



How Integrated are Your Physical and Technical Controls?

Feb 18, 2009 | 3 mins
Business Continuity | Data and Information Security | Physical Security

It's often forgotten that there are three types of security controls. Administrative controls, expressed as policies, are easy to remember: they are usually first on an auditor's list of requested artifacts. IT staff typically has technical controls well in hand, at least to the limits imposed by budget. Physical security, however, the legacy control that has existed since the time of the first burglar, is often left on its own. The steps needed to mesh physical, administrative, and technical controls are frequently missing from information security strategies.

A prime example of how this becomes a problem surfaced recently with the Los Alamos computer thefts.

The problem was that the theft was treated as a property management issue rather than a cyber security incident. And that was just the tip of the iceberg. “LANS has reported that 13 computers have been stolen or lost in the past 12 months, and that 67 computers are currently ‘missing.’ The magnitude of exposure and risk to the laboratory is at best unclear as little data on these losses has been collected or pursued given their treatment as property management issues as well.”

Source: William Jackson, "Physical Security and cybersecurity go hand in hand," Government Computer News, 17 February 2009.

The private sector has its problems too, as I explored in Anatomy of a physical security breach. In that case, equipment was stolen from a data center while security guards were on duty. It appeared there was no overlap of preventive, detective, and response controls, and guard policies were weak.

The most insidious physical security breaches, however, are those that go unnoticed. In many cases technical controls are strong enough that only physical access to a device will give an attacker sensitive information. Keeping an attacker far away from servers and end-user devices is therefore a key element of any security program. Otherwise, information can be removed from where it is processed or stored and carried out of the building in any number of ways, all very difficult to detect.

It isn’t that information security managers don’t understand these things.  Rather, organizations fail to understand the close relationship between physical, technical, and administrative controls.  In many cases, physical and information security efforts are managed by different directors, in two different chains of command, with different assigned priorities. 

For example, a security vendor was recently asked to perform a penetration test of a major corporation.  However, the IS director requested that the effectiveness of entry control at the corporate headquarters building not be checked.  Neither the IS director nor the IS security manager had any control over building security.  Further, there were issues in the relationship between building management and IS, so the IS director was hesitant to cause further tension.

During the penetration test, however, two consultants “inadvertently” walked past the security desk without being challenged, gained entry to the data center, and sat there for about 15 minutes before an engineer happened by and asked who they were.  This demonstrated a clear lack of physical security enforcement, but it was never reported to building services nor included in the test report.
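As an added illustration of what meshing the two control families can look like in practice (this is example code, not part of the original post and not from the vendor or corporation described): the two consultants sitting in the data center would have been noticed within minutes if console logons on data-center hosts were checked against the badge system. The script below correlates constructed badge-reader lines with constructed host logon lines and flags any console logon by a user whom the access-control system does not show as currently inside. The door identifier `DC-01`, the 12-hour dwell limit, the CSV layouts and the assumption that host usernames match badge-holder IDs are all assumptions made for the example.

```python
"""Correlate badge-reader events with console logons on data-center hosts.

Added example; log formats, names and constants are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

DATA_CENTER_DOOR = "DC-01"        # assumed door ID for the data-center entrance
MAX_DWELL = timedelta(hours=12)   # an IN older than this is not taken as "still inside"


@dataclass
class BadgeEvent:
    ts: datetime
    person: str      # badge-holder ID; assumed to equal the host username
    door: str
    direction: str   # "IN" or "OUT"


@dataclass
class LogonEvent:
    ts: datetime
    host: str
    user: str
    logon_type: str  # "console" (physically at the machine) or "remote"


# Constructed sample data. In practice these come from the access-control
# system and from the hosts' own logon records.
BADGE_LOG = [
    "2009-02-17T08:55:12,alice,DC-01,IN",
    "2009-02-17T12:10:03,alice,DC-01,OUT",
    "2009-02-17T13:40:00,bob,DC-01,IN",
]
HOST_LOG = [
    "2009-02-17T09:02:41,dc-sql-01,alice,console",  # alice badged in 7 min earlier: fine
    "2009-02-17T12:30:15,dc-sql-01,alice,console",  # alice badged OUT at 12:10: who is at the console?
    "2009-02-17T14:05:59,dc-web-02,bob,console",    # bob badged in, still inside: fine
    "2009-02-17T14:20:10,dc-web-02,carol,console",  # carol never badged in: tailgating or stolen creds
    "2009-02-17T15:00:00,dc-web-02,carol,remote",   # remote logon needs no badge: ignored
]


def parse_badge(lines: List[str]) -> List[BadgeEvent]:
    """Parse 'timestamp,person,door,direction' lines, oldest first."""
    events = []
    for line in lines:
        ts, person, door, direction = line.strip().split(",")
        events.append(BadgeEvent(datetime.fromisoformat(ts), person, door, direction))
    return sorted(events, key=lambda e: e.ts)


def parse_logons(lines: List[str]) -> List[LogonEvent]:
    """Parse 'timestamp,host,user,logon_type' lines, oldest first."""
    events = []
    for line in lines:
        ts, host, user, logon_type = line.strip().split(",")
        events.append(LogonEvent(datetime.fromisoformat(ts), host, user, logon_type))
    return sorted(events, key=lambda e: e.ts)


def last_dc_event(badges: List[BadgeEvent], person: str, when: datetime) -> Optional[BadgeEvent]:
    """Most recent data-center door event for `person` at or before `when`."""
    last = None
    for b in badges:
        if b.person == person and b.door == DATA_CENTER_DOOR and b.ts <= when:
            last = b  # list is sorted, so the last match is the most recent
    return last


def inside_at(badges: List[BadgeEvent], person: str, when: datetime) -> bool:
    """True if the badge system shows `person` inside the data center at `when`."""
    last = last_dc_event(badges, person, when)
    return last is not None and last.direction == "IN" and when - last.ts <= MAX_DWELL


def find_unbadged_console_logons(badge_lines: List[str], host_lines: List[str]) -> List[str]:
    """Return one alert string per console logon that has no matching badge entry."""
    badges = parse_badge(badge_lines)
    alerts = []
    for lg in parse_logons(host_lines):
        if lg.logon_type != "console":
            continue  # remote sessions do not require presence at the door
        if not inside_at(badges, lg.user, lg.ts):
            alerts.append(
                f"{lg.ts.isoformat()} console logon by {lg.user} on {lg.host} "
                f"with no matching badge entry at {DATA_CENTER_DOOR}"
            )
    return alerts


if __name__ == "__main__":
    for alert in find_unbadged_console_logons(BADGE_LOG, HOST_LOG):
        print("ALERT:", alert)
```

On the sample data this raises two alerts: the 12:30 logon as alice after she badged out, and the 14:20 logon as carol, who never badged in at all. Either is the signature of tailgating past the desk or of credentials being used by someone other than their owner, which is exactly the case above. The caveat is that the check only fires when the intruder logs on; someone who walks in and simply unplugs a disk generates no host event, so this detective control complements entry control rather than replacing it.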

Most security managers don’t have the clout to force collaboration with facility security.  However, there is a clear need to do so.  I guess all we can do is continue to tell the story to executive management and hope they eventually see the value in treating physical and technical security as two sides of the same proverbial coin.


Tom Olzak is an information security researcher and an IT professional with more than 34 years of experience in programming, network engineering and security. He has an MBA and a CISSP certification. He is an online instructor for the University of Phoenix, facilitating 400-level security classes.

Tom has held positions as an IS director, director of infrastructure engineering, director of information security and programming manager at a variety of manufacturing, healthcare and distribution companies. Before entering the private sector, he served 10 years in the U.S. Army Military Police, with four years as a military police investigator.

Tom has written three books: Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide. He is also the author of various papers on security management and has been a blogger for TechRepublic and Tom Olzak on Security.

The opinions expressed in this blog are those of Tom Olzak and do not necessarily represent those of IDG Communications Inc. or its parent, subsidiary or affiliated companies.