The best strategy is to ally physical security with IT and meet regularly to assess identification responsibility and common interests, according to David Kakish.


Advances in information technology (IT) are driving surprising change in surprising places, including the systems that control commercial and industrial facilities, identity management or access to them.

Furthermore, white collar crime, which used to refer to low-tech transgressions such as embezzlement or fraud, has also gone high tech.

So, the chief security officer’s job is expanding, often to include responsibility for investigating breaches of security as well as increasingly sophisticated approaches to physical plant security.

THE INTERSECTIONS

Certainly, personnel authentication and facility access control are major intersections between physical and IT security. The evidence:
  • Surveillance video is starting to run on Internet Protocol (IP) networks, with security video output being converted to digital information for storage and retention, as well as the increasing popularity of IP-based cameras.

  • Smart card and biometrics identification systems, growing in popularity to protect facilities and IT networks alike, rely on secure databases to store the unique markers for authorized personnel.

  • Security departments have long been a fixture in employee hiring or layoff processes. Today, with so many employees working on corporate networks, it’s a good idea to partner with IT to have a clear understanding of exactly what network access employees are issued, to check against if and when they leave.
These trends suggest that CSOs must invest in understanding fundamental aspects of IT security, at the least to ensure that their physical security technology infrastructure is as secure as the facilities they are assigned to protect. This is a triple challenge, because:
  • The pool of employees accessing the corporate network in any organization changes constantly, which increases the network’s vulnerability to security breaches.

  • IT security threats from outside the network evolve constantly.

  • IT security architectures therefore evolve constantly.


About the Source

Security Magazine thanks David Kakish, security technology specialist with CDW Corporation.

Look for three elements – monitoring, technology and security that go from end-to-end.

SIDEBAR: Banking on Proactive IT Security

The bank needed an additional layer of network security and found an answer.

As the largest independent cattle lender in Texas, Amarillo National Bank is among the largest family owned banks in the United States.

Bill Davis, data security officer for the bank, supervises security for a 620-node Microsoft-centric network that supports more than 500 employees in its central bank in Amarillo and branch banks throughout the city. Specifically, Davis was looking to add an additional layer of network security to his existing infrastructure that consists of firewalls, anti-virus and in-house IDS using the SNORT open source engine.

Davis emphasized, “Not only must we protect the integrity of our information, but we also have to demonstrate due diligence in meeting state and federal regulations.”

To maintain a strict segregation of duties, for example, Davis does not report to the bank’s CIO or IT department but rather to an executive vice president of the bank. Plus Davis has to produce regular reports for review by a data services committee established by the bank’s board of directors.

“I liked the idea of a managed service,” Davis said, “but the conventional managed service option proved far too costly.” Instead, Davis selected Alert Logic Threat Manager as the solution to complement his existing security infrastructure by providing an extra measure of security at critical choke points in his network.

Besides the added layer of internal network security, Davis appreciates the easy-to-use interface of the ID solution. He also noted the convenient reports he is able to generate himself, including incident summaries as well as vulnerability trends over time.

“I can produce reports on demand, and answer ad hoc queries by internal or external auditors,” Davis said. “I like having a solution that’s easy to manage myself, and one that can deliver reports to help demonstrate policy compliance and show that our security program is working.”