Since the advent of computer systems and widespread use of the internet, the function of Information Security Officer has been artificially separated from the Corporate (or Physical) Security function. Now, in an increasingly networked, post 9-11 world, these two security areas are moving closer and closer together. As both private corporations and government agencies struggle with the demands of maintaining a heightened level of security, issues of how information security should interact with physical security move into the spotlight.
There are several reasons for this convergence between information security and physical security. One of the primary reasons is that physical security elements have become increasingly computerized and networked. Physical lock and key systems have been replaced by smart cards that not only allow employees access to different areas in a facility, but also may keep audit trails of where employees spend their days.
Another example of this trend is surveillance cameras. Surveillance cameras, also known as CCTV (closed-circuit television) cameras, are used to record everything that they see onto VHS tapes. The obvious problem with VHS tapes is that someone has to change the tapes frequently, that is, take out the full tape and replace it with an empty tape. Time and time again, computers and other company property would disappear at precisely the moment that the tape switch took place. Many companies have now switched to newer digital technology, which eliminates the need to change tapes and creates a continuous audit trail. Of course, this record has to be protected, because it can't be locked up in a cabinet like the old VHS tapes.
Smart buildings are another example of old technology that has been replaced with digital, networked technology. Coordinated by a single network console, today's smart buildings can control access to different areas of the facility, control fire alarms and security system alarms, and control the heating and air conditioning units within the facility. A major provider of physical security solutions describes their product as "offering an all-encompassing security environment for multi-server enterprise system topology, central server systems, and mobile enterprise systems", supporting applications for access control, alarm monitoring, ID management, physical asset management, digital video surveillance, recording/archive management, smart card, biometrics and visitor management functions.
These new technologies for physical security have taken the practice of physical security to a new level, yet many of the practices that are commonplace in information security have not been adopted in this new environment.
Degrees of Separation Between Information & Physical Security
Prior to 1995, information security management and physical security management were completely separated. The information security officer position started with simple data center security, and then grew into the information security environment in which computers were on every desktop and eventually linked to the internet. Because the computer systems operations were managed out of the MIS (Management Information Systems) department, the security function was also created at this level in the organization.
By contrast, the physical security officer was usually a former policeman, or someone with a military background, whose main responsibility was creating and/or managing a uniformed guard service, keeping track of keys and managing a visitor badging program in the front lobby.
Today, the information security officer position has become increasingly technical, and the officer may have little knowledge of, or interest in, maintaining physical controls such as barriers, badges, security alarms, or, as they say, "guns, guards and dogs". At the same time, the physical security officer has had to become more technical to manage the new electronic controls.
Many companies have created new management structures to support the integration of information and physical security. Often, the Corporate Security Director is responsible for both types of security, with the Information Security Officer and the Physical Security Officer both reporting to the same individual. In some of the organizations that were interviewed for this article, the security offices are co-located, to facilitate information sharing between the two halves of the security program.