The Internet Encyclopedia (Volume 3)



82 PHYSICAL SECURITY

and isolated to the extent possible. Fire divisions inhibit the spread of fire. Other construction techniques brace for earthquakes or high winds.

Once assets are in place, the physical perimeter of the organization must be defined; beyond some point, the responsibility for physical security switches to others (e.g., ISPs and civil authorities). This footprint (often a collection of widely scattered toeprints) determines where certain physical access controls can be installed.

Physical security doesn’t stop at the door. Events outside—riots, dust storms, rolling brownouts—can disturb operations inside. Physical security policies must provide for a timely, two-way flow of information (e.g., monitoring of weather forecasts and prompt reporting of internal incidents to relevant authorities).

Moreover, there is a virtual perimeter far more vast and complex than the geographic perimeter. Wherever the organization’s employees carry assets, physical security is an issue. Although physical access controls, such as biometric devices on laptops, help, mobile assets are at greater risk and, therefore, in greater need of encryption and redundancy. Crafting and communicating clear, effective policies regarding off-site resources are critical. In the end, the competence and trustworthiness of employees are the best defense.

Even if employees leave all physical objects at work, their knowledge remains with them. The usual nondisclosure agreements must be complemented by policies regarding appropriate usage of newsgroup bulletin boards. Policies for work-related behavior should address the following:


  1. access to facilities and services (when and where who
    can do what);

  2. appropriate use (how each allowed service may and
    may not be used);

  3. integrity of accounts (leaving computers unattended,
    lending accounts); and

  4. data management (backing up files, recycling and dis-
    posing of media).


The most ticklish of these is appropriate use. Some employers prohibit even personal e-mail saying, “I have to work late.” Others seem not to care about misuse of resources until glaring abuses arise. Neither policy extreme is optimal; research has shown that productivity is actually best when employees are allowed modest time for personal e-mail and Internet access. An alternative to written policy (and some form of enforcement) is to block specific Web sites or to allow only specific sites. The former is inadequate, and the latter is too restrictive in most cases. Yet another alternative is filtering software for Web usage or e-mail. If activity monitoring is used, notification of employees is not legally required. Nonetheless, it is best to spell out both what an employer expects in the way of behavior and what employees might expect with regard to what they may see as their “privacy.” In practice, monitoring should be used to control problems before they get out of hand, not to ambush employees. Activity monitoring as described actually covers a small fraction of the spectrum of security-related behavior.

Appropriate-use policy raises issues larger than the impact on profitability. Allowing an organization’s resources to be used to illegally duplicate copyrighted material contributes to a large and growing societal problem. There is an ethical (if not legal) obligation to consider not only theft of one’s own bandwidth, but also the theft of another’s intellectual property.

Every policy needs to be enforced, but the difficulty of doing so ranges from trivial to highly impractical. Whereas compliance in some areas (e.g., periodic changing of passwords) can be enforced automatically, checking to see where passwords have been written down is a completely different matter.

Additional security policies should be written specifically for human resource departments (e.g., background checks for certain categories of personnel), for managers (e.g., activity monitoring protocols), and for IT administrators (e.g., least privilege, to name only one of many).

The final component, as noted before, is education and enlightenment with regard to physical security. Policies cannot work if employees do not understand the policies and their rationales. Policies that are considered to be frivolous or unnecessarily restrictive tend to be ignored or circumvented. (Doors will be propped open.) That belief in policies must come from the top. This may require educating and enlightening corporate leaders, who must then lead by communicating down the chain of command their belief in the importance of physical security.

CONCLUSION

Physical security tends to receive less attention than it deserves. Yet cybersecurity depends on it. The two pillars of security must be balanced to defeat malicious insiders and outsiders. Ultimately, physical security is the greater challenge, because nature can be the biggest foe.

Physical security involves a broad range of topics outside the normal sphere of IT expertise. Consequently, to obtain the best protection, professionals in other fields should be consulted with regard to fire detection and suppression, power maintenance and conditioning, access to and monitoring of buildings and rooms, forensic science, managerial science, and disaster recovery. A basic understanding of how these areas relate to physical security facilitates communication with consultants. Combining information with the imagination to expect the unexpected leads to better physical security planning and practice.

The scope of physical security is wider than is immediately evident. It concerns an organization’s resources, wherever they go. An asset often forgotten is employees’ knowledge. Equally important are their intentions. Thus, physical security involves everyone, all the time. It relates to intangibles such as trust and privacy, and it must look inward as well as outward.

GLOSSARY

Class A fire Fire involving ordinary combustibles (e.g., wood, paper, and some plastics).

Class B fire Fire involving flammable or combustible liquid or gas (e.g., most solvents).