Example #1: Physical Security Systems on the Network
Problem: The Security Department has been putting cameras and servers on my corporate network, and now I’m supposed to be responsible for them. How do we establish who is responsible for what? How do I get the appropriate security measures applied to the systems?
Question: How does IT normally handle it when people want to put systems or devices on the corporate network?
Answer: Service Level Agreements (SLAs) and standards. SLAs establish the level of service to be provided by IT, and standards set the minimum requirements for what can go on the network.
Recommendation: Do the usual. Negotiate an SLA with the Security Department like you usually would with any other department, and identify or develop an appropriate standard for the Security Department servers and equipment. If the systems don’t currently meet the standard, set a time frame for compliance that’s realistic and apply what security measures you can in the meantime (which you should be able to do according to the terms of the SLA).
Example #2: Protection for both Electronic and Physical Forms of Intellectual Property
Note to non-IT folks: Please bear with me through the following paragraphs. The numbers are just titles and sections of an information security standard. You can follow it without having to know the standard at all.
Problem: We have an IT security team that is applying ISO 27001 to develop an Information Security Management System (ISMS) for our intellectual property protection. But we also have physical forms of information to protect, including physical drawings and product prototypes in Engineering. What system or standard do we use for the security controls for the physical information forms, and who applies it?
Questions: How would you normally proceed with asset identification if there were only electronic information assets to be protected? How would you apply physical security controls to the physical IT infrastructure involved?
Answers: As described in ISO 27001, we would create an asset inventory per ISO 17799:2005 clause 7.1 – Inventory of assets. We would also apply ISO 17799:2005 clause 9 – Physical and environmental security for the information systems physical infrastructure.
Recommendations: Do what you would normally do. In the asset inventory, include the physical information assets like product prototypes and any other physical forms of information. Follow through as you normally would collaborate with your corporate Security Department about applying the physical security controls in 17799 clause 9. Ensure that the facility areas containing physical information forms are also subject to the appropriate types of security controls listed in clause 9, plus whatever additional controls your corporate Security Department recommends for physical protection.
If you haven’t collaborated with the Security Department before, simply outline the ISO 27001 process for the physical security folks, and show them ISO 17799 clause 9. They will understand that and be able to collaborate and synchronize with your project. Educate them on the basics like you would any other participant in your project.
Learning Opportunity
It can be helpful to view the initiative not just for its immediate objectives, but also as an opportunity to learn more about how cross-functional initiatives can be successful within your organization. People who can work effectively across functional area boundaries are valuable in just about any organization.
The Usual Successful Actions
When cross-functional collaboration is required, take whatever successful approach has worked for your organization in the past. If the initiative is something more than a very part-time effort over a couple of weeks, consider slightly formalizing it as a task force, collaboration team, cross-functional project or whatever works within your organization. If it is going to take time away from other responsibilities, it should at least have the approval of the participants’ managers. If the initiative requires input from stakeholders from various business units, a senior sponsor may be required to “bless” the initiative and request participation from the business units. If you haven’t been involved in an initiative with that broad a scope before, seek advice from the senior sponsor on interacting with the business units.
The key is to identify the usual successful approaches to performing the actions and collaborations that your initiative requires, and apply them as appropriate. Also, be sure to find the best way to say “thank you” to everyone who contributed.
A Helpful Reference
A very good reference for Physical Security and IT collaboration is the book Physical Security for IT by Michael Erbschloe. If your organization has an IT department, and you currently don’t have an element in your physical or IT security program that thoroughly covers physical security for IT infrastructure and data, then this book will give you the lay of the land and help you identify opportunities for improvement.
