Contingency planning — whether you call it disaster recovery or business continuity — is one of those areas of business where a “good enough” approach just won’t cut it. Yet, interestingly, I often see organizations with disparate plans, teams that don’t communicate with one another and the like. Consequently, there are often large security gaps.
It has occurred to me recently that physical security — namely physical security systems for access control and video — are particularly vulnerable in the event of a natural disaster or terrorist attack. Are you prepared to keep the organization running? Will your network, and thus your physical security systems, be able to withstand an unplanned outage? Will your business be able to resume operation if employees cannot get back into the building? What’s going to happen with data center access and video surveillance?
Here are three actionable areas to help ensure your physical security systems are covered under the umbrella of your overall business contingency plans:
1. Know what you’ve got. The general rule of thumb you can’t secure what you don’t acknowledge applies here. You have to know what’s where. I often see physical access control and video systems that have been installed by a third-party systems integrator and nobody claims internal ownership in the corporate security or IT departments. The systems sit there on the network, unaccounted for, waiting to be exploited. All it would take is one disastrous event to send people scrambling trying to figure out how they systems operated and who knows how to get them going again.
You have to fully understand which areas of your network will be most impacted during an event. In most cases, physical security systems will be near the top of the priority list.
2. Make sure the details are documented. Response and recovery procedures are the core of your contingency plan and, odds are, you already have a large piece of this completed. But what about the specific details related to your physical security systems — are they a part of your documentation as well? This includes network diagrams, system model numbers and firmware/software versions and system configuration information. In fact, making periodic backups of your system configurations can be invaluable in the event you need to restore existing systems or install new ones. Vendor and systems integrator contact information is nice to have in a pinch as well.
3. Don’t overlook third-party facilities. Contingency planning also reaches to physical security controls you may have in remote facilities. To the greatest extent possible, make sure you ask the tough questions and ensure your vendors such as hosting or co-location providers and cloud service providers are in check. This is especially important if you have your own rack-level physical security equipment housed at these offsite locations.
Either way, the strongest of contingency plans can be made to look amateurish if you don’t consider all the elements. Leave no stone unturned.
As painfully boring as it may be to delve into your disaster recovery and/or business continuity plans and shore up the weak areas, it must be done. Your organization cannot afford to be caught off guard. We’ve seen enough disasters in the past dozen years that we have good baseline to know what to plan for. Don’t overlook the importance of your physical security systems in your contingency plans. They’re arguably the most important link binding all security components together.
The smart approach is to expect it to spill. This means acknowledging that the odds are something will happen that takes your physical security systems offline and requires subsequent recovery. Your goal is to ensure the hassles, the security control gaps and the business risks are going to be minimized. The continued convergence of IT and corporate security combined with the overall complexity of your information systems makes this more important than ever.