By Stephen Purdy
Published in the March 2003 issue of Today’s Facility Manager
What comes to mind when thinking of information security?
- Is it protection of computerized information designated as sensitive?
- Perhaps it is protection from unauthorized access to a network.
- Is it shredding sensitive documents or controlling the disposition of excessive copies made at the copy machine?
- Is it having a screen saver set up with a 30-minute period of inactivity before it activates?
- Does it include sound proofing rooms so the discussions in important meetings cannot be overheard in the room next door?
- Is it protecting personnel files to ensure the privacy of confidential employee information?
The answer to all of these concerns and practices is “yes.” However, the real issue is how the responsibility for information security is going to be administered across multiple departments and venues within a company.
Before fms can begin to allocate responsibility, they need to have a clear understanding of fundamental information security concepts. In the abstract, information that needs to be protected is that information which, if compromised, could result in corporate liability or cause irreparable harm to the revenue earning potential of the company. As an example, a corporate adversary could use sensitive financial information to achieve a competitive advantage. Or, information that pertains to security systems and security procedures, building diagrams or blueprints, or even infrastructure support (electrical, HVAC, network diagrams, etc.) could be exploited to impact operational integrity, employee safety, security of corporate assets, and business continuity. Sensitive information that requires protection may be contained in printed or hard copy documents, and/or in an automated environment.
As a business issue, information security usually falls under the purview of the security, IT (information technology), MIS (management of information systems) departments, or a combination of these areas. However, these security measures impact the entire organization including the FM department.
Defining The Mission Of Information Security
Every department uses and controls information in both hard copy (physical) and electronic form. This information requires various levels of protection. It is crucial to identify the information that requires protection. And it is just as important to determine the levels of criticality of information so appropriate controls may be implemented. These controls should be consistent with legal requirements outlined in various laws and regulations relevant to individual industries, agencies, or corporate entities.
Within relevant laws and regulations (Title 18 United States Code (USC), Section 2701), concepts of confidential and proprietary information are defined. These codes include requirements for their protection and enumerate the information so administrative or judicial relief is available if unauthorized access or compromise is discovered.
Also, for government agencies and contractors, concepts of classified, unclassified, and sensitive-but-unclassified information are defined in a number of federal regulations. There are specific requirements for operational security controls.
Laws that regulate consumer privacy, such as the Financial Privacy Act, Fair Credit Reporting Act, etc., define what kind of information requires special protection. The regulated information does not have to be computerized. Many human resources or personnel departments store personnel files in hard copy form in file cabinets. Privacy laws identify certain medical and personnel information as confidential and require businesses to restrict access to this information.
The Computer Security Institute (CSI) annually conducts a computer crime and security survey. “Based on responses from 538 computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions, and universities, the findings of the 2001 Computer Crime and Security Survey confirm the threat from computer crime and other information security breaches continues unabated and that the financial toll is mounting.”
Highlights of the 2001 Computer Crime and Security Survey include:
- 85% of respondents (primarily large corporations and government agencies) detected computer security breaches within the last 12 months.
- 64% acknowledged financial losses due to computer breaches.
- 35% (186 respondents) were willing and/or able to quantify their financial losses. These 186 respondents reported $377,828,700 in financial losses. (In contrast, the losses from 249 respondents in 2000 totaled only $265,589,940. The average annual total over the three years prior to 2000 was $120,240,180.)
As in previous years, the most serious financial losses occurred through theft of proprietary information (34 respondents reported $151,230,100) and financial fraud (21 respondents reported $92,935,500).
Fms can make a significant contribution to the fulfillment of corporate responsibility to protect proprietary information by implementing controls that enhance the efforts of owners to provide the required information security. In a recent International Facility Management Association (IFMA) survey, a majority of fms felt employee safety and security was a high priority at their facilities.
It is a natural fit for fms to be involved with all aspects of security. The variety of information security measures at the disposal of fms is as broad as the nature of the information itself. However, controls generally fall into one of three categories: 1) policies and procedures, 2) physical controls, and 3) information technology controls.
Sample Controls Affecting Information Security
1. Policies And Procedures
- Define the information to be protected and its level of sensitivity.
- Develop a corporate document destruction and shredding policy with accompanying procedures (e.g., document shredding contractor and distributed shred containers for proprietary documents).
- Develop security operating procedures.
- Develop or contribute to employee security awareness training.
- Develop specific requirements for marking and disseminating corporate proprietary and trade secret information.
- Develop policies regarding employee responsibilities not to create unauthorized copies and disseminate proprietary, confidential, or otherwise restricted sensitive information.
2. Physical Controls
- Establish a hard perimeter for access to the facility through which all who pass shall be positively identified upon entry and exit. Utilize access control technology, video cameras, and alarm sensors on all perimeter access points.
- Create a public area for receiving visitors, deliveries, merchandise pickup, etc., with a positive access control from that area to internal office or operational sections.
- Place specially marked containers within the facility for the collection of discarded sensitive documents. Schedule regular document destruction services.
- Train employees to discard only worthless paper documents in routine trash.
- Control access to internal office space through card access and key control systems.
- Avoid providing contractors with a master key (this includes contract cleaning staff). Key management strategies should include a proprietary keyway hierarchy for office and supply rooms. Perimeter door keyways should be on a secure key blank rather than standard key blanks.
- Restrict employee access to the building via selected controlled entrances.
- Conduct occupant facility orientation sessions on a regular basis. Use these meetings to pass critical information to employees or tenants.
- Maintain control over access to critical infrastructure rooms (electrical room, HVAC, telephone room, network switching/router closets, etc.) through card access or a strict key management system.
- Provide auditable access control to network operation centers and technology support or data storage centers. Use of video cameras to document access is recommended.
- Provide auditable access control to areas where sensitive corporate documents, patents, trade secrets, etc., are stored in physical form.
- Provide auditable access control to personnel, medical, and other confidential employee or customer physical document and record storage areas.
- Restrict access to building blueprints and floor plans to authorized personnel only. Request that unauthorized copies not be produced and disseminated. Request that copies be returned when they have served their purpose.
3. Information Technology Controls
- Mandate the use of screen savers on employee desktop and laptop computer systems assigned to FM staff.
- Inventory desktop software and hardware.
- Store critical data on a protected network drive that is routinely backed up as part of the network operations recovery plan.
- Require that only authorized software be used on assigned computers.
- Utilize authenticated and secure access for users requiring remote access to FM information.
- Provide access to information technology closets to authorized personnel only.
Developing A Strategy
It is essential that organizations formalize the process for developing an information security strategy and gaining support from senior management. Without doing so, the efforts will be unfunded and implementation across departmental lines will be futile. The net result will be an information security posture only as strong as the weakest link, which is often reduced to physical security measures. Organizations should be aware that comprehensive information security includes both high tech (such as firewalls, anti-ping devices, and virus protection) and low tech components (such as access control and security personnel).
The next critical issue is to define what must be protected. This helps in developing a clear understanding of the mission. Procedures for securing the information can then be developed and uniformly adopted. Training and employee awareness programs can be developed with a consistent focus.
It is important to involve a variety of operational staff in the initial stages, especially people from human resources, personnel, and legal departments. Their guidance will be invaluable in establishing information security performance and compliance standards that can be adopted throughout an organization. Clearly, this is not a task that any one manager should take on alone. Input from all operational divisions is essential.
Everyone processes a variety of information that should be considered proprietary or confidential and not intended for public circulation. The general rule: if fms don’t want to see the information posted in the newspaper, they need to control its dissemination.
Management has seen, all too often, collections of office trash bagged for disposal and centrally collected on a loading dock waiting for the trash truck. The bags are left unattended and frequently contain sensitive information about the company: customer lists, pricing information, vendor information, sales forecasts, merger and acquisition memos, product design documents, etc.
All of this information should be controlled through a shredding program. Each department manager should develop procedures for the identification and destruction of sensitive documents consistent with corporate policy guidance.
Fms can be the glue to tie all these efforts together by providing document disposition support. They see a wide variety of problems and incidents as a result of their corporate function. This experience is invaluable in employee awareness programs. Within the FM staff, procedures can also be developed to minimize the risk of exposure of information that should be restricted from public access (floor plans, blueprints, contractor schedules, approved contractor lists, corporate telephone books, etc.). Significant compromises of corporate resources have been documented by people rummaging through corporate trash (a practice known as dumpster diving) resulting in thousands of dollars in losses.
Employees have been known to steal office equipment (cameras, calculators, etc.) by throwing them in the trash with the intent of retrieving them at a later date (perhaps with the help of an accomplice who picks the discarded item from the trash). In another case, a computer hacker rummages through the trash and picks out computer printouts and a company phone book.
The hacker begins placing pretext phone calls to secretaries to “socially engineer” the secretary into divulging inside information about the computer network, phone system, and key employees. The hacker uses the information to initiate a denial of service attack on the computer network and wages a war-dialing campaign to discover modem lines that could assist him or her in penetrating the network through dial-up maintenance ports.
Beyond Scrap Paper
Keep in mind that paper is not the only media through which information is exchanged. Computer disks, tapes, and discarded computer hard drives are often loaded with corporate information. Providing information cleansing services or guidance to users and the IT department can save companies from a potential compromise. Every computer system that is replaced should be checked to ensure that it no longer contains sensitive information before its final disposition.
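As an added example (not part of the original article), the check described above can be automated: the Python script below reads a drive image or block device block by block, counts blocks that are not fully zeroed after a wipe, and pulls readable text out of the first "dirty" blocks so the person signing off on disposal can see what was left behind. The constructed SAMPLE_IMAGE and the 4 KB block size are assumptions.

```python
import io
import sys

BLOCK_SIZE = 4096  # assumed block size; most wipes operate on 512 B or 4 KB sectors


def find_strings(data, min_len=6):
    """Return runs of printable ASCII at least min_len long (like the `strings` tool)."""
    runs, cur = [], bytearray()
    for b in data:
        if 32 <= b < 127:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                runs.append(cur.decode("ascii"))
            cur = bytearray()
    if len(cur) >= min_len:
        runs.append(cur.decode("ascii"))
    return runs


def verify_sanitized(stream, block_size=BLOCK_SIZE, max_samples=10):
    """Scan a block device or image; report how many blocks still hold data."""
    total = dirty = 0
    samples = []
    while True:
        block = stream.read(block_size)
        if not block:
            break
        total += 1
        if not any(block):        # every byte is zero: this block is clean
            continue
        dirty += 1
        if len(samples) < max_samples:
            samples.extend(find_strings(block))
    return {"blocks": total, "dirty_blocks": dirty,
            "clean": dirty == 0, "strings": samples[:max_samples]}


def verify_image_bytes(data):
    """Convenience wrapper for scanning an in-memory image."""
    return verify_sanitized(io.BytesIO(data))


# Constructed sample image: three wiped blocks, then one block with leftover text.
LEFTOVER = b"Customer list: ACME Corp, pricing tier A"
SAMPLE_IMAGE = bytes(BLOCK_SIZE * 3) + LEFTOVER.ljust(BLOCK_SIZE, b"\x00")

if __name__ == "__main__":
    # Pass a device or image path (e.g. /dev/sdb) to scan real media.
    src = open(sys.argv[1], "rb") if len(sys.argv) > 1 else io.BytesIO(SAMPLE_IMAGE)
    with src:
        print(verify_sanitized(src))
```

A clean result means every block read back as zeros; any dirty block is a reason to re-run the wipe (or physically destroy the media) before the drive leaves the building.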
Visitor logs, surveillance tapes, card access logs, and alarm system logs are also sensitive and can be used to exploit a weakness in the security coverage of a facility. This information needs to be protected and access restricted to authorized personnel only.
These are just a few of the measures that impact information security. There are literally hundreds more that may be a part of an overall security or business continuity program. One of the best approaches an fm can have with regard to information security is not to be trapped in a restricted thinking process. Creative, outside-the-box thinking helps immeasurably to keep the progressive fm ahead of the game and a valued corporate asset.