
IFSEC Insider, formerly IFSEC Global, is the leading online community and news platform for security and fire safety professionals.
August 3, 2001


Stepping up security

When it comes to securing the assets of any enterprise, today’s security manager is confronted with an ever-changing set of tasks. While physical asset protection may be familiar ground, the ‘wireless’ economy has thrust upon us a new realm of security challenges.
The first step in securing your organisation is to conduct a risk assessment. This will identify all the assets that may have value, or that may damage the organisation’s ability to operate should they be stolen or corrupted. Physical assets are easy enough to define, although some critical information assets may be more difficult to identify.
One way to get started is to ask everyone what information they need to do their jobs. Once you’ve identified the information to be guarded, determine its source (including where it is stored and through what method it’s delivered for use). Next, identify the impact on the enterprise should that information be stolen or corrupted, along with who – both inside and outside the organisation – poses a potential threat to its safety.
The next step is to develop a security policy. Based on the risk assessment, this will describe what is acceptable use of your organisation’s assets, and how an individual gains access to them. There should be a section that covers how to treat information, and procedures for protecting it. Also, decide the potential consequences of policy violation.
A security plan should then be put in place. This will identify specific steps that the organisation will undertake to protect its assets, how it will respond to the threats identified, and how it will educate staff on the acceptable use and protection of those assets.

Electronic access control and CCTV
Electronic access control is the fundamental building block and backbone of all asset protection. Electronic access control systems, of course, dictate who may enter the physical areas and facilities in a building, and they can be used to provide an audit trail of who has gone where and when.
Knowing and controlling who is visiting whom within an organisation is achieved through the specification of visitor management systems. These can be integrated with electronic access control systems to provide a database record of an organisation’s visitors. Authentication is the process of verifying that somebody is who they say they are, and is often defined by something they possess (a card) and/or something they know (a password). The most secure authentication incorporates a third element: a physical or biometric trait such as a fingerprint.
Radio-frequency identification technology (RFID), infrared, bar code or multiple technologies can all be used in asset tracking systems. In a typical system a tag with an identifier will be placed on an asset. That asset’s information is stored in a database (along with the identifier). Readers strategically placed throughout a facility will then record the asset’s movements.
The more sophisticated systems will allow the security manager to link assets with certain individuals or groups of individuals such that only staff authorised to do so can move an asset like a computer around the building.
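The asset tracking arrangement described above (a tagged asset, a database record keyed by the tag identifier, readers that record movements, and assets linked to the groups allowed to move them) can be illustrated with a small replay of reader events. The code below is an added example and not part of the original article; the tag identifiers, reader locations, card numbers and staff groups are all constructed for the illustration, and the assumption that a reader also sees the access control card presented at the same portal is the integration the article mentions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# All data below is constructed for this example.
# Each tagged asset: its name, its home reader location, and the staff groups
# authorised to move it (None means anyone may move it).
ASSETS: Dict[str, dict] = {
    "TAG-0001": {"name": "Laptop 17", "home": "R-FLOOR2", "allowed_groups": {"it-support"}},
    "TAG-0002": {"name": "Blade server 3", "home": "R-DATACENTRE",
                 "allowed_groups": {"it-support", "datacentre-ops"}},
    "TAG-0003": {"name": "Projector", "home": "R-FLOOR2", "allowed_groups": None},
}

# Access control card -> groups the card holder belongs to (constructed).
STAFF: Dict[str, Set[str]] = {
    "C-100": {"it-support"},
    "C-200": {"finance"},
}


@dataclass(frozen=True)
class ReaderEvent:
    ts: str              # timestamp of the read
    reader: str          # reader location
    tag: str             # tag identifier read from the asset
    card: Optional[str]  # access card presented at the same portal, if any


@dataclass(frozen=True)
class Alert:
    ts: str
    reader: str
    tag: str
    reason: str


def evaluate(events: List[ReaderEvent], assets=ASSETS, staff=STAFF) -> Tuple[List[Alert], Dict[str, str]]:
    """Replay reader events in time order: keep the audit trail of where each
    asset is, and raise an alert when an asset moves without authorisation."""
    alerts: List[Alert] = []
    location: Dict[str, str] = {tag: a["home"] for tag, a in assets.items()}
    for ev in sorted(events, key=lambda e: e.ts):
        asset = assets.get(ev.tag)
        if asset is None:
            alerts.append(Alert(ev.ts, ev.reader, ev.tag, "unknown tag"))
            continue
        previous = location[ev.tag]
        location[ev.tag] = ev.reader          # the audit trail is always updated
        if previous == ev.reader:
            continue                          # read again in the same place: not a move
        allowed = asset["allowed_groups"]
        if allowed is None:
            continue                          # unrestricted asset
        if ev.card is None:
            alerts.append(Alert(ev.ts, ev.reader, ev.tag,
                                f"{asset['name']} moved from {previous} without an identified person"))
        elif not (staff.get(ev.card, set()) & allowed):
            alerts.append(Alert(ev.ts, ev.reader, ev.tag,
                                f"{asset['name']} moved from {previous} by card {ev.card}, "
                                "which is not in an authorised group"))
    return alerts, location


def run_sample() -> Tuple[List[Alert], Dict[str, str]]:
    """A constructed morning of reader events."""
    events = [
        ReaderEvent("2001-08-03T09:00", "R-FLOOR2", "TAG-0001", "C-100"),   # laptop read at home
        ReaderEvent("2001-08-03T09:30", "R-LOBBY", "TAG-0001", "C-100"),    # moved by IT support: fine
        ReaderEvent("2001-08-03T10:00", "R-LOBBY", "TAG-0002", "C-200"),    # server moved by finance: alert
        ReaderEvent("2001-08-03T10:15", "R-CARPARK", "TAG-0003", None),     # unrestricted projector: fine
        ReaderEvent("2001-08-03T10:20", "R-CARPARK", "TAG-0001", None),     # laptop, nobody identified: alert
        ReaderEvent("2001-08-03T10:30", "R-LOBBY", "TAG-9999", "C-100"),    # tag not in the database: alert
    ]
    return evaluate(events)


if __name__ == "__main__":
    found, where = run_sample()
    for a in found:
        print(a.ts, a.reader, a.reason)
    print(where)
```

The audit trail is updated on every read, even when an alert is raised, so the security manager always has the asset's last known location; the alerts are the exceptions the system surfaces for follow-up.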
Let’s not forget video surveillance, an excellent deterrent. To make life easier, digital systems can integrate with some electronic access control systems. This avoids watching hours of tape when investigating an incident.
When looking for a solution to the information security side of asset protection there is just as much to consider as with physical asset protection. A firewall, for example, acts as a filter – or access control system – for a computer network. It allows data to enter user-definable portions of the network from specific addresses and/or users. Any attempts to breach the firewall are usually displayed in simple text-based messages on a central management console.
A Data Network Intrusion Detection System (DNID) can consist of a hardware component/appliance and a software component, or may be purely software-based. Intrusion detection systems analyse computer network activity at the data packet level, looking for anomalies in network activity or predefined "attack signatures" that indicate a hacking attempt. They are used inside a network and behind your firewall.
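The two preceding paragraphs describe a firewall filtering by address and port, reporting blocked attempts as simple text messages, and an intrusion detection system behind it inspecting packets for attack signatures and anomalies. The following code is an added example, not the article's own, and models both stages over a handful of constructed packet records; the rule set, the signature patterns, the addresses and the rate threshold are all assumptions made for the illustration.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    ts: int          # seconds since start of capture (constructed)
    src: str
    dst: str
    dport: int
    payload: bytes


# Firewall rules: (action, source network, permitted destination ports).
# First match wins; anything unmatched is dropped. Constructed for the example.
FIREWALL_RULES: List[Tuple[str, str, Set[int]]] = [
    ("allow", "10.0.0.0/8", {80, 443}),       # internal clients to the web servers
    ("allow", "203.0.113.0/24", {25}),        # partner mail relay
]


def firewall_permits(pkt: Packet, rules=FIREWALL_RULES) -> bool:
    """The firewall as an access control system for the network."""
    src = ipaddress.ip_address(pkt.src)
    for action, net, ports in rules:
        if src in ipaddress.ip_network(net) and pkt.dport in ports:
            return action == "allow"
    return False


# Constructed attack signatures: byte patterns that should not appear in
# legitimate requests to these services.
SIGNATURES: Dict[str, bytes] = {
    "sql-injection-probe": b"' OR 1=1",
    "directory-traversal": b"/../",
}


class IntrusionDetector:
    """Inspects packets that have already passed the firewall."""

    def __init__(self, rate_threshold: int = 5, window: int = 10):
        self.rate_threshold = rate_threshold
        self.window = window
        self.history: Dict[str, List[int]] = defaultdict(list)  # src -> timestamps seen

    def inspect(self, pkt: Packet) -> List[str]:
        alerts = []
        # 1. signature matching against the payload
        for name, pattern in SIGNATURES.items():
            if pattern in pkt.payload:
                alerts.append(f"SIGNATURE {name} from {pkt.src} to {pkt.dst}:{pkt.dport}")
        # 2. anomaly: one source sending unusually many packets in a short window
        seen = self.history[pkt.src]
        seen.append(pkt.ts)
        recent = [t for t in seen if pkt.ts - t <= self.window]
        self.history[pkt.src] = recent
        if len(recent) >= self.rate_threshold:
            alerts.append(f"ANOMALY {len(recent)} packets in {self.window}s from {pkt.src}")
        return alerts


def process(packets: List[Packet]) -> Tuple[List[str], List[str]]:
    """Run packets through the firewall, then the IDS. Returns the firewall's
    console messages and the IDS alerts."""
    console, alerts = [], []
    ids = IntrusionDetector()
    for pkt in packets:
        if not firewall_permits(pkt):
            console.append(f"BLOCKED {pkt.src} -> {pkt.dst}:{pkt.dport}")
            continue
        alerts.extend(ids.inspect(pkt))
    return console, alerts


def run_sample() -> Tuple[List[str], List[str]]:
    """A constructed capture: one blocked connection, two signature hits and one burst."""
    packets = [
        Packet(1, "10.1.1.5", "10.0.0.20", 80, b"GET /index.html"),
        Packet(2, "198.51.100.7", "10.0.0.20", 22, b""),                  # not permitted: blocked
        Packet(3, "10.1.1.5", "10.0.0.20", 80, b"GET /login?user=' OR 1=1"),
        Packet(4, "10.2.2.9", "10.0.0.20", 443, b"GET /files/../../secret"),
    ]
    packets += [Packet(5 + i, "10.3.3.3", "10.0.0.20", 80, b"GET /") for i in range(5)]
    packets.append(Packet(10, "203.0.113.9", "10.0.0.30", 25, b"EHLO mail"))
    return process(packets)


if __name__ == "__main__":
    for line in run_sample()[0] + run_sample()[1]:
        print(line)
```

Note the division of labour the article describes: the firewall never sees the payload and only decides admission, while the IDS only ever sees traffic the firewall has already admitted, which is why the blocked connection produces a console message but no IDS alert.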
Of all the threats that your company’s information may be exposed to, the one that’s almost guaranteed is some form of computer virus. Anti-virus systems scan incoming e-mail to each client (user) for known viruses, then either sanitise the content or warn the user that a virus may be present. You should make them a priority for every computer that accesses the company network.
Data encryption software allows users to encrypt their files, e-mails and other electronic data so that unauthorised individuals cannot use it if it’s stolen or intercepted. Today’s encryption software focuses not only on preventing unauthorised use but also on making it easy for users to encrypt their data.
Virtual Private Networks (VPNs) are another useful tool. VPNs are essentially a private network on a public network infrastructure. If anyone accesses your network via the Internet or a dial-up connection, you should consider using a VPN. VPNs encrypt the data that is transmitted between the two parties such that, if it’s intercepted, it is then rendered useless.
VPNs are vital if anyone in your organisation is going to be sending sensitive information from a remote location outside your network.
Public-Key Infrastructure (PKI) addresses the management and issuance of digital certificates. Digital certificates are a type of authentication where an individual keeps with them one piece of a mathematical key (the "private key"). The other part of the key (the "public key") is kept on the organisation’s PKI server or on a trusted third-party’s server. In simple terms, when the individual demonstrates that their private key corresponds to the public key, authentication is established.
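To make the "private key matches public key" idea concrete, here is an added example (not the article's own material) of the certificate issuance and challenge-response authentication that a PKI supports. It uses a textbook RSA implementation with 128-bit keys purely to keep the mathematics visible; the key generation, the certificate layout and the names are all assumptions made for the illustration, and a real deployment would use an established library and standard certificate formats rather than anything like this.

```python
import hashlib
import random
from dataclasses import dataclass
from typing import Callable, Tuple

PublicKey = Tuple[int, int]   # (n, e)
PrivateKey = Tuple[int, int]  # (n, d)


def _is_probable_prime(n: int, rounds: int = 25) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 128) -> Tuple[PublicKey, PrivateKey]:
    """Toy RSA key pair: the public half can be held by the PKI server,
    the private half stays with the individual."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:      # e is prime, so this guarantees gcd(e, phi) == 1
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))


def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key: PrivateKey, data: bytes) -> int:
    n, d = private_key
    return pow(_digest(data, n), d, n)


def verify(public_key: PublicKey, data: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == _digest(data, n)


@dataclass(frozen=True)
class Certificate:
    subject: str
    public_key: PublicKey
    signature: int          # issuer's signature over subject and public key


def _cert_body(subject: str, public_key: PublicKey) -> bytes:
    return f"{subject}|{public_key[0]}|{public_key[1]}".encode()


def issue_certificate(ca_private: PrivateKey, subject: str, public_key: PublicKey) -> Certificate:
    """The PKI's issuance step: the CA vouches for the binding of name to public key."""
    return Certificate(subject, public_key, sign(ca_private, _cert_body(subject, public_key)))


def authenticate(ca_public: PublicKey, cert: Certificate, respond: Callable[[bytes], int]) -> bool:
    """Server side. First check that the certificate really was issued by the
    CA, then send a fresh challenge and check that the response was produced
    with the private key matching the certified public key."""
    if not verify(ca_public, _cert_body(cert.subject, cert.public_key), cert.signature):
        return False
    challenge = random.getrandbits(128).to_bytes(16, "big")
    return verify(cert.public_key, challenge, respond(challenge))


def run_sample() -> Tuple[bool, bool, bool]:
    random.seed(2001)   # fixed seed so the worked example is repeatable
    ca_pub, ca_priv = generate_keypair()
    alice_pub, alice_priv = generate_keypair()
    other_pub, other_priv = generate_keypair()
    cert = issue_certificate(ca_priv, "alice@example.com", alice_pub)
    genuine = authenticate(ca_pub, cert, lambda c: sign(alice_priv, c))
    wrong_key = authenticate(ca_pub, cert, lambda c: sign(other_priv, c))       # holder lacks the private key
    self_issued = Certificate("other@example.com", other_pub, 12345)
    unissued = authenticate(ca_pub, self_issued, lambda c: sign(other_priv, c))  # not issued by the CA
    return genuine, wrong_key, unissued
```

The three outcomes from `run_sample()` are the three cases a security manager cares about: the genuine holder succeeds, someone presenting a valid certificate without the matching private key fails, and a certificate the organisation's CA never issued is rejected before any challenge is sent.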

Evaluating systems integration
It’s important for security managers to understand the difference between loosely integrated and seamlessly integrated systems.
A loosely integrated system will often provide the user with multiple points of command, control and monitoring over the various subsystems attached.
While this approach is better than a slew of separate, stand-alone systems, it’s not ideal. There are still multiple databases collecting and storing their respective data, which leads to data synchronisation problems.
Most importantly, security incidents in the real world tend to have many events and data transactions within the various systems associated with a single incident. With loosely integrated systems, all the forensic data will be in different databases, requiring somebody to sift through the data and attempt to correlate these separate transactions into a cohesive reconstruction of what has actually happened. In turn, critical data that could tie things together may well be overlooked.
Seamlessly integrated systems provide a single Graphical User Interface for all the individual sub-systems, while storing all the transactional data in a single database.
A core advantage of seamless integration is the real-time linking of events within the various IT subsystems, allowing actions in one system to trigger actions within another. For example, when an employee leaves an organisation, their access control card is deactivated. At the same time, their network access privileges are removed.
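The leaver scenario above, together with the earlier point about forensic data being scattered across loosely integrated databases, can be shown in code. This is an added example rather than anything from the article: a single event log shared by three subsystems, a handler that links the HR leaver event to the access control and network actions, and a timeline query that answers the "what actually happened" question from one place. The subsystem names, employee identifier and timestamps are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Event:
    ts: str
    subsystem: str     # "hr", "access_control" or "network"
    kind: str
    subject: str       # employee identifier
    detail: str = ""


class IntegratedSecuritySystem:
    """All subsystems write to one event log and share one set of state tables,
    so an enquiry about a person or an incident needs only one query."""

    def __init__(self) -> None:
        self.log: List[Event] = []
        self.card_active: Dict[str, bool] = {}
        self.account_enabled: Dict[str, bool] = {}
        self._handlers: Dict[str, List[Callable[[Event], None]]] = {}

    def on(self, kind: str, handler: Callable[[Event], None]) -> None:
        """Link an event kind in one subsystem to an action in another."""
        self._handlers.setdefault(kind, []).append(handler)

    def record(self, event: Event) -> None:
        self.log.append(event)
        for handler in self._handlers.get(event.kind, []):
            handler(event)

    # --- access control subsystem ---
    def present_card(self, ts: str, employee: str, door: str) -> bool:
        granted = self.card_active.get(employee, False)
        self.record(Event(ts, "access_control",
                          "door_opened" if granted else "door_refused", employee, door))
        return granted

    def deactivate_card(self, ts: str, employee: str) -> None:
        self.card_active[employee] = False
        self.record(Event(ts, "access_control", "card_deactivated", employee))

    # --- network subsystem ---
    def login(self, ts: str, employee: str, host: str) -> bool:
        allowed = self.account_enabled.get(employee, False)
        self.record(Event(ts, "network", "login" if allowed else "login_refused", employee, host))
        return allowed

    def disable_account(self, ts: str, employee: str) -> None:
        self.account_enabled[employee] = False
        self.record(Event(ts, "network", "account_disabled", employee))

    # --- the single database answers the forensic question directly ---
    def timeline(self, subject: str) -> List[Event]:
        return sorted((e for e in self.log if e.subject == subject), key=lambda e: e.ts)


def build_system() -> IntegratedSecuritySystem:
    system = IntegratedSecuritySystem()

    def on_leaver(ev: Event) -> None:
        # one HR event triggers actions in two other subsystems, in real time
        system.deactivate_card(ev.ts, ev.subject)
        system.disable_account(ev.ts, ev.subject)

    system.on("employee_left", on_leaver)
    return system


def run_sample() -> IntegratedSecuritySystem:
    """Constructed history of one employee before and after leaving."""
    s = build_system()
    s.card_active["E1042"] = True
    s.account_enabled["E1042"] = True
    s.present_card("2001-08-03T09:00", "E1042", "Door 4")
    s.login("2001-08-03T09:05", "E1042", "WS-17")
    s.record(Event("2001-08-03T17:00", "hr", "employee_left", "E1042"))
    s.present_card("2001-08-04T08:10", "E1042", "Door 4")     # refused: card deactivated
    s.login("2001-08-04T08:12", "E1042", "WS-17")             # refused: account disabled
    return s


if __name__ == "__main__":
    for e in run_sample().timeline("E1042"):
        print(e.ts, e.subsystem, e.kind, e.detail)
```

With a loosely integrated arrangement the door events, the login events and the HR record would sit in three databases and someone would have to join them by hand; here `timeline()` returns the whole sequence, including the two refused attempts after the leaver event, from the one store.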
Managers should not fall into the trap of thinking that asset and information protection is all about physical security or information security. It’s about security. Period.
Technology is not a threat. It will help spawn the ‘new breed’ of security professional: one who will enjoy dominion over all aspects of security within their organisation.
