This column’s question relates to physical security supporting the mission of IT security:
Q: In our company, physical security system networks are independent of the business network. I suspect that there are benefits to convergence collaboration, but I’m not sure where to start. What should I consider first?
A: Desktop security is one of my favorite starting points.
Often I find that IT departments have their hands full with projects and operations, and have a hard time monitoring for compliance with corporate desktop security requirements. In reality, IT departments rarely have the personnel to inspect employee desk and workstation areas. Most companies have IT policies that assign the managers in each functional area to act as custodians for company computer equipment, but without some means of inspection and reporting, it is hard to effectively carry out such a scheme.
The nature of the desktop/work area inspections depends on the security measures specified in IT policies. Three common policies are the Acceptable Use Policy (acceptable use of computers, networks and information systems resources), the Clean Desktop Policy (about not leaving any confidential or private information on the desktop or in unlocked drawers), and the Information Security Policy.
Typical requirements for such policies include:
• Personnel must not leave their desktop computer or workstation unattended without logging out or locking their workstations.
• A screensaver with password protection must be used.
• Passwords must not be written down on sticky notes or paper slips.
• Desks and filing cabinets must be locked at the end of the work day.
• Portable computing devices such as laptops and PDAs must be locked away when not in use.
• CD/DVD discs and USB drives must be secured in a locked drawer.
• Desk drawers that contain company restricted, confidential or private information must be locked when the desk is unattended.
Putting Security Officers to Work
IT has an electronic equivalent to security patrols: network monitoring and scanning software. But this of course doesn’t help with physical desktop inspections. That’s where security officer physical patrols can provide extra value to the company, by adding a desktop inspection element to the security patrol plan. It is usually feasible to divide the building into sections whose desktops can be inspected in 15 to 30 minutes so that one or two areas can be inspected per patrol.
Before enacting the inspections, establish the actions that will be taken when violations are found, and provide notification to employees in advance; otherwise, employees will feel blind-sided and this will have a negative repercussion on Security and IT. It helps to collaborate with area managers about the actions that will be taken for specific violations, so that any concerns can be raised and exceptions can be identified. For example, an exception might apply to laboratory workstations that must be left running unattended when performing 24-hour actions.
When violations are found, typical actions are to log off computers and workstations that the user left running and logged in, and confiscate sticky notes or papers containing passwords (placing them in a sealed envelope that identifies the owner and storing securely). Unlocked drawers may have a piece of yellow tape placed across them. If confiscated, laptops must be securely stored and easily available for pickup so as not to inhibit employee work.
Very often, the first few patrol inspections find a number of violations. After word gets around, personnel begin to take the security requirements more seriously. Be sure to keep statistics on the type and number of violations found. It is a good ROI point for Security and IT both to be able to report 100-percent compliance with desktop security policy when achieved, and monitor it on an ongoing basis.
One company required repeat violators to attend a “Desktop Security Class” — which was in reality a company-sponsored pizza lunch where a security officer briefed the offenders on the rationale behind the policies, and the potential consequences of not rectifying computer and data vulnerabilities.
Write to Ray about this column at [email protected]. Ray Bernard, PSP, CHS-III, is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities. For more information, go to www.go-rbcs.com or call 949-831-6788.