Violence Predominates

The June-4 speech of US President Barack Obama in Cairo stating that the US was not at war with Islam has been widely acclaimed. Iranian President (Mahmood Ahmadiejad) was re-elected in a tense situation. History was made when the Israeli Prime Minister accepted the creation of a Palestinian state. For the first time, a woman Speaker took office in the Indian Parliament.

Terror situation in Afghanistan, Iraq and Pakistan continued to remain bad with repeated attacks on mosques and hotels. It is for the first time that the Taliban launched an attack on the soil of Pakistan-occupied-Kashmir. The Taliban had come to notice buying children at the rate between INR 500,000 to 2.5 million for converting them into suicide bombers. Reports of Muslim separatist insurgents recruiting at Islamic schools also came from Thailand. The Darul Uloom Haggania campus at Akara Khattak is being called the ‘university of jihad’. Religious tax, namely, ‘jiziya’ was imposed on Hindus in Khyber tribal region. The former chief of Bangladesh’s National Security Intelligence confirmed linkage between ISI and ULFA. The ULFA chief, Paresh Barua, is reportedly now in China. Danger of LTTE elements infiltrating into India as refugees has been indicated. The MI5 in UK started recruiting teachers for working as spies.

The left extremists intensified their activities in the states of Orissa, Jharkhand, West Bengal, Chhattisgarh and Maharashtra, resulting in the Government of India banning them as terrorist organisation. The area called Lalgarh (West Bengal) has been described as a ‘secret state’ belonging to the left extremists. Women guerrillas were sighted in Dhanbad area of Jharkhand, leading an attack on a police party, killing 10 policemen. In a welcome development, the Government of India approved a proposal for net-working of all police stations in the country.

The private security industry in Pakistan has been reported to be doing flourishing business. Leaders of the Central Association of Private Security Industry (CAPSI), in India, had called on the President of India on June 12, 2009. IISSM has extended support to 2009 Global Oil and Gas Energy Security meet, scheduled at Four Seasons Hotel & Resort, Sharm el Sheikh, Egypt, on October 12-14, 2009. Following some guidelines given by the Union Home Secretary during IISSM-2007, the IISSM had gone up to the government with a detailed proposal where private security could play an effective role in national security. The Director Generals of Police in the States had also been addressed accordingly. Now the State Security Associations have been requested by the IISSM to follow that up in their respective areas.

There is a telling account in the General File why we should be “masters of our mouths”. And, you may like to have a wink of sleep to help solve problems!

Thanking you and with best regards,

D. C. Nath, IPS (Retd.)
Former Special Director, IB (MHA), Govt. of India,
Executive President & CEO,
International Institute of Security and Safety Management,
New Delhi, India.

Go Top

Terrorism File

LTTE men may have infiltrated into India
New Delhi – As many as 300-400 LTTE militants may have infiltrated into India in the guise of refugee fleeing ...

Security File

Pak Army violates ceasefire, fires on Indian posts
Jammu/New Delhi – Pakistani soldiers on Wednesday fired seven rounds at Indian border posts in Copra, Rajouri sector ...

Industry News

Launch of Securitas India Website
Today , another and most important chapter is added to our journey from Walsons to become Securitas India...

General Information

Ex-Bangla spy chief confirms ISI-ULFA link
Dhaka – Pakistan’s ISI was linked to the sensational 2004 case of arms smuggling to ULFA militants in Assam from Bangladesh...

Appointments

P.V. Naik is new IAF chief
New Delhi – Air chief marshal Pradeep Vasant Naik on Sunday took over as the chief of IAF succeeding F.H. Major ...

Security Consultants Convergence - Security and Loss prevention – a case study

- Assoc Prof Kerran Campbell

Synopsis The Worlds airports were classified by Brig McKenzie–Orr in 1996 at the 3rd Asia Pacific Aviation Security Conference in Singapore that Airports were now Shopping Malls with Transportation attached. Airports were recently reclassified as the most secure shopping centres on the planet. The paper will examine the application of technology initially provided for aviation security purposes, however the technology has now been found to be invaluable in loss prevention. Those Airport vendors, many whom pay significant rents, deal in high value items in a crowded and pressured atmosphere benefit significantly from the secure environment in which they operate. The paper examines the risk management process adopted and the methods of validating the technology implemented. International Airports are a classic example of the convergence of these two facets of security.

1. Introduction The link between security and loss prevention has to some degree always been apparent. The loss prevention industry however have always dealt with threats of a unique nature that differed significantly from the general risk model and subsequent security methodologies that apply to the protection of assets and personnel. In recent times the advancement of technology, particularly with surveillance technology and video analytics has enabled the loss prevention and security personnel to work in a much closer relationship, as these particular tools used in the management of the threats applicable to their individual disciplines achieve similar outcomes. Loss prevention has unique threats that do not apply to general security. Indeed one could classify loss prevention as a micro discipline of security that has specific needs. Loss prevention applies to ALL retail enterprises, regardless of size or whether they deal directly with customers or in “e-retail”. In terms of the commercial impact of loss prevention the problem is one of global significance that cannot be ignored. Indeed appropriate loss prevention and can mean the difference between the commercial success and possible failure of the enterprise.

Notwithstanding the foregoing, I am of the opinion that the general proposition that there is not a convergence of security and loss prevention, it is not a necessity, and, where it does occur it only applies in specific applications.

2. Security and loss prevention It is worthwhile reflecting on the two elements being considered.

2.1 Role of security The role of security can generally be defined as the protection of assets and personnel. Regardless of the establishment or enterprise, or where these are located or operate across the globe there is a need to provide security resources to ensure that the expectations of all those who operate, work within or visit any type of facility can do so with a feeling of safety and well being. Security not only protects the human element it also protects the physical assets which enables the human element to live and function in today’s world. The extent and type of security applied depends on a multitude of factors, however can be seen as being primarily related to socio and geopolitical factors that apply to that particular location. The decision as to what extent and to how the security is applied is dependent on the threat assessment undertaken. The threat assessment process is generally very wide ranging, and considers a significant range of factors which generally take little account or no account of any factors associated with the retail process.

2.2 Role of Loss prevention The role of loss prevention can generally be defined as the managing the security of retail product through the supply, storage, display and sale chain. This also includes the threat opportunities that arise as result of the retail process, such as various types of fraud and embezzlement. The extent and type of loss prevention security applied also depends on a multitude of factors, however primarily they relate to socio economic factors that apply to that particular location. The decision as to what extent and to how the loss prevention is applied is also dependent on the threat assessment undertaken. The threat assessment process is usually very targeted and based on information that take into account factors that are specifically associated with the retail process.

2.3 Examples of co-existence The following are some examples of where there are opportunities for the co-existence and even convergence of security and loss prevention. ?? Airports – These are considered the most secure shopping complexes in the world in security terms, however they are also one of the most vulnerable to loss. The security of Airports is specifically provided to protect the aeroplane, and in achieving this is required to comply with a raft of outcomes defined by ICAO. It is the comprehensive nature of this protection that ensures the general security of the shopping element of the complex exceeds that that may be achieved anywhere else in a non aviation environment. The Airport shopping facilities vary from those retailing general consumer items in mini markets, to some of the most expensive products available. Because of the very high cost of rentals in Airports, the space available for both storage and display is minimal hence the ability to develop physical defences into the loss prevention process is limited. In addition to the above the clientele in airports, due to the physical limitations that can be applied cannot be selectively controlled, hence the risks that apply and potential shrinkage that can occur can be considerable. Airports however are one area where the co-existence loss prevention and security is achievable. ?? Shopping malls – These are also facilities where the two disciplines can not only co-exist, they can also support and feed off one another. The security of mall facilities is provided to ensure the safety and security of mall patrons in the public and non specific retail areas within the mall, the surrounding car parks and associated facilities. In addition, specifically although not limited to the Western World one of the major tasks of the security solution is to enable data to be gathered to prevent the mall patrons from litigation against the mall for negligence of various types. The application of loss prevention, however is targeted at the actual retail tenancies, regardless of them being an anchor or minor tenancy. The application of loss prevention is usually provided by the retail facilities. The function of loss prevention is provided by the retail outlet staff, or security staff specifically provided and trained for this purpose. ?? Warehousing – Warehousing and distribution centres can in some instances be an element of the retail chain. They can also be parts of other commercial or industrial chains. Depending on the product being warehoused, there are also requirements for loss prevention, in addition to provision of general security. Where the facilities are divorced from conventional retail, the co-existence of loss prevention and security is more apparent. ?? Casinos - These are the ultimate example of targeted loss prevention. The security function for Casinos revolve around the protection of the Casino patron’s, the facilities physical assets, large amounts of cash, and the safety and ambiance of the facility to ensure they can entice patron’s to participate in the Casinos gaming. The loss prevention in Casinos is targeted to ensure the risk management targets applied by the Casinos are achieved. The two disciplines do not converge in Casinos, and indeed for integrity reasons deliberately do NOT converge.

3. Airport security – a case study An Airport as noted in clause 2.3 above is a prime example of the co-existence of loss prevention with general security. Major international airports are relying more and more on the revenue generated from ancillary services such as retail and parking to supplement the cost of supporting the costly elements of the Aviation process. Aviation PAX can be seen as almost the perfect passing trade for retail. A large % of PAX generally have the resources to enable expenditure on what could be described as luxury items, and/or in many cases due to being in holiday mode, make purchases of goods that they would not normally make in their daily life. Combine this with the fact the Passenger (PAX) are captive, i.e. they are contained within an area, (usually smaller than desirable) for a minimum of two hours between entering the Terminal secured zone, and departing the lounge for the aircraft. This time in the vicinity of the retail facilities can vary from Airport to Airport, and can be shortened depending on the screening solution applied to the terminal, however it can also be extended by aircraft delays. There is extensive research of the expenditure and revenue generated by airport facilities worldwide. In fact the Aviation industry is one of the more transparent industries in publishing this data. There is extensive documentation available of the costs and revenue per PAX, including the expenditure per PAX whilst in the terminal. It can be measured in $ per minute. The statistics, and particularly those relating to PAX expenditure drive elements of the Airports design and operation of Airports terminals. These target the minimisation of the time for aviation processes, including check-in, immigration, screening etc to maximise the time PAX can spend in the retail, and food & beverage areas of the Terminal.

3.1 Specific retail criteria for Airport Terminals Retail facilities in Airport terminal are generally different from that in normal main street trading and shopping malls. This specific criteria needs consideration to understand why and how the link between the loss prevention and security is closer in this particular application than in other areas of these disciplines. The specific criteria include: ?? The goods sold tend to be small volume and high value. Due to: o All of the goods bought into the terminal for sale require screening. o The cost of rental space being extremely high hence limits the display and storage space available. ?? The customers tend to be in high concentration, and hence many cases have customers competing for counter space, and viewing vertical stands in such numbers that make security observation difficult. ?? High value, small volume articles are prime targets for shoplifting. ?? Because airports can be a concentration of travellers from many nations they can be subject to higher levels of purchase and card fraud.

3.2 Security at Airports Security at Airports regardless of the location, is (or at least should be) risk based, with the proviso that the minimum criteria required by ICAO is applied. The quanta and type of security applied depends on the location of, and the geopolitical situation applicable to the airport. The security applied is always (in the first instance) targeted at the protection of the aeroplane. In addition although in aviation security (AVSEC) terms and in more recent times the protection of the airport and associated infrastructure also applies. To achieve the objective of protecting the Aeroplane in today’s aviation security environment the risk assessment almost always includes a broad range of threats each of which must be assessed and addressed. As a result of these varying threats, the application of security to protect the Aeroplane for practical reasons spreads a large net of protection to achieve that objective. As a result the level of protection actually achieved is structured and comprehensive and tends to protect the facility to a much wider degree than just the Aeroplane. The security at any Airport will always be underpinned by an airport security program that will guide the security governance of the facility. The program must be comprehensive to meet the obligations of International Civil Aviation Organisation (ICAO), and will address the security programs as well as the minimum physical criteria required. There is no specific need to apply the use of technology either for security or screening purposes, providing adequate controls are applied to achieve the required security outcomes. The reality of a modern Airport, and certainly one that would have the retail facility of the type being contemplated in this paper will require significant technology to support the management of the security.

3.3 Management The management as noted will always be applied in conformance with the Airport security plan. This plan however will address a number of security factors which could be said to assist in the, management of loss prevention for the retail elements of the Terminal. However these are a by product of the aviation security being applied, and up until recent times in almost all cases any contribution of security towards loss prevention has been co-incidental. However as the retail elements of Airports become an ever more significant element of the airport revenue stream, combined with the ever increasing use by security management of technology in general terminal areas, airport authorities are starting to increase consideration of assisting in loss prevention. It makes good business sense to use resources, (providing these are not utilised at the expense of the primary objective of protecting the Aeroplane and airport assets) to assist in the protection of a tenant group who contribute to the bottom line of the Airport.

3.4 Planning and design The planning and design that applies to the Aviation security will, except for the general PAX terminal areas, support the loss prevention elements of the storage and support infrastructure for the retail process. The “non PAX” areas of the terminal complex are (usually) strictly controlled. These areas are locked and in many cases alarmed barriers between the PAX and “non PAX” areas. All personnel that have access to these areas have security clearances, and most have been subjected to checks by law enforcement of the country or jurisdiction where the airport is located. In addition to the above any storage areas that support the retail facility which are not located in the retail tenancy usually have sound physical security, and appropriate locking hardware. These are provided as a part of the terminal design to support the aviation security process, and the retail facilities obtain this as a by product of the AVSEC process. The physical planning and design for the retail outlets in the general terminal areas rarely have the opportunity to apply appropriate planning and limited physical protection for the retail process, other than in the merchandise display cases. There are however loss prevention techniques applied to the design of the display wall and customer service desks. This application of planning and design does usually impact on the structure of the terminal and applies only to the fit out and fabric of the tenancy. The majority of the security is provided by the staff either directly by physical or visual management of merchandise, or via securing display cases accessible to the PAX, or non retail staff, and has little reliance or base planning and design. The planning however does have an impact on the applied technology, and specifically in the integration of the technology into the physical elements of the terminal complex. Not only does this apply to the positioning of the cameras used into the CCTV system, but also integration of these cameras with the natural and artificial illumination of the general terminal and retail areas.

3.5 Technology It is the technology design that is being applied to contemporary airports that is facilitating the co-existence, and possibly in the future in this application the convergence of loss prevention and security. The contemporary solutions of technology being applied to airports are solutions that have optimum integration of the varying technologies that support the security solution. This technology is now mostly IP based and communicates over the Airport Campus area security solution. The fact that the IP based CCTV system communications over the IT network facilitates the installation of IP based cameras almost anywhere there is communications infrastructure available. As most airport terminal buildings are utilitarian, and are designed to accommodate future infrastructure, the addition of data outlets is a simple task.

3.6 Technology as an Aid to Management All technology applied as part of a security solution is nothing more than an aid to the management of the security of the facility. In particular in a major Airport the technology enables tasks to be employed that can: ?? Provide short and long term accountability for the staff operating, and/or observed by the technology ?? Enable security tasks to be undertaken more accurately.

Enable large amounts of PAX to be managed or processed swiftly, and depending on the security function being undertaken more accurately than if the task was undertaken by manpower alone The technology is primarily provided to ensure Aviation Security (AVSEC) is maintained, however a significant component of the technology in the Terminal building can also be deployed to assist in the management of loss prevention in the terminal and in individual retail tenancies. Regardless of the use the technology it will only function as an aid to the management of security, be it loss prevention or general security.

3.7 Specific technologies utilised for loss prevention The technology used in airports that can readily be deployed for loss prevention are: ?? Communications technology used by the retail vendors, with the ability communicate with AVSEC staff ?? Access control technology to manage access to “non PAX” retail storage areas ?? Intruder detection technology to manage securing of, and alarming of storage areas and of retail tenancies ?? CCTV of retail tenancies and adjacent general areas of the tenancies The use of the above for both loss prevention and security can be arranged with the airport authorities by layering, (albeit in a segregated manner) the loss prevention requirements of the retail vendors who operate within the airport.

3.7.1 Communications Technologies Airports have a number of communications systems that underpin the security operations, these include: ?? The public service telephone network – This comprises the normal telephone network that applies across the airport campus and connects those phones into the countries telephone system. This system is now starting to be IP based and if not already, will be layered onto the airports Information Technology (IT) campus network. ?? The mobile phone network - This again comprises connection via mobiles into the normal telephone network that applies across the countries telephone system. ?? A hard wired security intercom system – this is usually a dedicated telephone system that interconnects all security control locations, access points, access control points. And other strategically important security locations. This system also is now starting to be IP based and if not already, will also be layered onto the airports IT campus network.

A Ultra High Frequency (UHF) radio system – this is a mobile radio system, separate from the aviation radio system are used for security purposes and other operational purposes. Of the above the system most applicable to be used in loss prevention is the UHF radio system. Contemporary UHF radio systems have the ability to utilize multiple channels. It is possible to add channels to the existing systems to facilitate intercommunication access for retailer’s staff on security matters. There is also the ability to communicate with AVSEC staff to assist in specific issues of loss prevention.

3.7.2 Access control technologies The access control systems across the airport can be extended to be used by the retail vendors The systems can be partitioned and enable retail staffs access control devices to be programmed to access the retail tenancy and storage areas. It can also be programmed so that if there is any breach of the security of these areas there can be advice from monitoring AVSEC staff, or even via automatic advice from the system. The layering of the access control solution onto the airport system provides the ability to have monitoring of the retail element of the solution, as well as minimizing the installation of independent infrastructure by the retailers to achieve a similar outcome.

3.7.3 Intruder detection Technologies As with the access control system, the intruder detection installed across the airport can also be extended to be used by the retail vendors. This system can also be partitioned and enable provision of intruder detection equipment to be installed to protect the retail tenancy and storage areas. Again these can also be programmed so that if there is any breach of the security of these areas there can be advice from monitoring AVSEC staff, or even via automatic advice from the system. The layering of the intruder detection technology onto the airport system also provides the ability to have monitoring of the retail element of the solution, as well as minimizing the installation of independent infrastructure by the retailers to achieve a similar outcome.

3.7.4 CCTV equipment The CCTV equipment installed across the airport campus is one of the most important elements of the AVSEC technology that can be used for loss prevention. It is almost universal that all cameras are recorded, and this combined with the introduction by airports of IP based equipment, including mega-pixel cameras provides valuable tools in the support of loss prevention.

As noted previously the CCTV solutions in airports can easily be tailored for loss prevention. The IP based solutions lend themselves to provide individual monitoring of retail facilities if required, or by retailers themselves setting up an independent control location to assist in loss prevention across all tenancies Cameras can be targeted to specific high risk areas, and overlaid by video analytics which can trigger alarm images for closer scrutiny by observers. The ability to recall footage instantly, as well as review images from differing angles can assist in tracking potential or actual offenders. It can also track offenders who move into other areas of the terminal after the event.

3.7.5 Man Machine Interface The prime man machine interface in Airports concentrates on AVSEC. However as the solution is IP based it is possible to create other man machine interfaces specifically for retail, on either a global retail or on an individual tenancy basis. It is possible with minimal capital outlay to configure a control location to support the loss prevention process. This is a valuable tool that can be used in either real time or retrospectively as may be applicable to the size of the facility involved. There is also the ability to operate in co-existence with the AVSEC operations to support the common objectives of both security and loss prevention.

4. Summary Loss prevention will always apply specialised techniques to meet the unique threats that apply. These have some common ground with general security, however the necessity of convergence is not a reality and is most unlikely in the future. Arguments can be made for the co-existence for these two disciplines in certain applications however the convergence or even need for convergence of general security and loss prevention is not a proposition that can be supported.

- By Mr. Kerran Campbell, Assoc Professor, FIE Aust, FCIBSE, FISM, CPP,
Director, Campbell & Campbell, Australia.

Go Top

SECURITY CONVERGENCE -
PHYSICAL AND INFORMATION

B. G. Gupta, Information Technology Advisor

All organizations need to protect their corporate assets – whether by preventing the theft of office equipment, providing a safe environment for employees and their belongings, or keeping hackers, and industrial saboteurs from wreaking havoc with networks, applications, and databases.

Yet, because physical and logical securities have traditionally been handled by separate organizations and technologies, few companies could envision the benefits from their convergence.

The post 9/11 era has brought the issue of physical security to the forefront of new technologies development and set a collision course with Information Technology (IT). Since technological convergence does not automatically provide for a parallel organizational convergence - the change brought up confusion and frustration from both the IT professionals and the traditional asset managers. IT and Physical Security departments have been scratching heads over an uneasy task of trying to figure out how to solve the problems that keep appearing - how big are the companies that have the issues? How do we resolve these issues? Which side is responsible for physical security technology? Where is technology going?

According to the Global State of Information Security 2007, a worldwide study by PricewaterhouseCoopers, CIO Magazine and CSO Magazine, organizations are increasingly integrating physical and information security as they become more aware of the impact of privacy breaches.

This paper investigates and finds the extent to which this integration has already taken place and the present endeavor on part of the business and industry. It also explores and charts out a possible approach to achieve the workable integration in the immediate future.


Security in general can refer to a wide variety of security related activities depending on the organization. “Guards, gates and guns” are what usually come to mind, but physical security involves much more. Perimeter access control may be the most recognized component but the primary goal of physical security is the safety and protection of human life. This can take the form of emergency evacuation plans, fire suppression, controls to prevent accidents and executive protection, as well as keeping the bad guys out. Loss prevention is also a focus of physical security. The gaming industry has instituted highly sophisticated closed circuit television (CCTV) monitoring to catch cheats on the casino floor. Loss prevention is important to retailers as well. Also falling within the purview of physical security are activities such as fraud prevention, investigations and managing the processing of employee background checks for HR.

PHYSICAL SECURITY

Physical Security is the application of physical barriers and control procedures as preventive measures or countermeasures against threats to resources and sensitive information. Physical Security reduces the exposure of assets to physical perils. They are implemented to protect the system resources themselves, the facility housing the system resources, and the facilities used to support their operation (such as wiring, backup media, and electric power). It prevents (1) Physical damage to assets, (2) Interruptions in information technology services, (3) Unauthorized disclosure of information, (4) Corruption of system integrity and (5) Theft.

PHYSICAL SECURITY CHECKLIST
The following is a series of practical steps one can take to help preserve the security of your organization. Many of the actions are common sense (if they seem simplistic, they are!) and will help your organization.

• Survey your building(s) and deal with obvious problems. Put decent locks on your doors, install strong windows, and make sure people shut up shop at the end of the day.
• Put servers and other vital specialist equipment in dedicated rooms with locked internal doors and no windows.
• Install appropriate air-conditioning and fire-detection systems in these special rooms.
• Avoid locating critical equipment near vents, pipes, kitchens, toilets, radiators and other similar hazards.
• Turn screens off at night (this prevents a tell-tale glow).
• Keep a list (or asset inventory) of all systems, memory, processors, serial numbers, locations and dates purchased.
• Put permanent labels on your valuable equipment. Perhaps try ultra-violet marking of equipment – this can help in recovering stolen items. Keep backups of your information well away from the source systems, and if possible off site.
• If you have multiple sites, spread computers across them.
• In shared, public or open areas (e.g. receptions) use cable locks to attach valuable equipment to desks.
• Minimize the amount of paper and sensitive information left on desks. Lock documents in cabinets (establishing a ‘clear desk’ policy if possible).
• If the company consists of more than about 15-20 people, issue visitor badges and encourage staff to challenge unaccompanied visitors.
• Escort all visitors – don’t let them wander around unsupervised.
• Keep a visitor book and log the times when visitors enter and leave the premises. Keep another signing-in/-out list for sensitive areas.
• Consider CCTV in critical areas and reception areas.
• Get appropriate insurance, even if your business is a very small concern.

INFORMATION SECURITY

Whatever the name given: information technologies security (IT security), cyber security or digital security, it concerns the security of digital information. Information security is an answer to the risks associated to the use of information and communication technologies (ICT) in every day activities. The objective of the Information Security is to minimize the informational risk and bring it under control in respect with an acceptable level.

PWC in its “Global State of Information Security Survey 2007 reports that after five years of conducting the “Global State of Information Security” survey, we have noted some critical trends in information security. We’ve also uncovered non-trends— numbers that remain so constant and predictable that we can now call them conventional wisdom. Here, then, are five pieces of wisdom based on numbers in the survey that never seem to change.

Spending lags: You’re always about 10 percent happier with security policy’s alignment with the business than you are with security spending’s alignment. Over the years, roughly 85 percent of you have said that your security policies are completely or somewhat aligned with the business, while just 75 percent said that about spending. After all, who doesn’t want more money?

Partners too: You’re more confident in your own security than that of your partners, suppliers and vendors. Once again, around 80 percent to 85 percent of you were either very or somewhat confident in your security, but when you were asked about partners and vendors, the number dropped to between 70 percent and 75 percent. Remember, you’re someone’s partner and he’s not too thrilled about you either.

Few are cocky: About one in 12 of you think very highly of yourselves. Since 2003, the number of respondents who claimed 100 percent of their users were in compliance with their security policies hovers around 8 percent.

Size doesn’t matter: Company size does not affect spending. When the information security budget is measured as a percentage of the IT budget, it remains constant no matter how many employees a company has or what its revenues are. Size of company matters less in security spending than in industry. Technology companies spend the most; nonprofits and educational enterprises spend the least.

Banks lead: Financial services companies are attacked more but suffer less. Over the years, respondents in the money business have reported more security incidents without an appreciable increase in losses or downtime as a result. They do this despite not having significantly larger security budgets than others.

Focusing more in information system and network security, the following guidelines from Organization for Economic Co-operation and Development, OECD’s 2002 guidelines for the security of information systems and networks – “Towards a culture of security”, are a starting point for examining security issues.

• Awareness: Participants should be aware of the need for securing information systems and networks and what can be done to enhance security;
• Responsibility: All participants are responsible for the security of information systems and networks;
• Response: Participants should act in a timely and co-operative manner to prevent, detect and respond to security incidents;
• Ethics: Participants should respect the legitimate interests of others;
• Democracy: The security of information systems and networks should be compatible with the basic values of a democratic society;
• Risk assessment: Participants should conduct risk assessments;
• Security design and implementation: Participants should incorporate security as an essential element of information systems and networks;
• Security management: Participants should adopt a comprehensive approach to security management
• Reassessment: Participants should review and reassess the security of information systems and networks and make appropriate modifications to security policies, practices, measures and procedures.

While evolving from the technical field to the management field, the IT security concept gave way to technological and informational risk management. This implies a global and coherent security approach, as evidenced in the adoption of international standards concerning security and security management (for example the ISO 17799 and ISO 27000 standards families).

For over 30 year’s security has been a camera, a monitor and thousands of miles of coax or a couple of contacts wired to an alarm system. The post 911 era has brought the issue of physical security to the forefront of new technologies development and set a collision course with Information Technology (IT). Since technological convergence does not automatically provide for a parallel organizational convergence - the change brought up confusion and frustration from both the IT professionals and the traditional asset managers. IT and Physical Security departments have been scratching heads over an uneasy task of trying to figure out how to solve the problems that keep appearing - how big are the companies that have the issues? How do we resolve these issues? Which side is responsible for physical security technology? Where is technology going?

SECURITY CONVERGENCE

It is a term that refers to the convergence of two historically disparate security functions -- namely physical security and information security -- within enterprises. Security convergence is motivated by the recognition that corporate assets are increasingly information-based. Whereas in the past physical assets demanded the bulk of protection efforts, today information assets demand equal (if not far more) attention. Physical and information security are both integral parts of any coherent risk management program. Convergence is so endorsed by the three leading international organizations for security professionals -- ASIS, ISACA and ISSA -- that they co-founded the Alliance for Enterprise Security Risk Management, in part, to promote it.

WHY CONVERGENCE?

All organizations need to protect their corporate assets – whether it’s preventing the theft of office equipment, providing a safe environment for employees and their belongings, or keeping hackers, and industrial saboteurs from wreaking havoc with networks, applications, and databases. Yet, because physical and logical security has traditionally been handled by separate organizations and technologies, few companies could envision the benefits from their convergence.

As a practical definition here, “converged security” refers to the integration of physical access systems and related technologies (such as magnetic cards and readers) with identity management and user authentication technologies (such as enterprise single sign-on, tokens, and proximity cards). This integration enables an organization to establish and manage a single, consolidated repository for all authentication credentials, and to have a centralized means of setting access privileges for both physical and logical resources. This identity-based convergence makes it possible for organizations to have:

• One identity-based system for managing all physical and logical access;
• A unified network policy for both network and remote access that leverages card status and location information from physical access systems;
• Exchange of events and alarms from the physical access system to the logical access system;
• An identity-based reporting system for use in forensic investigations; and
• A streamlined workflow for creating, deleting and modifying user identities from both systems simultaneously.

THE OPEN SECURITY EXCHANGE

The Open Security Exchange(SM) (OSE) is a not-for-profit association of security experts that provides a forum for end-users, manufacturers, integrators, consultants and allied organizations to mutually define opportunities for converging physical and IT security. Its goal is to help improve enterprise security through the collaborative development of reusable models, definitions, vendor-neutral interoperability specifications and best practice guidelines that accelerate the convergence of security systems. The OSE defines convergence as the migration of physical and IT security towards common objectives, processes and architectures. This migration includes:

• Objectives: Cost reduction/Revenue enhancement/Regulatory compliance, Improve asset/personnel protection, Improve operational efficiency of physical/IT security staff
• Processes: Collaborative planning between physical/IT staff on security strategy, Identify/eliminate security gaps, Best practices and policies for converged security
• Architecture: Strategic, tactical and operational security modeling, Interoperability standards and policies for physical and IT systems, Combined credentials for physical and logical security

Physical/IT security convergence will enable vendor-neutral interoperability among diverse security components to support overall enterprise risk management needs. As physical and IT security merge, networked computer technology and associated applications will provide enterprises with increased operational efficiencies and intelligent security.

ANNUAL GLOBAL INFORMATION SECURITY SURVEY 2007

In its 10th Annual Global Information Security Survey, which was conducted during 2007 Ernst & Young, said, “We have realized that the focus and drivers of information security may change over the years, but the need to protect information assets remains virtually important to businesses globally. Organizations are beginning to recognize that information security can deliver more than just protection for information.”

The survey, which was conducted between May and September 2007, interviewed 1,300 senior executives in more than 50 countries with India emerging the second largest contributor with 114 respondents.

The integration of information security in the overall risk management function is on an increase amongst Indian organizations. The survey findings indicate that Indian companies are increasingly using information security and risk management in a more strategic role of addressing business objectives.

According to the survey, the number of organizations that have fully integrated the information security function into risk management operations has increased to 39 percent in 2007 from 19% in 2006. Compliance is a major driver in this integration as indicated by 50% of the respondents in India.

The importance of privacy and data protection are considered to be top drivers for information security. Majority of the respondents from the top management, including 73% of the CEOs and 64% of CIOs, place considerable importance on protecting privacy related information managed by their organization. Privacy and data protection have emerged as the top three drivers for information security as indicated by 58% of the respondents.

Improving IT and operational efficiency are emerging as important elements of information security as identified by 79% of Indian respondents, compared to 69% globally. Availability of experienced IT and information staff is the greatest challenge in delivering strategic information security projects. While 63% of Indian respondents indicated the use of third-party services for information security design, the global usage is higher at 75%.

Meeting business objectives is a growing focus of information security. In India 47% of respondents are inclined to towards trying to achieve this. Globally, the trend is moving towards business objective alignment and not just investing new technologies. The survey indicates a decrease in deploying new technologies from 24% in 2006 to 13% in 2007.

Information security is still limited to the IT department. The survey indicates that information security personnel are three times more likely to meet with IT department on a monthly basis than corporate officers and business unit leaders. The survey also points out that 32% of the information security organizations do not meet with their board of directors or audit committees.

Lastly, organizations are demanding more than vendors and business partners in managing third-party relationships. In India, 39% and globally 48% of companies felt that the vendors and business partners should have their own information security and privacy policies and procedures in place.

4 Es OF INFORMATION SECURITY.

Towerwall combines assessment, remediation and support services with best-in-class technology to guide businesses through the evaluation, establishment, education and enforcement of sound security practices. It suggests that this could be achieved by the following:

Evaluate: Organizations are typically not aware of the risks introduced when critical information becomes integral within business processes. Without performing a detailed and comprehensive assessment, these risks will remain undetected.

Establish: Establishing a security roadmap, remediation plan and policies is crucial in mitigating the risks associated with protecting critical data. Based on the results of the security assessment, establish a blueprint that details overall security strategies and policies.

Educate: The resulting policies must be clearly and systematically communicated. Employees must understand and comply with information security policies, and must be made aware of the consequences of breaching these policies. On-going communication protects against improper usage and productivity loss, from potential legal and image problems, and from the compromising of intellectual property. Furthermore, internal security skills and knowledge must be continually improved.

Enforce: Organizations must be vigilant in enforcing IT security policies/procedures and in always looking for potential risks. Pro-active enforcement means that new threats are detected before they create problems, and that employees who violate policies are dealt with according to agreed upon compliance rules. Once the security infrastructure is in place, and policies have been effectively communicated, one has to provide on-going support for pro-active management.

BENEFITS OF CONVERGENCE INCLUDE

Stronger, more integrated security: When logical and physical access security components work together, organizations can use them to complement and reinforce one another. For example, a policy could be established that would allow a user logical access to applications only if that user had first swiped his or her employee badge that day when entering a facility or restricted area.

Greater control over all security: Convergence allows organizations to manage all forms of security under a single umbrella for maximum control.

Affordable, two-factor authentication: Having more than one means of authenticating users is an excellent way to strengthen IT security. Experts recommend multi-factor authentication (e.g. complex passwords and a second form of identification) as the best protection against unauthorized application access. Convergence would enable the magnetic striped badge to be used as the second authentication factor, sparing organizations the cost of additional smart cards, tokens, or biometric scanning systems.

Coordinated responses to problem or emergency situations: Physical and logical security should work in concert with each other. For example, when employees resign or are terminated, there is often a lag time of days or even weeks between when their physical access rights and logical access rights are terminated. This situation creates security gaps in which disgruntled former employees may continue logging onto the network remotely to steal or destroy confidential data. Convergence prevents this problem by allowing organizations to instantly lock-out logical access privileges the moment a user is terminated from the physical access system.

Regulatory compliance: In 2004, the U.S. Executive Office of the White House issued HSPD-12, which mandates a common identification standard for U.S. federal employees and contractors. Other governments and industry regulatory organizations are requiring similar standards. Converged physical and logical access technologies provide the two-factor authentication that ensures compliance with these regulations.

A solution to tailgating: Tailgating is a common security problem in which a person without an ID badge gains access to a facility by following closely behind another person who has just swiped his or her badge. With convergence, logical access security can be set up to alert corporate security whenever employees who have not swiped their badges attempt to log onto PCs, thereby providing a means to better enforce badge-swipe compliance.

All of these benefits – plus the better protection, cost savings, risk reduction, and increased compliance associated with them – make converged physical and logical security a worthwhile goal for any security minded organization.

REQUIREMENTS OF A CONVERGED SOLUTION

While all of these approaches can provide some degree of additional protection, they do not satisfy all the requirements of a truly converged solution. To fulfill the growing demand among companies of all sizes for a fully-integrated answer, a converged solution must:

• Approach security from a holistic view;
• Offer fine-grained, zone-based logical access coupled to a user’s badge status and location;
• Leverage existing security investments;
• Enforce both physical and logical security policies;
• Have monitoring and reporting capabilities in order to demonstrate compliance with acts such as Health Insurance Portability and Accountability (HIPAA), Gramm-Leach-Bliley (GLB), Sarbanes-Oxley (SOX), and HSPD-12;
• Be cost-effective for companies of all types and sizes;
• Be easy to deploy; and
• Deliver a measurable return on investment.

The notion of converging physical and logical access security is not a new one. It has actually been around for some time, but historically, implementation has been a problem. Because physical and logical security systems have had little in common technologically, integrating them was a costly and complex proposition. The lack of interaction between the physical security experts and information technology providers has also hindered convergence.

THE OBSTACLES OF CONVERGENCE

There are five aspects of the technological convergence that have created problems and conflicts for Security departments and IT departments:

New security systems require knowledge that is beyond security’s domain. Electronic security systems incorporate information technology elements (such as databases and computers) and require information technology infrastructure (such as local and wide area wired and wireless networks). Most of these elements have complex configuration and setup steps that must be performed by a knowledgeable person. Thus the procurement, deployment and maintenance of most security systems now require IT knowledge and skills. Security departments now must look to the IT department for help with many aspects of security projects. Unfortunately, there is a large communication gap, because the Security personnel don’t know the IT domain, and the IT personnel don’t know the Security domain. This is compounded by the fact that today many companies have not worked out an up-to-date and easy-to-understand Security Plan and Security Emergency Response Plan. Having these plans would help IT get an understanding of the purpose and activities involved in Security during normal business, off-hours, and emergency operations. Compounding the problem is the turf war. Like most industrial convergence there is fear of loss of power or control to the other side. Both IT departments and Asset Managers do not wish to lose control of their domain and are reluctant to give the other a foot hold. Of all aspects of technology convergence this is one that is the most unpredictable and the most difficult to overcome.

Security systems offer many non-security benefits. These are the new stakeholders throughout the organization, whose use of the systems requires extending the information technology elements and infrastructure of the physical security systems for non-security purposes. This introduces complex issues for budgeting, procurement, deployment and ongoing use of the systems. It also significantly expands the privacy issues.

The IT elements of security systems are used differently than the same IT elements of business systems. For example, the usage patterns for networked security workstations are very different from what is typical for business systems of networked PCs. This leads IT departments to misestimate the requirements for information technology elements and infrastructure of the security systems. This is most apparent in calculation of network bandwidth requirements, which is almost always significantly underestimated. Security departments, on the other hand, not being familiar with the IT domain, do not realize that these differences exist and usually fail to adequately, if at all, educate IT personnel about them.

Using technology blinders. It is very important when engaging in security analysis, and when discussing security with people outside of Security and IT, that enthusiasm for new high-tech security systems and products doesn’t create blinders that keep low-tech solutions out of view. This is a risk for those in both IT and Security who are immersed in technology on a daily basis.

There are no standards. For 30 years we had VHS cassettes as the core medium for recording video which made it very easy to select a product. Today, there are literally 1000s of products in the market with hundreds of digital formats. What is even worse is that no two products are a like. They all have nuances that set them apart. How do you choose? This is where a Security Emergency Response Plan will help even more.

MICROSOFT EXPERIENCE

A comprehensive security program for an organization includes both the physical security of facilities, such as restricting access to buildings and monitoring alarm systems for fire or break-ins, and logical security of IT resources, such as restricting access to sensitive data and monitoring network traffic for signs of suspicious or malicious activity. At Microsoft, the strategy for developing the processes and solutions that help provide physical security includes a partnership between the internal Global Security and Microsoft Information Technology (Microsoft IT) teams. This partnership takes advantage of the available technology and technical resources to provide a scalable system for life safety and facility monitoring that can be managed from virtually anywhere in the world.

Through the strategic deployment of security systems, the Global Security team is improving the way it protects Microsoft assets, information, and employees. By aligning physical security drivers and IT delivery mechanisms, the team can produce an environment where physical security and IT complement each other rather than compete with each other.

Microsoft encompasses more than 670 sites globally. The Global Security team must protect resources at those sites. This task includes monitoring more than 23,000 pieces of hardware: card readers for physical access, cameras, fire panels, environmental alarms, biometric security systems, duress alarms, and additional devices and sensors. Global Security must also manage more than 150,000 active holders of access cards and more than 20 million system events each month (for example, users who have misplaced their access cards, maintenance alarms, unauthorized access, building fires, or natural disasters).

With an enterprise as large as Microsoft, monitoring and protecting assets around the world is a challenge. The traditional security strategies were too cumbersome and costly to be effective. Microsoft developed the convergence of physical security infrastructure with IT practices by using off-the-shelf software applications wherever possible, to create a more streamlined, efficient, and cost-effective security solution.

Microsoft has experienced a variety of benefits from merging physical security with IT, including the ability to automate many functions and the increased ability to use monitoring technologies in forensic investigations. However, four benefits that have affected Microsoft the most are that the company has saved money, the security of the organization is improved, the security operations are scalable to meet growth needs, and there is more consistent and reliable delivery of security throughout the organization.

Reduced Costs: Centralized monitoring and management of physical security resulted in less need for on-site personnel, reducing licensing costs for hardware and software. Using equipment that connects to and communicates over the existing IP network infrastructure greatly reduced the expense involved with deploying equipment or establishing entirely new sites.

Improved Security: Using IT tools and technologies, particularly off-the-shelf software applications, enabled Microsoft to deliver physical security more effectively than it could with traditional methods. The integration of physical security and information technology systems also provided a more direct and immediate link between the role and status of an individual within the organization and his or her ability to access specific sites or locations. Using the enterprise network and IP-based camera systems enabled more sites to be monitored with fewer on-site personnel. Storing the recorded video data on DVRs allows for more efficient review of video feeds and helps the Global Security team operate more efficiently.

Scalability and Extensibility: Microsoft can quickly and cost-effectively scale its security needs as growth demands. With the core infrastructure in place, bringing additional sites online is relatively simple. Traditionally, Microsoft had to procure and implement new or separate systems for building alarms, physical access control, fire monitoring and alarms, closed-circuit cameras and recorders, and other systems, as well as having to hire or contract personnel to guard and manage the new site. Although some additional access control, alarm, and camera equipment is still necessary, the convergence of physical security with IT means that Microsoft does not need to start from scratch at each new site. The incremental increase to the existing infrastructure today is significantly less than with the old approach to physical security. Additional personnel may be required to handle the monitoring and response for the increased signal load that adding more sites creates. Managing the monitoring from centralized security operations centers enables the organization to better balance scheduling needs and training and ensures that additional resources can be added as necessary.

Continuity of Service: With regional security operations centers that are each capable of receiving and monitoring signals from the entire enterprise, the Global Security team can provide consistent service levels—even if a significant event causes a temporary spike in security events, or if an entire operations center goes offline. By using centralized policies and procedures, in addition to consistent training materials, the Global Security team can also ensure that the organization will receive the same service, delivered in the same manner, regardless of which regional operations center is monitoring and responding to the security events.

COOPERATION AND COORDINATION

IT can help establish network security requirements and provide network security tools that will be needed for the security network. They can help answer networking questions, and they can provide project support for specifications and for testing relating to the computer and network aspects of the project. In-house IT can provide ongoing support for security computer and network issues. As security systems incorporate more and more information technology, IT knowledge will become more important to security. Security should designate someone to be an IT liaison as a permanent role, not just for the duration of the next security project. Security system upgrades and expansions will need to be coordinated with IT, and security will want to stay abreast of network expansions in case they provide an opportunity for security to further its objectives. Similarly, IT should designate a liaison to security. Security will continue to expand, so it behoves IT to learn more about physical security. IT will have the task of augmenting security's network infrastructure based upon security needs. They may also have opportunities to piggyback off of required security network upgrades and accomplish some of their own objectives sooner, perhaps at a reduced cost. Security can contribute to IT's planning for physical security measures as part of its information security plan. Sometimes IT needs alone or physical security needs alone will not be a strong enough case for network upgrade expenditures, but together they can tip the scales.

Today's security systems are based upon information technology. This requires a good working alliance between security and IT departments. The result of this alliance will be, of course, stronger and more capable security systems.

CONCLUSION As reported by JBW Group of USA, information technology has transformed traditional business models and facilitated the creation of entirely new ones by integrating technology into business processes. With this integration, the lines between information security and traditional physical security have become blurred.

It has become a truism that physical security is a critical component of information security. Information security professionals have long recognized the importance of protecting the technology that supports critical business functions. The best technological controls can be rendered useless by introducing an internal wireless network to bypass a firewall or sitting down at the server console to bypass the virtual controls in place. With physical access to internal networks and servers, all bets are off. In the late nineties, a very popular commercial website was unavailable for several weeks, not because of remotely exploited vulnerabilities, but because someone was able to circumvent the modest physical security in place and steal the servers out of the data center. The role that information security plays in physical security is less frequently recognized. Often, technology is a critical component of physical security. A recent physical security assessment for a software development and system integration company highlighted good perimeter security; lighting and physical isolation of high security areas with only one exception, the desktop system that managed access control for the entire building resided in an un-monitored and publicly accessible lobby area. Anyone could walk up to the system and get to the software that managed access control for perimeter doors and secure areas within the building.

Security Convergence - Technological advances facilitate the leveraging of economies of scale by putting voice and video over IP networks. Closed circuit video surveillance that used to travel over dedicated coaxial cable now shares bandwidth with data and voice on common IP networks. Many business processes now rely on technology and similarly, information security and physical security have become inextricably linked.

Comprehensive Solution - The most effective approach to assessing the physical security needs of your organization is a comprehensive and holistic one. Physical security should not be considered in isolation but as a critical component in a comprehensive framework that recognizes and supports the organization’s strategic business objectives. An international standards-based approach provides many advantages over technology-focused, proprietary and other approaches by providing a measurable, repeatable, scalable and continually improving security program. The security framework can also be assessed by an independent third-party and certified as conformant. Certification by an accredited certification body provides a level of assurance to customers and business partners that the organization is effectively managing security.

International organizations have established standards and guidelines for physical security as part of an overall security management program that also includes information security and meets governmental requirements and consumer expectations. The following are examples of internationally recognized standards and guidelines that are used to implement management systems to effectively manage physical security. These are complementary to related ISO standards.

- BS 25999-1:2006: Business Continuity Management Code of Practice (management system for disaster recovery and business continuity)

- BS 7799-3:2006: Guidelines for Information Security Risk Management (management system approach for the assessment and treatment of risk)

- ISO/PAS 28000: Specification for Security Management Systems for the Supply Chain (management system specification for physical security)

- ISO 22000: Food Safety Management Systems - Requirements for Any Organization in the Food Chain management (system for preventing the introduction of food safety hazards)

- OHSAS 18001: Occupational Health and Safety Management (specification for health and safety management systems)

“As with business processes that rely on technology, so too, information security and physical security have become inextricably linked.”

- By Mr. B.G. Gupta, Director, SCI Software India Pvt. Ltd., India

Go Top