Don Ulsch, risk management director for audit services provider Jefferson Wells, says enterprises that treat physical and information security as separate disciplines are making a mistake. Critical controls, like background checks, must be integrated into a corporate security policy because they could impact IT.
What mistakes are enterprises making when it comes to integrating physical and information security?

I've seen cases where companies focus their background checks on the executive level and miss the relatively low-level employee who may end up with high-level access to critical information. This could be someone who takes the fingerprints of contractors, new employees and visitors, and enrolls them into the biometric ID system. Though that person is low-level, he is coming into receipt of a high number of private identifiers like a fingerprint. Whenever someone's enrolled, the fingerprint appears on the monitor before it's encrypted. The administrator can't print or e-mail that image and can't copy it into a Word document, but he can get a high-resolution digital photo of it and turn it into a data file. Over a year, the person could aggregate several thousand fingerprints.
How would the average background check miss someone like that?

The person is deemed low-level and they have not had a background investigation, or they received a standard local court of jurisdiction check. But the person could be a felon convicted and arrested under federal standards. Because no federal court background investigation was authorized, the company never learns about the federal convictions.
How widespread is this kind of security gap?

In almost any company we go into, we find issues where there is the real potential for significant legal, reputation or financial damage over something like this. And it revolves around a lack of integration between physical security, IT security and risk management. Historically we have a lot of separate security and risk checks, but only recently have we looked at tying those components into one entity.
Which threats are overlooked?

Internet-enabled camera phones are a problem. Should you allow them into meeting rooms where sensitive information is being shared? These are things companies need to address in their security policies.
Blogs also constitute a real threat in terms of leaking sensitive information. In one company I dealt with, an IT architect disclosed sensitive information on a blog. He was blogging with friends trying to figure out a specific problem. Once a hacker on the other end gained his trust, the architect disclosed his company's security architecture. Less than 24 hours later, his company was hit with a massive attack.
Read the complete interview at searchsecurity.com/ismag