Computerworld - At a small company, the information security manager is sometimes also responsible for physical security. At very large corporations, the physical security -- sometimes called safety and security -- is a completely separate department, responsible for hardware such as biometric ID or badge systems, security cameras and the management of guards. Safety and security departments handle investigations of physical breaches, such as theft, and workplace violence.
Typically, the managers and staff assigned to the physical security department have completely different backgrounds from their counterparts in information security and have a different set of skills. One group deals in things like the Reid interview technique, proximity device criteria and perimeter security, and the other in things like routing, Unix administration, buffer overflows, span ports and rogue access points. In short, these two staffs speak different languages.
Don't get me wrong -- information security and physical security must work side by side. In my case, I will be working very closely with the physical security manager on many of the intellectual property initiatives I've been asked to tackle. We've already developed a strong relationship, but in every organization big enough to have separate security departments, it's necessary to draw a line in the sand. For some companies, the line is thick and definitive, while in others, it's very thin. But in either case, when you cross the line, you can create problems for the guy on the other side.
As I've mentioned in previous installments, I recently took a position as the information security manager at a fairly large company. Prior to my arrival, there hadn't been a dedicated information security manager on staff for almost a year. In the interim, information security responsibilities were absorbed by other departments. It was sensible and appropriate that the Unix team, network engineering and the help desk took on many traditional information security roles and responsibilities. And since there was no official point of contact for information security initiatives, the physical security manager took it upon himself to research a method to monitor employees' activities while they were logged into their workstations.
He did some research on the Internet and made some calls to colleagues. After that, he coordinated several rounds of vendor presentations and demos before finally funding a pilot program involving the installation of Digital Guardian from Verdasys Inc. in Waltham, Mass., on several desktop computers within the company. Digital Guardian, which can be installed either covertly or overtly, provides the ability to monitor a user's activity per a defined policy. The product can also be leveraged to control a user's desktop.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
