Managing Network Risk

As security technology has continued to change and advance, security directors have been presented with a vast array of choices in designing and implementing a physical security program. The range of options can be a bit overwhelming at times, but...

Unplanned network outages are also a concern. Your role is to determine the impacts of a network outage for your security operation. This forces you to consider such features as store- and-forward systems to ensure that no loss of data occurs. Alarms and other critical features should have built-in redundancy. Check with your network administrators to determine if the network itself has built-in redundancy that you can take advantage of. If not, you may need to consider alternate means to get the signals through during system outages.

Finally, you need to manage your system impacts and growth. Ask for network utilization reports showing what your security systems are using. Look for patterns of growth or unusual activity to help alert you to problems before they get serious. For instance, say you have two office locations, the main office and a satellite office. Each of them is covered by streaming CCTV signals for 10 cameras.

The network in the main office is large and has excess capacity along with built-in redundancy, so your use of the network does not present any significant challenges. However, the satellite office is small, and the network there is sized accordingly. It is not a redundant system. You use a good deal more of the network than many of the other users. The impact of adding a new camera in the main office may be trivial, but in the satellite office it could be significant. Bottom line: You need to know what you're using, track it, plan for growth, and manage it accordingly.

Network Security Risks
If you have a background in information security, then the information that follows in this section of our discussion will be a basic review of standard network security risks. If you don't have that background, return your trays to the upright position and hang on to your seat-the ride may get a bit bumpy. The important issue for the physical security director is that if you are using the corporate network to deliver your physical security program, you need to be assured that the following issues are being dealt with appropriately in your company.

The following examples are not intended to be an exhaustive list of network security concerns, but they represent a selection of the issues that should be addressed in a well-constructed information security architecture. The details, components and control options will depend upon the individual business's risk management decisions. Any risk management decision should consider the value of the information protected, the cost to recover or restore damaged or lost data, the cost of downtime, the nature or impact of the exposures, the frequency of the exposures, the cost to customer confidence and public perception, the liability and regulatory impacts associated with losses, the impact on third parties, the impact on customers, and the cost of establishing and maintaining the controls.

User Authentication - Includes logon IDs and passwords. The use of logon IDs and properly configured passwords for access to resources from within the central network is sufficiently secure. Remote access and access over non-trusted (public) networks should require two-part authentication techniques such as RSA's SecurID. The key concept is to have the ability to verify the identity of the individual who has requested access.

Authentication may need to be layered depending on the business risk analysis. Principal layers to consider are network-level access, operating system access, critical network appliance components, application-level access, and hardware-level access.

Data Integrity - Protects the information from unauthorized modification and deletion. Only those with a recognized business need are given access to certain information. Your physical security data should not be accessible to other parties.

Data Confidentiality - Involves controlling disclosure of information to unauthorized individuals. Confidentiality can be both a legal requirement and a business expectation. It can become an issue for information that is normally well protected within the computer system or application, but that becomes easily accessible when sent over the network, particularly if any of that information is transmitted over a non-trusted network. In this case encryption standards may need to be employed.