Continuing from last month, protection systems integrate people, procedures and equipment to safeguard assets against theft, sabotage and other malevolent attacks. Organisations typically have two major protection systems, one for physical security and one for IT security.
Standards
The benefits of standards have already been proven in the IT world. The past decade's growth in information systems and networking has required product and system providers to embrace standards. In general, the physical security industry is just starting to catch on to their importance. (The Security Industry Association's Open System Integration and Performance Standards [OSIPS] initiative is less than two years old.) However, a new forum has now been established to accelerate the introduction and adoption of security standards: the Open Security Exchange.
In a move uncharacteristic of the security industry's earlier days, four companies announced the formation of the Open Security Exchange on April 16, 2003. The OSE is a cross-industry collaborative group whose purpose is to define best practices and promote vendor-neutral specifications for integrating the management of security devices and policies across the enterprise. The four founding companies were Computer Associates International, Gemplus, HID Corporation and Software House.
The OSE's initial press release stated that it was "created to address today's most significant security challenge - the lack of integration between various components of the security infrastructure". By promoting more effective exchange of enterprise-wide security data, the OSE intends to enable organisations to significantly reduce both their exposure to a diverse range of threats and their total operation costs. At the announcement of the group's formation, Russell M. Artzt, vice president of Computer Associates International, said, "[Physical] security has not been dealt with in the same way that, for example, network and systems management have been dealt with over the last 10 years.
"People - IT people and physical security people - are very much aware of the problems in security, the complexities, the exposure to risks. And today we have really dealt with antivirus systems, firewall systems, but our IT organisations realise very well today that security needs to be managed much better. How do we deal with all the various security management problems coming in from firewall systems, [network] access control systems, physical access systems, antivirus?" asked Artzt. "The ability to understand security management across all these security technologies and disciplines is very, very important."
Initially, the Open Security Exchange will focus on the integration of physical and IT security technologies. Its first release is a 39-page specification called "PHYSBITS - Physical Security Bridge to IT Security." The specification can be downloaded from the OSE website. PHYSBITS presents a vendor-neutral approach for enabling collaboration between physical and IT security, including security management integration on three levels:
1. Common administration of users, privileges and credentials;
2. Common strong authentication for access to physical facilities and cyber systems through the use of dual-purpose credentials; and
3. Common point of security management and event auditability.
This specification is not just for those involved in the technical aspects of physical and security integration. The initial 10 pages of the specification have to do with security management. These 10 pages are a must-read for every person involved in managing physical and/or IT security.
The OSE's development of specifications and best practices will provide valuable tools that organisations can use to integrate security management. It will also establish a common ground for vendors that provide products and services in support of that objective.
Is physical security reluctant to embrace IT?
Physical security systems already embrace information technology, and many security products are based on information processing, networking, or some other aspect of IT. Organisations and their security personnel definitely rely upon the computing and networking capabilities of their physical security systems. There is no reluctance there.
But to date, nearly all of the talk about integrating physical and IT security has been at the technical level. Since the technology integration itself takes place in the IT domain (networks, databases, and information exchange) and the results are displayed or managed on computers, it is only natural for physical security people to leave such matters in the hands of IT. It is not really a reluctance to discuss the issues, so much as a recognition that such discussions, as they have been conducted, are not likely to be productive. A good understanding on both the physical and IT sides of the security management issues involved will make productive communication possible, and that is what is really needed.
Furthermore, widespread incorporation of information technology is blurring the distinction between physical and IT security. The figure below shows the primary areas of IT security. Infrastructure protection includes physical security measures. Business continuity involved physical security managers long before IT became involved. Information protection includes the performance of background checks for personnel as well as investigation into suspected or documented problems or incidents. These tasks have long been the province of physical security managers working with their HR departments. Overlaps in security functions exist in both directions - another reason to step back and take a wider look at the overall picture.
Getting up to speed
The rapid pace of technological change has made it difficult for security managers and physical security practitioners to keep up with IT issues, because IT is not their primary field. Many IT practitioners are familiar with information protection and rules-based systems, but they lack experience in thinking in the broader context of physical security.
In addition to the Open Security Exchange there are other places to turn for help, and one of the primary sources is ASIS International, which has member councils for many fields, including the Physical Security Council and the Information Technology Security Council. If you are involved in any aspect of security, join ASIS and get in touch with the security council for your area of practice to learn about events and publications of interest. Local ASIS chapters facilitate information sharing, so you should join the chapter nearest you and actively participate in its activities.
If the professional organisations in your industry do not have security issues on their radar screen, you should not find it hard to nudge them in that direction by participating in security-related initiatives. Often the resources of such organisations are under-utilised, because members do not let them know what issues they want help with in regards to security.
Benefiting from experienced professionals
Most security consultants themselves need to get up to speed with regard to integrated security management. However, there are a few firms who have already gotten started along this line, such as Control Risks Group, a leading international business risk consultancy (www.crg.com) and Pinkerton Consulting and Investigations, a global provider of corporate security services (www.ci-pinkerton.com).
Pinkerton and Computer Associates have joined forces in a strategic alliance to enable customers to better mitigate business risks through the protection of cyber and physical assets. The CA/Pinkerton alliance was created in response to organisations' growing concerns about the effectiveness of their security management operations. Pinkerton has worked directly with CA to develop security policies for CA's eTrust 20/.
"CA and Pinkerton are responding to a revolution in thinking about security challenges that is leading to the convergence of physical security, cyber security, and business continuity planning under a single executive," said Ty Richmond, senior director with Agilent Technologies, the world's leading designer, developer, manufacturer and provider of electronic and optical test, measurement and monitoring instruments, systems and solutions. "By leveraging CA's eTrust enterprise security management solutions and Pinkerton's end-to-end corporate security services, security executives should be better positioned to minimise corporate risk and protect the interests of their shareholders, customers, and employees."
Organisational readiness
Jeffrey A. Smith, the Western regional manager for General Dynamics Network Systems, has been dealing with critical security and IT projects for more than a decade. "The role of standards is critical, but you do need more than that," Smith said. "Without standards to point to and work from it is difficult to foster agreement between physical security and IT. You need to develop a roadmap that both can follow to implement the standards. Standards provide a basis, and roadmaps provide a way to accomplish things organisationally."
Since few companies have travelled down the physical and IT security integration road, roadmaps are only now being developed. However, knowing that sooner or later they will have to make the trip, organisations can start preparing for it without having a completed roadmap on hand. There are two reasons to start preparing now for the integration of physical and IT security:
1) It is not an instant process.
2) The preparations alone will benefit the organisation.
Phil Mailes, formerly of Lenel and now with S2 Security Corporation, relates a story that illustrates these points. "During a deployment of a physical access control system the customer wanted to import employee information into the system so as to negate the need for time-consuming keyboard input. During a roundtable kick-off meeting this issue was discussed. Initially it was suggested that the HR database should be the source of this information; however, it was then indicated that contractors, for example, were not on the HR database. The next suggestion was to use the e-mail directory, but again there was a problem in that not everybody had access to e-mail, i.e., cleaners or shop floor operatives. The final suggestion was the IT database, but again, not everyone had a log-on account.
"Finally, as the company had recently deployed a cashless vending system, it was decided to use this as the source database. Investigation of the various databases found that there were serious errors in all of them. In many cases people had left the organisation and had been removed from the HR database, but were still active in the IT and e-mail databases and so still had access to corporate resources. If they were so inclined they could have logged in and deleted files, for example. I have since found that this situation is not unique. In fact, many organisations have multiple legacy systems where the integrity of the data is questionable."
Preparing for integrated access control management
The following list provides a few preparation steps that must be performed in advance of any physical and information systems access control integration project.
* Locate all of the identity-related organisational databases, reconcile them, and if appropriate upgrade them to current levels of best practice and best product. (One approach is to implement an identity management system. This is not a small step and requires thorough analysis and planning).
* Document your existing policies, processes and procedures for physical and IT security.
* Discover, by interview and observation, any unknown or little-known de-facto policies, processes and procedures affecting security, and document these as well.
* Review the assignment of responsibilities for implementing and monitoring the policies, processes and procedures. Make sure the assignments are consistent with the current organisational structure and staffing. Verify that each person with responsibilities understands them and has the resources, authority and management support necessary to carry them out.
* If higher-level business security processes are not defined, work to define them at the general business level.
* Pull all of the above information together to establish an up-to-date baseline picture of the organisation's security, including identity management.
In addition to the immediate benefits, these steps will provide valuable input to future security initiatives.
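The "reconcile the identity databases" step above, and the leaver problem in Phil Mailes's account, as an added example that is not from the article or from any vendor named in it: it cross-checks constructed identity records from HR, IT, e-mail and vending sources, flags accounts still active in an access-granting system whose holder appears in no roster source, and picks the source with the widest coverage. The source names, identifiers and the roster/access split are assumptions made for the example.

```python
"""Reconcile identity sources before an access-control integration.
Constructed example: data, identifiers and functions are illustrative."""

# Constructed records: uid -> active flag, per source. HR lists employees only
# (and marks leavers inactive); the cashless vending system also covers
# contractors and shop-floor staff who have no e-mail or logon account.
SOURCES = {
    "hr":      {"u001": True, "u002": True, "u003": False, "u004": True},
    "it":      {"u001": True, "u002": True, "u003": True},
    "email":   {"u001": True, "u003": True, "u005": True},
    "vending": {"u001": True, "u002": True, "u004": True, "u005": True, "u006": True},
}
# Assumed split: sources whose presence shows someone is genuinely still at
# the organisation, versus sources that merely grant access to resources.
ROSTER_SOURCES = ("hr", "vending")
ACCESS_SOURCES = ("it", "email")


def active_ids(source):
    """Identities a source still treats as live."""
    return {uid for uid, active in source.items() if active}


def missing_from(sources, name):
    """Active identities known to some other source but not live in `name`.
    A large gap means `name` alone is not a safe import source."""
    everyone = set().union(*(active_ids(s) for s in sources.values()))
    return everyone - active_ids(sources[name])


def orphaned_accounts(sources):
    """Accounts still active in an access-granting source whose holder is in
    no roster source: the 'left, but never deprovisioned' case."""
    still_here = set().union(*(active_ids(sources[n]) for n in ROSTER_SOURCES))
    return {name: sorted(active_ids(sources[name]) - still_here)
            for name in ACCESS_SOURCES}


def best_import_source(sources):
    """Source whose live records cover the largest share of known identities."""
    return max(sources, key=lambda n: len(active_ids(sources[n])))


if __name__ == "__main__":
    print("missing from HR:", sorted(missing_from(SOURCES, "hr")))
    print("orphaned accounts:", orphaned_accounts(SOURCES))
    print("widest-coverage source:", best_import_source(SOURCES))
```

In the constructed data, u003 is the leaver who is inactive in HR but still holds live IT and e-mail accounts, which is exactly the condition the reconciliation is meant to surface before any import.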
© Technews Publishing (Pty) Ltd. | All Rights Reserved.