Are We Too Trusting?

Choose an area of interest:

Member Sign Up
Member Log On
Edit Member Profile
Newsletters
Editorial Inquiries
Privacy Policy
Reader Profile
About Us
Contact Us
Advertise

Newsline
Columnists & Columns
Newsletters

Resources/Tools
Associations, Societies & Firms
Federal and State Link Library
Newsletters & Journals
CPA Exam Study Guides
Glossary of Terms

Search Jobs
Post Resume
Career Resources
Post Jobs/Search Resumes
Professional Designations
Internships
Colleges & Universities

Login to Professional Education Center
Login to FMN Online
Login to CPA Report Online
Login to FMN Self-Study PEC
Login to CPA Report Self-Study PEC
FMN Video Subscriber Center
CPA Report Video Subscriber Center
Accounting & Finance CPE Programs
Corporate Training
Ethics & Compliance
Association Reseller Program
e-Learning Consulting
Engineering Education Programs

Professional Education Center

Choose an area of interest:

Byte of Success
Are We Too Trusting?
Protecting assets: a safe framework for the IT environment

July 2003 When I was a kid, the gas meter and electric meter were located in our house. When the meter reader would visit each month, he would knock on the back door, call out "gas man" and we would let him in to do his job. As I got a little older, this process changed; we started to require the flashing of gas company identification to enter our house. Our community threshold and expectations of trust had fallen.

Recently, a senior analyst with Gartner described the methods of a security consultant for a specific project. This consultant created an official looking badge on his home computer, added a "swipe bar" made out of electrical tape, and visited his client’s site. The front desk personnel did not stop him with his ID as he easily slipped into through the company’s front door. Next he walked to the door of the data center, waited for some folks to come by, and pretended to be having a swiping problem with the card entry system on the door to the center. The trusting employees let him in explaining, "I guess the system is misbehaving again." Once in the data center, he promptly instructed everyone to leave, explaining that he was there to fix something. After all of the IT staff in the data center had left, he promptly called the client’s CEO. The consultant said, "I have complete control of your data room!"

Right after September 11th, we became concerned and suspicious about all of our physical security. However, our underlying complacency made it easy to forget the message of not trusting anyone completely in our IT environments.

This is particularly important to discuss when considering that security spending remains one of the growth areas in many IT budgets. Though a periodic reminder of IT security priorities and ongoing vigilance is always appropriate, let’s spend some time addressing the most basic weakness – physical access to our IT assets that can undermine any other investment we make to protect those assets. Those assets are human capital (people), hardware (machines), and data (physical and near physical access to large quantities of data).

Before defining specific steps to better safeguard our assets, we must define a framework for imposing those instructions.

"Don’t judge a book by its cover." In Israel, the vulnerability of physical access translates into daily risks of being in the proximity of a bomb. Suicidal bombers dressing to blend into their surroundings by appearing to be Orthodox Jews or even Israeli soldiers is not uncommon. People dressing as employees, confidently acting as employees, and even disgruntled employees pose serious threats to the safety of these IT assets. We must have processes that impede the access and decrease the exposure to such people. Note: This is a learning process and will never be perfect.
There is such a thing as suspicious behavior. Everyone should feel a duty not to tolerate strange behaviors, even by fellow employees, without asking questions. The threat is not just theft, but vandalism, corporate espionage, and breach of customer/client/patient confidentiality. Political correctness has no place in protecting assets, though some instances require conversations with corporate counsel or even law enforcement personnel.
Training. We need training in the workplace to be more skeptical of people’s intent without becoming paranoid. Our employees must create an atmosphere where people are sensitive to the risks of simple things like leaving fire exits open unattended, but still enjoy working there. We must feel safe and cared for.
Processes must assess the likely vulnerability of suspicious behavior. The new airport model seems to waste thousands of hours by assuming we are all risks. Lifetimes are being wasted in lines. Should we be scanning the shoes of everyone entering tall building or airplanes because of one failed hijacker who was (surprise!) acting strangely? Imagine the economic impact to consumerism if malls or casinos imposed the same rules as the TSA! There must be a logical association, some human ROI, between the practicality of security procedure and reduction of risk.
Any security adds an administrative burden (think insurance). Remember to budget for IT security to include physical security or to include it more globally in the budget for each building housing your three types of IT assets.

Things to do
Having established the framework, the following should be considered in all IT environments.

Safeguard access to backup tapes and make sure that they are all accounted for and cannot easily disappear.
Make sure that your wireless and mobile users are not introducing risks by behavior.
Have an established process to revoke access to anyone fairly quickly. This includes access to buildings, rooms, and even hardware or data. You should have a basic IT security breach / IT loss protocol.
Establish reasonable after hours policies. Just as auditors typically frown upon employees who never take off even for vacation time, there maybe some concern about personnel who always come into the office over weekends and holidays.
Use and change locks appropriately. Keys should be periodically updated or entry codes changed, especially after disgruntled people leave. Why invite trouble?
Make sure that alarms work and know what they protect. Codes should also be updated in a timely fashion to reflect any new threat.
Reduce theft by using common sense. Keep equipment away from uncovered windows. Lock the equipment in a room, especially overnight. Tone down the room identification to be sure that it is for people who should be in the building, but may get lost. Room labels like data center for rooms that are not obviously the data center is advertising for trouble.
Consider establishing a sign in / sign out process for more sensitive IT areas. In some environments this adds to the accountability. One way to automate this may be archiving the card entry cards read.

Being sensitive to IT security by budgeting and maintaining tools like firewalls and anti-virus software is not enough. We must focus foremost on the easiest attack point, physical access, and once that is robustly secured move on to the more creative and difficult entry points.

CHAIM YUDKOWSKY, CPA, CITP is Chief Information Officer at Textilease Corp., a uniform and first aid services company serving the Southeast. He may be reached at 301-937-4555 or cyudkowsky@ByteofSuccess.com. Chaim is available to speak to your group or business on a variety of technology topics.

		Related Stories

		Total Cost of Aggravation Quotient On the Job Training The Evolution of the E-Meeting


		Related Courses

		Professional Education Center

Would you recommend this article?

5 (yes, highly)
4
3
2
1 (no, not at all)

Comments: