BriansPost.docx

Hello everyone, 
I would like to format this week’s post a bit differently. This week, we are to address, what we believe to be, the characteristics of a good physical and technical security relationship.
Integration
          Worldwide, physical security professionals provide protection to various organizations. Inside the walls of these organizations, information technology (IT) professionals further the protection of the organizations by helping to ensure their information remains secure. Additionally, IT professionals support the physical security professionals in their security efforts, creating a sort of ad hoc symbiotic relationship. However, to ensure organizations are best served by their security professionals, better integration and coordination is needed to ensure the ad hoc nature of the relationship becomes one of consistent and defensive mutualism. 
Beginnings
          In other courses, you may have learned that loading docks are very susceptible to theft. Many companies have little to no security enhancements in these locations. In addition to physical theft, logistical theft is common. To clarify, physical theft, in this forum post, refers to the removal of an object at the loading site; logistical theft refers to intentionally manipulating a shipping bill or delivery receipt to account for fewer items than are present. However, after reviewing this week’s reading of chapter 11, I am compelled to believe that the security of the loading dock is critical when considering IT. 
          Despite Google searches providing little apples (fruit, but changed for a 2-level IT joke purpose), the loading dock may be highly vulnerable to the cooperate espionage threat. When a shipment arrives, it may or may not be exposed to security functions, other than closed-circuit television (CCTV). The company uses the delivery of an expected product as an ersatz authentication process. Think: “as long as the 24 Macbook Pros are here, they were the ones we ed.” However, this shouldn’t automatically be the thought. While I personally believe the following is a farfetched idea, our textbook may suggest otherwise. It is simply not out of the realm of possibility that one shipment is rerouted to a different location, where the 24 Macbook Pros have been switched out with ones that have been tampered with by, let’s say, French “consulate” personnel. After all, the company is not concerned with the serial numbers matching between the initial and the received product (nor does this routinely happen anyways). 
          Improved integration may not prohibit false items from being delivered, but it may help. I would suggest having physical security inspect each bill of sale/delivery receipt. Moreover, I would recommend that security write down the driver/delivery crew’s names, employee ID number, vehicle information. The information should then be cross-checked with the shipping company for verification (no “mom and pop” companies should be used). While this process will not eliminate the vulnerability, it may reduce it. Security should remain on-site to ensure the cargo is not tampered with until received by properly identified IT staff.
Middle
          Physical security provides security services to the IT department. It attempts to verify the authorization of entry by way of  authentication, as verified by identification (and/or access lists). In return, the IT department assists the physical security team by maintaining CCTV records and updating authentication & authorization access rosters for radio frequency identification (RFID) cards. RFID cards lessen the burden that traditional lock systems can gift. Despite the advanced technology that RFID cards may have, they do have vulnerabilities. Some RFID cards can easily be copied. Simply put, the ID’s internal information is copied and pasted onto another card. Even RFID cards that have higher encryption levels have vulnerabilities. If the card does not require a pin or biometric confirmation, the card’s lack of a second-tier authentication is a vulnerability. Physical security can reduce this vulnerability by verifying the name on the RFID card (and any image) with the holder’s employee badge. However, physical security provides protection beyond identification verification. 
          Security policies affect security operations. Ensuring IT server rooms and other assets are in controlled spaces is one function. However, physical access to controlled spaces may be dictated within the key custodian security policy. The key custodian policy will identify the individual responsible for maintaining the key to the IT space. Additionally, the policy will identify who possesses the master key and, if applicable, the grand master key. The policy should also prohibit the loaning of a key that is assigned to an individual. The latter element is identical to the usual IT policy of not sharing your digital key: the IT system’s password.
End
     Security policy should ensure that personnel files, sensitive information, and security vulnerability assessments are secure when not being accessed. This includes mandating sanitized desk spaces, providing locked drawers, promoting shredding, and requiring secure storage areas (Wimmer, 2015, pp. 170-171). The utilization of these policies and items helps to reduce access by discharged employees, especially those discharged under more unfortunate circumstances. Although this is under the “end” section, it takes place in the beginning. Proper background investigations for employees in sensitive positions, or those who have access to sensitive areas/information, may highlight questionable relationships, habits, or employment/financial history. IT can assist the physical security team by removing discharged individuals from the digital authorization lists used for the IT authentication and authorization processes. 
Conclusion
          This short [ 🙂 ] forum post is not all-inclusive. There are a variety of considerations involving the relationship between physical and IT security that I did not address here. Frankly, none of us can include every possible consideration in a single post. However, I hope that I have highlighted a couple of common topics and, perhaps, introduced a fresh perspective. 
My best to you,
Reference
Wimmer, B. (2015). Business espionage: Risks, threats, and countermeasures. ProQuest Ebook Central. https://ebookcentral.proquest.com/lib/apus/reader.action?docID=1997675