Get Physical About IT Security

Computerworld - A San Jose-based medical practice recently notified about 185,000 current and former patients about the theft of their personal information. Stored on two computers, the data was stolen from the medical office during a burglary that occurred March 28 .
Under California law SB 1386, the medical group was required to publicly disclose the computer security breach because the confidential information of California residents may have been compromised. Unfortunately, that law promises to teach both businesses and the public plenty of lessons about insufficient security practices like those highlighted in the San Jose case.
Let's face it: Hardware and software are usually less secure when they're located in an open workspace than they are when they're located in a separate computer room. Security is further decreased when the hardware and/or software is used within a network of computers that aren't housed at a single location. And the level of vulnerability is even higher when the network extends beyond the organization's premises. Some assets -- like hardware devices and data and software that are stored on file servers, PCs or removable media like tapes and disks -- need to be secured physically. Part of physical security is ensuring that only authorized personnel are permitted to transmit data and access devices on LANs.
The National Computer Security Center's "Glossary of Computer Security Terms" defines physical security as "the application of physical barriers and control procedures as preventive measures or countermeasures against threats to resources and sensitive information."
According to security expert and author Kevin Beaver, CISSP, "You cannot have any sense of information security if you don't implement proper physical security measures."
Unfortunately, IT departments may disregard physical security, fearing that it's too expensive or too much of a burden. But effectively controlling physical access to an organization's facilities should be the security staff's top concern.
When it comes to physical security, most organizations use one or a combination of mechanisms. Security guards are at the front line and should be trained to restrict the removal of assets from the premises. Among other things, they should be trained to record the identity of anyone removing assets. In addition, an authorization procedure should be established for those occasions when removing hardware and software from the premises is necessary.

A traditional lock is, of course, one of the simplest ways to secure physical access to IT assets. This ubiquitous security system has effectively impeded access for centuries. While it's decidedly low tech, this approach nevertheless remains appealing to those on a budget, since it's