Corporate Security Sweep Uncovers Token Violations

An after-hours walk-through uncovers an array of security problems, including an unguarded token with its pass number clearly written on it.

June 16, 2003 12:00 PM ET

Computerworld - The terrorism alerts over the past few months have dramatically increased management's focus on physical security at my company. My team doesn't directly cover physical security, but our scope does extend to all of information security, not just IT or computer security. This means we're responsible for protecting information that's printed out or in transit, as well as data that resides within our information systems.
This can lead to overlap with the physical security team as well as security gaps, so we work very closely with the other team to try to avoid these problems.
They focus on guarding people, buildings and property. They also have stronger ties to law enforcement and the government. So while they deal with things like detecting phone taps and meeting-room bugs and handle the disposal of confidential materials, we cover information labeling and disclosure processes. While they stop social-engineering attackers from talking their way onto the premises, we handle social-engineering attacks via the telephone or e-mail.
Making a Sweep
Given the increased awareness about physical security, I decided to have my team carry out one of our regular sweeps of the building. I wanted to measure the access available to malicious intruders or insiders in search of confidential information or intellectual property.
The results would be anonymous to avoid creating scapegoats. Our goal was to inform management of the current level of exposure and to make sure that we would be included in future awareness-raising activities.
First, we had to agree on procedures that wouldn't put users at risk of disciplinary action, and I needed to find a way to protect my team. People have a high level of attachment to their work spaces: They see the space as theirs and are fiercely protective of it. Our tests might result in someone blaming us for thefts or claiming that we damaged their machines.
So I put a few simple ground rules in place. The first rule was not to touch anything. That meant no lifting keyboards and no opening drawers. However, the staff could take photographs, so there would be no debate about what was discovered. And to make sure we didn't get busted for snooping, we had a physical security team member with us at all times. I knew we wouldn't find everything, but at least we could do a swift, repeatable exercise and track our success at changing attitudes over time.
The good news is that only about 3% of work areas had problems. The bad news is that the problems we