Wednesday, May 7, 2008

ERM - BC - COOP: Security, more than firewalls

If you asked most business managers if they have "security," many would say "Sure" and direct you to InfoTech.

Which is fine, but dangerously limited.

Security needs to cover all dangers, InfoTech-related and otherwise.

Certainly information security needs to be implemented across the board - that means protecting servers, the data on them, email, and more. Firewalls, anti-virus, anti-this and anti-that applications all need to be in place.

But true security is more, and it focuses on people, an organization's most important resource.

Security starts before the parking lot and includes, for some organizations, restricting on-street parking (in cooperation with the local government).

I once worked for a foreign-headquartered international shipping company located next door to an insurance company staffed largely by former military types.

From time to time large trucks would park next to our building - the curb was less than 20 feet away.

I tried, without success, to get management to request the city to ban parking - at least truck parking - on the narrow street by the building. It was, if nothing else, a traffic safety hazard. What the execs, ensconced on the building's second floor, apparently failed to realize is that the small berm (rise) designed to force rainwater runoff would effectively push any blast from a parked vehicle up toward the second floor (hopefully sparing those of us on the first floor).

Another time I worked for a leading insurance company. This company (to its credit) had a "no tailgating" rule. All employees, including contractors, were badged; the badges opened the entrances to the buildings. The rule was that anyone caught tailgating - entering a building closely behind someone who had used his or her card to open the doors - would be fired. If the person who used his/her card to open the doors allowed the tailgater, that person also was fired. No discussion, just "good bye."

I think that is an excellent rule.

There was a State of Florida department with enlightened management that realized there were security issues to be considered in the parking lot.

All of the organizations mentioned so far had pretty good data security, but only some realized that security is more than just InfoTech.

Security also is more than "just" protecting personnel - employees and visitors.

It is making certain there is a level of personnel awareness, a "security consciousness."

Again, this goes beyond insisting that computers be protected with strong, regularly changed passwords. It includes emails and phone conversations; it includes "clean desk" environments and secured documents (paper and digital) whenever an area is unattended.

Security includes personnel awareness training and knowledge both of the rules and of the reasons behind them.

The bottom line: Security is more than protecting the servers; it is protecting the organization from all threats and it is a job for everyone, from the newest intern to the most senior executive.

Most organizations spend money to keep up to date with data security options.

Keeping "up to date" with physical security options usually is free; worst case, of minimal cost. Just ask the local constabulary. In most cases, the police - like the fire department - will send someone with all the expertise an organization needs to review current practice and recommend any needed enhancements.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
Planner @
