Physical and IT Security Convergence: The Basics
Here's the definition of convergence and an explanation of the desired payoffs and unexpected pitfalls that can obstruct efforts to merge physical security and cyber security.
Give me some more specific scenarios where this is necessary and worth the effort involved (because I suspect that effort will be big).
- Investigations.
Jim Mecsics arrived on the job at credit bureau Equifax in 2002 with a mandate to create a corporate security program: to bring together disparate pieces of security, including physical and information security, under one roof. It didn't take long for the reorganization to bear fruit. Some three months into his tenure, a large identity theft ring began hitting credit reporting agencies and was attempting to penetrate Equifax's networks. Mecsics and his team went to work: they set up a plan, mapped out the bad guys' architecture and worked closely with the FBI. Soon they pinpointed the intermediary company where the breach was taking place. (A former help desk employee at the intermediary company had stolen user codes and passwords and sold them to more than a dozen mostly Nigerian nationals in the New York City area.) At the end of 2002, the U.S. attorney's office in New York arrested the culprits, putting a stop to what it said was the largest identity theft ring in the country (some 30,000 identities were stolen). "That was a pure example of [the benefit of] us having everything under one umbrella," says Mecsics. "I had the ability to bring the data and fraud folks and everyone else together and come up with a cohesive strategy," he says. Mecsics didn't have to get authorization from people's bosses to work on the converged effort. He had the authority, he acted, and the coordinated security groups worked to the company's benefit.
- Terminations (and, conversely, new hires).
Also referred to as provisioning and deprovisioning. When your company brings new employees on board, they need all sorts of things, from network passwords to access cards to corporate credit cards. And then when they leave the company, the company needs to get its belongings back and also shut off access to networks and buildings in a timely manner. Companies with a coordinated approach to provisioning and deprovisioning do those things efficiently. (See BT's termination checklist, for example, at www.csoonline.com/read/090103/termination_checklist_1731.html.) Those who do these things in a scattershot manner are more likely to leave the door open for ex-employees to abscond with materials or intellectual property.
Quick case study: Children's Hospital in Boston has a complicated workforce. It's a teaching hospital, so in addition to normal staff turnover, new physicians come and go "in waves," according to CISO Paul Scheib. Some doctors are actually employees of various foundations rather than of the hospital itself. To help keep pace with creating and managing new network accounts and assigning the right privileges, the hospital first implemented password-management software and later a more complete identity-management suite from Courion. While the impetus was on the hiring end of the employee lifecycle, Scheib says a big payoff is that access can be shut off in a more timely manner when an employee leaves the organization. And Scheib finds himself working closely with the hospital's physical security group to integrate door access badges into the identity management approach. In the past, Scheib notes, "we had our information and they had theirs"; there was very little sharing of information. "Now we're working on a metadirectory project and starting to map both physical and infosecurity data and to define roles that require physical access to high-security areas such as surgical suites." Children's Hospital has no organizational initiative dubbed "convergence"; it's just security people recognizing the efficiencies of working together.
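The kind of check a metadirectory project like the one described above makes possible, as an added example (not code from the article, Children's Hospital or Courion): reconcile the HR roster against directory accounts and badge records to flag leavers whose access is still open, active staff holding high-security areas their role does not justify, and accounts or badges with no HR owner. All records and field names are constructed assumptions.

```python
"""Joiner/leaver reconciliation across HR, the directory and the badge system.

Added example; all feeds below are constructed sample data and the field
names are assumptions, not any vendor's schema.
"""

# Constructed sample feeds. In practice these would be exports from the HR
# system, the directory and the physical access control system.
HR = [
    {"id": "e100", "role": "surgeon", "status": "active"},
    {"id": "e101", "role": "billing", "status": "active"},
    {"id": "e102", "role": "resident", "status": "terminated"},
]
DIRECTORY = {"e100": True, "e101": True, "e102": True, "e999": True}  # id -> enabled?
BADGES = {
    "e100": {"active": True, "areas": {"lobby", "surgical_suite"}},
    "e101": {"active": True, "areas": {"lobby", "surgical_suite"}},
    "e102": {"active": True, "areas": {"lobby"}},
}
# Roles that legitimately need each high-security area (assumed policy).
AREA_POLICY = {"surgical_suite": {"surgeon", "or_nurse", "resident"}}


def reconcile(hr, directory, badges, policy):
    """Return sorted (person_id, finding) pairs where logical or physical
    access disagrees with HR status or with the role-to-area policy."""
    findings = []
    by_id = {p["id"]: p for p in hr}
    # 1. Leavers: anything still open in the directory or the badge system.
    for p in hr:
        if p["status"] != "terminated":
            continue
        if directory.get(p["id"]):
            findings.append((p["id"], "directory account still enabled after termination"))
        if badges.get(p["id"], {}).get("active"):
            findings.append((p["id"], "badge still active after termination"))
    # 2. Active staff whose badge opens a high-security area their role does not cover.
    for pid, badge in badges.items():
        person = by_id.get(pid)
        if person is None or person["status"] != "active" or not badge["active"]:
            continue
        for area in badge["areas"] & set(policy):
            if person["role"] not in policy[area]:
                findings.append((pid, f"role '{person['role']}' not approved for {area}"))
    # 3. Orphans: an account or badge with no HR record behind it.
    for pid in set(directory) | set(badges):
        if pid not in by_id:
            findings.append((pid, "no HR record for this account/badge"))
    return sorted(findings)
```

Run nightly against fresh exports, the output is the worklist for both the network and physical security teams rather than two separate lists that never meet.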
- Business continuity.
Mike Hager, who helped get OppenheimerFunds up and running four hours after their offices and systems at the World Trade Center were destroyed on 9/11, puts it this way: "Some companies have people who do information security, and people who do physical security, and people who do business continuity. The three people may come up with three separate answers about what to protect. If you have a total protection program, you can save a lot of time, money and effort. It just simplifies the whole process and makes it more effective."
- Dealing with camera phones, USB tokens and other gadgets.
An employee (or visitor, or janitor for that matter) connects a thumb drive to his work PC, copies a database with juicy customer details, and walks out the door. Or he uses a camera phone to wirelessly e-mail a surreptitious snapshot of your company's R&D area. Are these digital threats? Or physical ones? Who cares! Again, good communication between the information security and physical security functions will help you craft intelligent policies and enforcement measures to stop this kind of incident.
- SCADA and process control systems.
At manufacturing companies and utilities, Supervisory Control and Data Acquisition (SCADA) systems sit directly at the intersection of the physical and digital worlds. They are used to electronically control and monitor the actual machines that mix chemicals, control temperatures, and so on. Typically, network security professionals don't know much (if anything) about securing SCADA, and process engineers don't know anything about information security.
For Keith Antonides, corporate information security director at Rohm and Haas, a large specialty chemical manufacturing company, convergence has meant establishing a closer working relationship with the process control engineers. In the past, the engineers took care of the systems themselves. "When I joined the company six years ago, it was hands off, you have no authority here," he says. "After 9/11, they were asking for my input. It was a major shift." Antonides boned up on process control networks, and now he works in tandem with the engineers to do cybersecurity vulnerability assessments at the plants.
What are the roadblocks and potholes we need to plan to avoid on our way to convergence?
- Turf battles.
Many employees, both managers and lower-level staff, will be unhappy with any change to their turf. They're not going to like whom they report to, whom they have to work with and the new projects they're assigned to. Egos will be bruised, if not battered.
When Mecsics consolidated security functions at Equifax, he had to deal with pushback from certain process owners. For example, the CIO was reluctant to turn over control of his systems to Mecsics. So Mecsics used a personal approach in which he listened to their concerns and tried to win their hearts and minds. "I said, 'I'm not going to do anything to hurt your system or inhibit your business processes. I'm here to protect you so our CEO isn't standing before a congressional committee someday explaining why credit reports are in front of some gym locker,'" he says. He used the same approach with HR, which, prior to his arrival, handled all company personnel issues. Mecsics convinced the HR leadership that the security organization should take over responsibility for developing background check policies. He also assuaged their fear that he was coming in there to steal people from their department.