Wednesday, April 19, 2006

Converging facility and information security

Convergence in this case refers to a coming together of physical and information security practices within organizations. This “coming together” is being driven by two trends: increasingly sophisticated network-based management of facility infrastructure, and the increasing importance and sophistication of physical attacks against IT infrastructure. This merger is a difficult one, as facility and information security come from different cultures, and corporate turf wars make either side wary of relinquishing its traditional control.

Facility infrastructure requires measures to protect physical assets, through guard services, intrusion alarms, CCTV surveillance, and facility access control systems. Included among the physical assets are information technology resources such as servers, network devices, and communication lines. Denying potential attackers physical access to network equipment is essential to securing that equipment.

Facility access systems themselves are increasingly managed using shared information technology resources. Servers running off-the-shelf operating systems, network connections that run over IP and share links with other data, and management consoles based on common Web browsers are all becoming common. A compromise of network security could therefore leave facility security systems ineffective or compromised.

Information security and facility security share common concerns. Both protect valuable organizational assets. An attack against one can compromise resources that are the responsibility of the other. A breakdown of facility security can compromise information systems, and an attack against information systems can harm facility security.

Information and facility security convergence implies formal coordination between facility security operations and information security. In some cases, information and facility security functions may be merged and managed under a single executive. More commonly, these functions continue to report to separate executives, establishing formal and informal coordination on matters of common concern.

Some of the benefits of coordinating facility and information security include:

  • The ability to provide a common security program to support an organization-wide risk management program. This facilitates executive level visibility to security issues, and allows for coordinated strategies for asset protection.

  • Having a one-stop-shop for resolution of security issues particularly at the executive level. This assumes a corporate culture that values an explicit organization-wide risk management approach.

  • Increased information sharing among staff. While upper management benefits from increased coordination at top levels, information sharing among middle management and technical staff can improve the delivery of security services.

  • More versatile staff, cross-trained in facility and information security disciplines. Staff may perform roles involving both information and facility security such as investigations and audits.

  • Monetary savings by being able to optimize the use of technology across the board for asset protection.

Areas of common concern include investigations, hiring and termination processes (or “user provisioning”), business continuity, and industrial/facility control systems. The user provisioning process is of particular interest, as it opens up use of a single identifier for both facility and system access, relying on a common directory backend for authentication and authorization.
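As an added illustration of the single-identifier provisioning model described above (example code, not from the original post), the following Python models a common directory consulted by both a door controller and an IT system, shows a termination disabling both kinds of access in one place, and reconciles a badge system's local cache against the directory to find access that should have been revoked. The directory entries, policies and badge cache are constructed sample data.

```python
# Constructed sample directory: one entry per person, keyed by a single identifier
# that both the facility access system and the IT systems consult.
DIRECTORY = {
    "jdoe":   {"enabled": True,  "groups": {"staff", "datacenter-ops"}},
    "asmith": {"enabled": True,  "groups": {"staff"}},
    "bjones": {"enabled": False, "groups": {"staff", "datacenter-ops"}},  # terminated
}

# Door and system policies are expressed against the same directory groups, so a
# door and a server are authorized from one source of truth.
DOOR_POLICY = {"lobby": {"staff"}, "server-room": {"datacenter-ops"}}
SYSTEM_POLICY = {"vpn": {"staff"}, "console-host": {"datacenter-ops"}}

# Constructed badge-controller cache: such systems often keep a local copy of who
# holds an active badge, which can drift from the directory after terminations.
BADGE_CACHE = {"jdoe": "active", "bjones": "active", "ghost": "active"}


def authorize(user_id, resource, policy):
    """Common authz check: the identity must exist, be enabled, and hold a group
    that the policy grants for the requested resource."""
    entry = DIRECTORY.get(user_id)
    if entry is None or not entry["enabled"]:
        return False
    return bool(entry["groups"] & policy.get(resource, set()))


def door_access(user_id, door):
    return authorize(user_id, door, DOOR_POLICY)


def system_access(user_id, system):
    return authorize(user_id, system, SYSTEM_POLICY)


def terminate(user_id):
    """One deprovisioning action: disabling the directory entry revokes both
    facility and system access, since both consult the same record."""
    DIRECTORY[user_id]["enabled"] = False
    return not door_access(user_id, "lobby") and not system_access(user_id, "vpn")


def orphaned_badges():
    """Reconciliation check: badges still active in the controller cache whose
    directory identity is disabled or missing. These are revocations that the
    facility side has not yet applied."""
    return sorted(
        badge for badge, state in BADGE_CACHE.items()
        if state == "active" and not DIRECTORY.get(badge, {}).get("enabled")
    )
```

Running the reconciliation on a schedule, and alerting on a non-empty result, is the operational check that keeps the two systems from drifting apart after a termination.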

    More information on facility/information security convergence may be found at:,10801,108571p2,00.html