Issue link: https://securitytechnologyexecutive.epubxp.com/i/107544
GET WITH IT By Kevin Beaver, CISSP Contingency Planning How to incorporate physical security into your business continuity efforts C "You have to fully understand which areas of your network will be most impacted during an event. In most cases, physical security systems will be near the top of the priority list." ontingency planning — whether you call it disaster recovery or business continuity — is one of those areas of business where a "good enough" approach just won't cut it. Yet, I often see organizations with disparate plans, teams that don't communicate and the like. Consequently, there are often large security gaps. It has occurred to me recently that physical security — namely physical security systems for access control and video — are particularly vulnerable in the event of a natural disaster or terrorist attack. Are you prepared to keep the organization running? Will your network, and thus your physical security systems, be able to withstand an unplanned outage? Will your business be able to resume operation if employees cannot get back into the building? What's going to happen with data center access and video surveillance? Here are three actionable areas to help ensure your physical security systems are covered under the umbrella of your business contingency plans: 1. Know what you've got. The general rule of thumb you can't secure what you don't acknowledge applies here. You have to know what's where. I often see physical access control and video systems that have been installed by a thirdparty systems integrator and nobody claims internal ownership in the corporate security or IT departments. The systems sit there on the network, unaccounted for, waiting to be exploited. All it would take is one disastrous event to send people scrambling trying to figure out how they systems operated and who knows how to get them going again. You have to fully understand which areas of your network will be most impacted during an event. In most cases, physical security systems will be near the top of the priority list. 2. Make sure the details are documented. Response and recovery procedures are the core of your contingency plan and, odds are, you already have a large piece of this completed. But what about the specific details related to your physical security systems — are they a part of your documentation as well? This includes network diagrams, system model numbers and firmware/ software versions and configuration information. In fact, making periodic backups of your system configurations can be invaluable in the event you need to restore existing systems or install new ones. Vendor and systems integrator contact information is nice to have in a pinch as well. 3. Don't overlook third-party facilities. Contingency planning also reaches to physical security controls in remote facilities. To the greatest extent possible, make sure you ask tough questions and ensure your vendors, such as hosting or co-location providers and cloud service providers, are in check. This is especially important if you have rack-level physical security equipment housed at these offsite locations. As painfully boring as it may be to delve into disaster recovery and/or business continuity plans, it must be done. Your organization cannot afford to be caught off guard. We've seen enough disasters in the past that we have good baseline to know what to plan for. Don't overlook the importance of your physical security systems in your contingency plans — they are perhaps the most important link binding all security components together. The smart approach is to expect it to spill. This means acknowledging that the odds are something will happen that takes your physical security systems offline and requires subsequent recovery. Your goal is to ensure the hassles, the security control gaps and the business risks are going to be minimized. The continued convergence of IT and corporate security combined with the overall complexity of your information systems makes this more important than ever. ❚ Kevin Beaver is a consultant with Atlanta-based Principle Logic LLC (www.principlelogic.com). He has authored/co-authored 11 books on information security, including the best-selling Hacking For Dummies as well as Implementation Strategies for Fulfilling and Maintaining IT Compliance. In addition, he's the creator of the Security on Wheels information security audio books and blog. Follow him on Twitter at @kevinbeaver and connect to him on LinkedIn. Today's Homework: Inventory your physical security systems and update your plans. Many network diagrams are outdated. Even if someone else is responsible, do yourself and your business a huge favor and document the physical security systems on your network. Be sure to include system location and functionality along with who is responsible for day-to-day oversight 24 and administration. At the very least, take the information you gather and add it to your disaster recovery and/or business continuity plans. If you don't have the time to formally integrate the information into the plan details, simply insert it into an appendix. Get started today! SECURITY TECHNOLOGY EXECUTIVE • January/February 2013 www.SecurityInfoWatch.com