) have three critically important policies that directly impact security departments:
• Computer and network use policy — What is and is not acceptable use of the organization’s computers and networks;
• Information systems security policy — Typically requiring anti-virus and other computer and network security be applied to computers and networks; and
• Data classification policy — How data is categorized based on criticality and sensitivity (such as confidential, private and trade secret), to facilitate its protection.
The names for these policies can vary. Some examples are: “Acceptable Computer Use Policy” or “Electronic Media Use Policy”; “Data Security Policy,” “Information Security Policy” or “Network Security Policy”; and “Data Classification Security Policy” or “Data Classification Standard.”
There are many reasons why it is important for security directors and managers to study and understand these policies, as they apply to all computers and networks owned by the organization. Many policies forbid copying organizational non-public data (which includes video stills and clips) to USB memory sticks and other media. The policies also make the manager of a department responsible for policy enforcement.
Data classification and information systems security policies usually establish the concept of “data owner,” “data steward” or “business owner of data” — meaning the data owner is responsible for identifying all of the data that is generated and/or used, and collaborating with a designated person in IT security to correctly classify the data and establish appropriate protective measures. For example, some security investigations material falls into the category of private employee information. Many policies mandate that such information is handled in very specific ways, for both electronic and paper information.
Here are some of the stories from security managers:

Q:

Have any unexpected outcomes resulted from your physical security and IT department collaboration?

A:

According to IT policy, the data generated by our security systems is classified as “Sensitive Information and Critical.” Critical information, by policy, is required to have high-assurance storage (such as RAID hard drives) and specific data backup procedures. Here we had been trying to sell management on the need for upgrading our access control and video front-end systems, and all along there was corporate policy mandating that we upgrade them!
— Security manager, Global high-tech company

A:

We have been sharing video clips with production area managers to support their safety and quality investigations. We recently learned that, according to company IT security policy, the CDs are supposed to be labeled with our company name and the words “Sensitive Information.” We are supposed to have a log of the CDs we issue, and we are also supposed to have written procedures established for destroying the CDs after a certain amount of time. Had any of the information been misused (for example, posted on YouTube), I — the security manager — would have been culpable for non-compliance. Our DVRs store about 30 days of video, and old video is overwritten, so although we didn’t have a written policy covering data destruction, we did in effect have a general 30-day policy.
— Security manager, Global manufacturing company

A:

Our corporate data security policies have specific requirements for any network equipment rooms housing equipment through which confidential or private data is transmitted — this includes some means of physical access control and a log of persons physically accessing the rooms. Our IT department was actually in violation of its own policies, so we added card readers and door monitor switches to all of the equipment rooms. We created a report in the access control system that prints out a log of access granted and denied to all IT rooms, and we run that monthly for the IT group. When we were done with this project, we had established an excellent rapport with the IT group, which now wants to put network cameras in a few critical equipment rooms, where multiple contractors have access to the rooms and on occasion IT equipment has been damaged with no clues as to how it happened.
— Manager of security systems, Engineering services firm

New Question

Q:

What benefits have you experienced from collaboration between physical security and IT?

If you have experience that relates to this question, or have other convergence experience you want to share, e-mail your answer to [email protected] or call 949-831-6788. If you have a question, we don’t need to reveal your name or company name. I look forward to hearing from you!

Ray Bernard, PSP, CHS-III is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities. Mr. Bernard has also provided pivotal strategic and technical advice in the security and building automation industries for more than 18 years. He is founder and publisher of The Security Minute 60-second newsletter (www.TheSecurityMinute.com). For more information about Ray Bernard and RBCS go to www.go-rbcs.com or call 949-831-6788.