In the past, the physical security and information security functions of an enterprise coexisted independently of each other. While merging them may seem sensible and cost-effective, security experts caution against convergence without first evaluating the associated risks.
A report from the Alliance for Enterprise Security Risk Management (AESRM) details the risks and vulnerabilities that organizations should look out for when making the move.
Converging physical security with IT involves taking devices such as smart-card and biometric readers, closed-circuit television (CCTV) cameras, alarm and sensor systems, and other electronic access controls and putting them onto the corporate IT network.
The potential risk areas outlined in the report include privacy and confidentiality, fraud prevention, the potential for identity theft, and network availability.
For instance, converting security monitors into IP-based cameras would give the company the ability to transmit images from those cameras through the company network, which could affect network availability, said AESRM chair Ray O’Hara.
Convergence without proper evaluation and planning could also lead to turf issues between people who are in charge of physical security and the IT network staff, he added.
“There [may also] be a collision of the industries where the security people would say, ‘We don’t want the IT people having access to [these devices],’ and the IT people would say, ‘If you’re going to put it on our network, we’re going to have access to it,’” explained the AESRM executive.
Convergence of the physical and digital worlds of security may also raise ownership battles that lead to increased isolation rather than collaboration.
“In a lot of places where you have a strong physical security component and information security program, the worst that happens is they shut each other out and say, ‘This is our problem; we’ll take care of it,’” said John Miller, president and founder of InfraGard Long Island Members Alliance Inc., a chapter of the cybercrime security initiative set up by the FBI in 2001.
AESRM’s O’Hara said that creating a “risk council” of the people responsible for managing the physical security and the IT infrastructure could help ensure that the company mitigates the risks and attains the expected benefits of convergence.
The AESRM report was put together by physical and IT security practitioners.
— with files from IDG News Service