Contingency planning — whether you call it disaster recovery or business continuity — is one of those areas of business where a “good enough” approach just won’t cut it. Yet, interestingly, I often see organizations with disparate plans, teams that don’t communicate with one another and the like. Consequently, there are often large security gaps.
It has occurred to me recently that physical security — namely physical security systems for access control and video — are particularly vulnerable in the event of a natural disaster or terrorist attack. Are you prepared to keep the organization running? Will your network, and thus your physical security systems, be able to withstand an unplanned outage? Will your business be able to resume operation if employees cannot get back into the building? What’s going to happen with data center access and video surveillance?
Here are three actionable areas to help ensure your physical security systems are covered under the umbrella of your overall business contingency plans:
1. Know what you’ve got. The general rule of thumb you can’t secure what you don’t acknowledge applies here. You have to know what’s where. I often see physical access control and video systems that have been installed by a third-party systems integrator and nobody claims internal ownership in the corporate security or IT departments. The systems sit there on the network, unaccounted for, waiting to be exploited. All it would take is one disastrous event to send people scrambling trying to figure out how they systems operated and who knows how to get them going again.
You have to fully understand which areas of your network will be most impacted during an event. In most cases, physical security systems will be near the top of the priority list.
2. Make sure the details are documented. Response and recovery procedures are the core of your contingency plan and, odds are, you already have a large piece of this completed. But what about the specific details related to your physical security systems — are they a part of your documentation as well? This includes network diagrams, system model numbers and firmware/software versions and system configuration information. In fact, making periodic backups of your system configurations can be invaluable in the event you need to restore existing systems or install new ones. Vendor and systems integrator contact information is nice to have in a pinch as well.
3. Don’t overlook third-party facilities. Contingency planning also reaches to physical security controls you may have in remote facilities. To the greatest extent possible, make sure you ask the tough questions and ensure your vendors such as hosting or co-location providers and cloud service providers are in check. This is especially important if you have your own rack-level physical security equipment housed at these offsite locations.
Either way, the strongest of contingency plans can be made to look amateurish if you don’t consider all the elements. Leave no stone unturned.
As painfully boring as it may be to delve into your disaster recovery and/or business continuity plans and shore up the weak areas, it must be done. Your organization cannot afford to be caught off guard. We’ve seen enough disasters in the past dozen years that we have good baseline to know what to plan for. Don’t overlook the importance of your physical security systems in your contingency plans. They’re arguably the most important link binding all security components together.
The smart approach is to expect it to spill. This means acknowledging that the odds are something will happen that takes your physical security systems offline and requires subsequent recovery. Your goal is to ensure the hassles, the security control gaps and the business risks are going to be minimized. The continued convergence of IT and corporate security combined with the overall complexity of your information systems makes this more important than ever.
Today’s Homework: Inventory your physical security systems and update your plans.
Many network diagrams are so outdated they are more of a disservice to the business, especially after an outage or disaster. Even if someone else is responsible, do yourself and your business a huge favor and document the physical security systems on your network. Be sure to include system location and functionality along with who is responsible for day-to-day oversight and administration. At the very least, take the information you gather and add it to your disaster recovery and/or business continuity plans. If you don’t have the time to formally integrate the information into the plan details, simply insert it into an appendix. The most important thing is to have the information documented and available. Get started today. You’ll thank yourself when the time comes.
Kevin Beaver is an information security consultant, expert witness, author and professional speaker with Atlanta-based Principle Logic LLC (www.principlelogic.com). He has authored/co-authored 11 books on information security, including the best-selling Hacking For Dummies as well as Implementation Strategies for Fulfilling and Maintaining IT Compliance. In addition, he’s the creator of the Security on Wheels information security audio books and blog. Follow him on Twitter at @kevinbeaver and connect to him on LinkedIn.
