Today's facility manager is confronted with an ever-changing set of tasks when it comes to securing the assets of an enterprise. While the safekeeping of traditional physical assets is familiar ground for many, the new wired economy has thrust upon us a whole new realm of security challenges.
Although technology has simplified many activities within an organisation, and the Internet revolution has opened up new worlds of opportunity, these advancements have also put an enterprise's most valuable asset, information, at an increased risk.
Risk assessment
The first step in securing an organisation is to conduct a risk assessment. This is the process of identifying all of the assets that may have value, or that may damage the organisation's ability to operate should they be stolen or corrupted. In a risk assessment, physical assets are fairly easy to define because they are visible, tangible and appear on your balance sheets as capital equipment, inventories or negotiable instruments.
There are the obvious information assets such as product drawings, plans, schematics and customer lists. However, some critical information assets may be difficult to identify. One way to get started is to ask everyone what information they need to receive in order to perform their jobs. Once you have identified the information assets, identify their source, including where the information is stored and through what method it is delivered for use. Next, identify the impact on the enterprise should that information be stolen or corrupted. This exercise will help one to quantify the value of specific information assets and help establish a priority for their protection. The final part of a risk assessment will be to identify who - both inside and outside the organisation - poses a potential threat to the information.
The next step in securing your organisation is to develop a written security policy based on the organisation's assets and the risk assessment. Quite simply, it's a document that describes what is acceptable use of the organisation's assets, and how an individual gains access to them. It is advisable that the policy has a section that covers how to treat information regardless of format, and procedures for protecting the information. It is also a good idea to define in writing the potential consequences of policy violation. Once one has identified the assets, conducted a risk assessment, and developed a written security policy, the next step is to create a security plan.
Security plan
The security plan identifies specific steps that the organisation will undertake to protect its assets, how it will respond to the various types of threats identified in the risk assessment, and how it will create security awareness and educate staff on acceptable use and protection of assets. The importance of such training cannot be overemphasised.
A variety of tools are commercially available for protecting one's assets such as:
* Electronic access control - This is the fundamental building block and backbone of all asset protection. Available from a wide variety of manufacturers, electronic access control systems allow one to control who can access specific physical areas and facilities. These systems can provide an audit trail indicating who went where, and when. Use the risk assessment to determine which areas need to be under the control of an electronic access control system. Depending on the manufacturer, the system may offer integration with some, or all, of the other tools mentioned in this article.
* Visitor management - While most companies have visitors sign a register, and many issue them a 'Visitor' badge, this information is often kept in unusable formats (books stored somewhere), and can be virtually useless in attempting to conduct an investigation after an incident. Software-based visitor management systems are fairly new. Many offer integration into electronic access control systems and provide a database record of an organisation's visitors.
* Intrusion detection - Most access control systems offer physical intrusion detection capabilities as an integral part of their design. Some traditional intrusion detection systems can be integrated into a separate access control system for greater user flexibility and coverage. Again, using risk assessment, wherever one has assets, there should be intrusion detection.
* Asset tracking - Today, asset tracking systems are available that utilise radio-frequency identification technology (RFID), infrared (IR), bar code or multiple technologies. RFID and IR are preferred technologies for security applications because they can be read at a distance, often without anyone's knowledge. Asset movements can often be controlled with the same granularity that an electronic access control system provides for the movements of people, and an audit trail showing the asset's movement is often available as well. Sophisticated systems allow management to link assets to people, or groups of people, so that only authorised individuals may move an asset around a facility or remove it from a facility without triggering an alarm.
* Video surveillance - Whether older analog-based CCTV, or newer digital video recording and transmission systems, video surveillance not only provides one with evidence to investigate an incident, it can also be a strong deterrent to inappropriate action. One of the benefits that newer digital systems provide is the ability to integrate with some electronic access control systems.
* Authentication - Authentication, especially in the information world, is often defined by something one has (a card, token, key, etc), and something one knows (such as a password). Elaborate - and the most secure - authentication incorporates a third element: a physical, or biometric, trait such as a fingerprint, a voiceprint, hand geometry, iris print, etc.
* Firewall - A firewall is typically a computer network's first line of defence and is essentially a filter or access control system for a network that allows data to enter user-definable portions of the network from specific addresses and/or specific users. Attempts to breach the firewall are typically displayed in simple text-based messages on a central management console.
* Data Network Intrusion Detection Systems (DNIDS) are the information world's equivalent of a burglar alarm system. A DNIDS can consist of a hardware component/appliance and a software component, or it can be software-based only. Intrusion detection systems typically analyse the activity on a computer network at the data packet level, looking for anomalies in network activity or predefined 'attack signatures' that would indicate a hacking attempt. These systems are used inside the network and behind a firewall. Network intrusion detection systems will report when somebody is trying to access data that they are not authorised to view. Typically, a DNIDS will annunciate suspected illicit activity on some form of Graphical User Interface (GUI). Many systems can block an attacker through manual intervention, or automatically based on user-defined severity.
* Anti-virus systems - Of all the threats information may be exposed to, the one that is most common is some form of computer virus. Anti-virus (AV) systems typically scan incoming e-mail to each client (user) for known viruses, then either sanitise the content so it is safe to open or warn the user that a virus may be present. AV systems are simple to install and use, and should be required for every computer that accesses a network.
* Encryption - Data encryption software allows users to literally encrypt their files, emails, and other data, so that unauthorised individuals cannot use it if it is stolen or intercepted. Today's encryption software focuses not only on preventing unauthorised usage, but also on making it easy for users to encrypt their data. Encryption tools are vital for any type of portable information asset such as a notebook computer.
* Virtual Private Network (VPN) - A VPN is essentially a private network on public network infrastructure. If anyone accesses a network via the Internet or a dial-up connection, one should consider using a VPN. VPNs encrypt the data that is transmitted between the two parties so that if it is intercepted, it is useless. A VPN is vital for security if anyone in an organisation is going to be sending or receiving sensitive information from a remote location.
* Public-Key Infrastructure (PKI) - PKI addresses the management and issuance of digital certificates. A digital certificate is a type of authentication in which an individual keeps one piece of a mathematical key (the 'private key') with him/her, typically on a token or smartcard. When the private key matches the public key, authentication (identity) is established, and one can be reasonably certain that the data being transmitted is coming from the authorised individual or site.
* Paper shredder - This is the lowest-tech solution on the list but one of the most important. Searching through an organisation's or an individual's garbage is one of the oldest and most effective ways of gathering information.
All of the systems mentioned are available as standalone products. Some combinations of these tools may be available in an integrated system from a single vendor. Some vendors even offer solutions that allow different systems from different manufacturers to be integrated together. It's important to understand the difference between loosely integrated and seamlessly integrated systems.
Integration
A loosely integrated, or interfaced, system will often provide the user with multiple points of command, control, and monitoring over the various subsystems attached. A seamlessly integrated system provides a single GUI for all the individual sub-systems, and also stores all of the transactional data in a single database.
Furthermore, the software architecture is such that updates to all or any specific functions are easily accomplished, without worrying about negatively impacting the unaffected portions of the system. One of the core functional and operational advantages that seamless integration provides is realtime linking of events within the various subsystems.
Probably the most significant advantage a seamlessly integrated system offers is in data forensics. For example, if there is a theft of a notebook, instead of all that data being stored in different databases and having to be correlated manually, there would be a single view of all the data associated with the theft of that notebook computer. Furthermore, with the aid of seamlessly integrated digital video, video clips specific to the alarms could be stored in the database, and would eliminate any guesswork about the relevance of the video evidence.
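The notebook scenario above can be sketched in a few lines. This is an added example, not taken from the article or from any vendor's product; the record layout, badge and asset identifiers, door names and the 60-second linking window are all assumptions made for illustration. It links each asset read to the badge used at the same door, raises an alarm when that person is not an authorised custodian of the asset, and then builds the single time-ordered view across access control, asset tracking and video.

```python
from datetime import datetime, timedelta

# Constructed sample records: one table fed by three subsystems.
# (timestamp, subsystem, location, subject, detail)
EVENTS = [
    ("2024-03-01 17:58:10", "access", "lobby-exit", "badge:1042", "granted"),
    ("2024-03-01 18:02:41", "access", "lab-door", "badge:2077", "granted"),
    ("2024-03-01 18:03:05", "asset", "lab-door", "asset:NB-0193", "rfid-read"),
    ("2024-03-01 18:03:00", "video", "lab-door", "camera:7", "clip-0311.mp4"),
    ("2024-03-01 18:06:30", "access", "lobby-exit", "badge:2077", "granted"),
    ("2024-03-01 18:06:38", "asset", "lobby-exit", "asset:NB-0193", "rfid-read"),
    ("2024-03-01 18:06:35", "video", "lobby-exit", "camera:2", "clip-0312.mp4"),
    ("2024-03-01 19:15:00", "access", "lab-door", "badge:1042", "granted"),
]
# Asset-to-people links: who may move each asset (constructed).
CUSTODIANS = {"asset:NB-0193": {"badge:1042"}}
WINDOW = timedelta(seconds=60)  # assumed linking window

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def carrier(events, when, location):
    """Most recent badge read at the same door within WINDOW before the asset read."""
    reads = [e for e in events if e[1] == "access" and e[2] == location
             and timedelta(0) <= when - ts(e[0]) <= WINDOW]
    return max(reads, key=lambda e: ts(e[0]))[3] if reads else None

def alarms(events, custodians):
    """Asset reads whose linked badge holder is not an authorised custodian.
    An asset moving with no badge read at all (carrier is None) also alarms."""
    out = []
    for e in events:
        if e[1] != "asset":
            continue
        who = carrier(events, ts(e[0]), e[2])
        if who not in custodians.get(e[3], set()):
            out.append((e[0], e[2], e[3], who))
    return out

def incident_view(events, asset_id, custodians):
    """Single time-ordered view of every subsystem's records around the alarms."""
    hits = [(ts(t), loc) for t, loc, a, _ in alarms(events, custodians) if a == asset_id]
    view = [e for e in events
            if any(e[2] == loc and abs(ts(e[0]) - t) <= WINDOW for t, loc in hits)]
    return sorted(view, key=lambda e: ts(e[0]))

if __name__ == "__main__":
    for row in incident_view(EVENTS, "asset:NB-0193", CUSTODIANS):
        print(*row, sep="  ")
```

With loosely integrated systems the same answer requires exporting three separate logs and aligning their clocks and location names by hand before any of this matching can be done.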
Conclusion
Where does the future lie? It is not about physical asset security. It is not about information security. It is about security, period. Information is as valuable as gold, and potentially a lot easier to steal.
Technology is evolving to encompass both information and electronic/physical security into single, seamlessly integrated, open architecture based solutions that support component pieces from different vendors, allowing the end-user to choose best-in-breed solutions. Technology, as well as the growing recognition by management that all assets need comprehensive and cohesive protection, will spawn the creation of the new security professional, who will have dominion over all aspects of security within an organisation.
For details contact Lenel Systems International on tel: (0944) 1932 874 773.
© Technews Publishing (Pty) Ltd. | All Rights Reserved.