How Integrating Physical and Information Security Mitigates Risks
Though both are critical, physical and information security remain separate entities at many organizations. However, you can get a better grip on overall risk by integrating the two. Austin Recovery, a drug and alcohol treatment center, successfully took on the integration challenge, and what it learned can teach corporations valuable lessons.
Tue, September 04, 2012
CIO — The night watchman and the IT security guy rarely work together even though their jobs, at the core, are similar: to protect the company. At many organizations, physical and information security remain separate entities by happenstance and by history. By integrating the two, however, companies can better protect the assets, employees and valuable data that keep the business going.
The integration is a first step towards assessing the overall corporate risks that threaten a company. Yet enacting a plan that conceives security as a cohesive whole means overcoming entrenched resistance to integrating physical and information security, says Jonathan Ross, president and CEO of Austin Recovery, a drug and alcohol treatment center that recently finished such an integration.
Austin Recovery rolled out RedCloud's physical access control systems to secure the campus buildings and doors, linking the technology with its internal human resources directories. Austin Recovery employees with the proper authorization can control the RedCloud system through a secure Web interface.
The security lessons Austin Recovery learned during the integration can show corporate enterprises better ways to lock down information and protect employees and customers.
Realize You Need Help
Rehabilitation centers, like other health care organizations, must comply with Health Insurance Portability and Accountability Act (HIPAA) and other regulations intended to protect personal and medical information, and Austin Recovery works hard at this. Yet the general atmosphere there sometimes collides with the sense among security professionals that data, systems and the physical facility can be better battened down, Ross says. "The helping professions are a challenge. There's a sense things should be open."
As we should know by now, many industries allow too much openness, or at least a habit of leaving holes unplugged. Companies in retail, financial services, oil and gas, hospitality, food service, manufacturing and elsewhere suffered a combined 855 data breaches in 2011, according to Verizon, which works with law enforcement agencies in four countries to produce an annual report on breaches.
About 10 percent of these data incidents also involved a physical breach, such as gaining physical access to a device or system holding sensitive information, or substituting forged credentials for legitimate access codes to get into an office or machine.
Keeping physical and information security separate, as so many companies do, can create gaps between the two entities that let intrusions go unnoticed, says Michael Assante, president and CEO of the National Board of Information Security Examiners, a research organization that focuses on professional development of security specialists. The separation can also lead to ineffective response once an incident is discovered, he says.
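The two gaps the article describes, an HR directory that drives door access and intrusions that slip between the badge system and the IT logs, can be closed with a routine cross-check. The script below is an added example written for this page; it is not Austin Recovery's or RedCloud's code, and the CSV layouts, field names and HR record format are assumptions constructed for illustration. It reconciles badge grants against HR status (flagging badges that still work after a termination date, or that belong to nobody HR knows) and flags console logons on a machine by a user who has not badged into the building earlier that day.

```python
import csv
from datetime import datetime
from io import StringIO

# Constructed sample inputs (not from the article). The column layout is an
# assumption for this example, not any vendor's export format.
HR_DIRECTORY = {
    "alice": {"status": "active", "term_date": None},
    "bob": {"status": "terminated", "term_date": "2012-08-31"},
    "carol": {"status": "active", "term_date": None},
}

BADGE_LOG = """\
timestamp,user,door,result
2012-09-04T08:02:11,alice,ADMIN-FRONT,granted
2012-09-04T08:15:40,bob,ADMIN-FRONT,granted
2012-09-04T09:30:05,carol,ADMIN-FRONT,granted
2012-09-04T09:31:00,dave,ADMIN-FRONT,granted
"""

LOGON_LOG = """\
timestamp,user,host,logon_type
2012-09-04T08:05:30,alice,WS-ADMIN-01,interactive
2012-09-04T07:50:00,carol,WS-ADMIN-03,interactive
2012-09-04T09:35:00,carol,WS-ADMIN-03,interactive
2012-09-04T10:00:00,alice,VPN-GW,remote
"""


def parse_log(text):
    """Parse a CSV export into dicts, adding a parsed 'ts' datetime per row."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["ts"] = datetime.fromisoformat(row["timestamp"])
    return rows


def correlate(hr, badge_text, logon_text):
    """Return findings where the physical and IT records disagree."""
    badge = parse_log(badge_text)
    logons = parse_log(logon_text)
    findings = []

    # 1. Badge grants that the HR directory says should not have happened:
    #    the leaver process failed, or the cardholder is unknown to HR.
    for ev in badge:
        if ev["result"] != "granted":
            continue
        rec = hr.get(ev["user"])
        if rec is None:
            findings.append({"type": "badge_user_not_in_hr",
                             "user": ev["user"], "when": ev["timestamp"]})
        elif rec["status"] == "terminated":
            term = datetime.fromisoformat(rec["term_date"]).date()
            if ev["ts"].date() >= term:
                findings.append({"type": "badge_active_after_termination",
                                 "user": ev["user"], "when": ev["timestamp"]})

    # 2. Interactive (console) logons with no badge-in by that user earlier the
    #    same day: tailgating, a shared password, or someone else at the keyboard.
    #    Remote logons are skipped; they do not imply presence in the building.
    for lg in logons:
        if lg["logon_type"] != "interactive":
            continue
        entered = any(
            ev["user"] == lg["user"] and ev["result"] == "granted"
            and ev["ts"].date() == lg["ts"].date() and ev["ts"] <= lg["ts"]
            for ev in badge
        )
        if not entered:
            findings.append({"type": "console_logon_without_badge_in",
                             "user": lg["user"], "host": lg["host"],
                             "when": lg["timestamp"]})
    return findings


if __name__ == "__main__":
    for f in correlate(HR_DIRECTORY, BADGE_LOG, LOGON_LOG):
        print(f)
```

On the constructed data this yields three findings: bob's badge still opens the door four days after his termination date, dave holds a working badge but has no HR record, and carol is logged on at a console at 07:50 although her first badge-in is at 09:30. Each is a gap that neither the badge administrator nor the IT team would see from their own logs alone, which is the point of running the two against each other; in practice the same check is scheduled against nightly exports rather than run by hand.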