
Tuesday, October 31, 2006

US PHYSICAL AND IT SECURITY WORKING TOGETHER TO PREVENT THEFT

http://www6.lexisnexis.com/publisher/EndUser?Action=UserDisplayFullDocument&orgId=563&topicId=13688&docId=l:524914723

Physical And IT Security Are Already Interwoven At Some Companies;
CS asks: How are these partnerships paying off in your organization?

Patrick Murphy, CPP, security director, Marriott International Inc./Washington:

The IT department in regards to credit card information is becoming more stringent, and also in relation to the physical security of the IT equipment that contains [guests'] credit card information. And so, I have been working with our IT department in creating their standards in regards to the physical protection of the IT servers that contain the credit card information.

John Martinicky, director of global security, International Truck and Engine/Warrenville, Ill.:

Corporate security and IT have had a close working relationship for a long period of time. We find a partnership works best. Security is responsible for data protection and while there are many similarities [between IT and security], there are differences as well. IT is responsible for controlling passwords, access, firewalls and, from a technical standpoint, the protection of the data that resides on our computer. Corporate security is always responsible for background checks, drug testing and investigations into policy violations.

The computers by themselves don't cause harm; it all centers around people. Where that threat exists, corporate security is responsible for identifying those risks from a prevention and investigative standpoint. We work with IT when investigations require identifying what people are doing with computers during and after work hours. Our partnership is strong on the investigative side and the protection of physical assets and intellectual assets that people - employees or outsiders - may put at risk.

We had a situation several years ago where somebody was basically providing information to an outside party. We were able to identify when the laptop left the facility. We used IT and some forensic tools to identify actually what was being sent over e-mail and what Web sites they were looking at, and with that information we tied the investigation together.

Mike Womer, chief of security and safety, Ohio Historical Society/Columbus:

We provide physical security for the IT department. The firewalls fall under the IT department, but the security department provides all the physical security [for IT] - the lock, the keys, the access control, the alarms for our network equipment and the control rooms. It's important to coordinate with every aspect of the organization. But, security and IT are two separate functions in our situation. We provide security for IT but also provide it for collections (and other departments).

Zachary Lowe, VP and CSO, Waste Management Inc./Houston:

Any company that takes credit card information is at high risk if there is not close coordination between physical security and the IT side, in protecting customer information and business records that should be segregated. There are numerous state statutes now on the books and additional [proposed] statutes regarding protection of customer information. Within our organization, a director of information safeguards reports to me, and his responsibility is oversight of IT security policies. He works closely with the IT organization on a routine basis.

We have a forensic audit function that reports to the director of information safeguards. They are in close coordination there because there is continuing need to monitor our network for internal issues. Since we all know that our greatest risk of compromise of customer data and company documents results from disgruntled employees, lax security on the part of employees or accident, it is important to monitor our networks with an eye toward a security perspective. Oftentimes, my experience is that IT professionals don't necessarily think the same way we do. It's important for them to incorporate that thinking at the outset of any new project or to continually look at the environment as we move forward, because threats are constantly changing.

And, of course, there is the impact of ever-changing employees. We find that employees move from company to company far more frequently than in the past, particularly in the IT environment. We need to keep closer account of those activities. It requires refresher training and continual follow-up. We have in our company an annual refresher security awareness program. Ours is a Web-based program, and that training needs to be given to new IT employees.

Jim Sawyer, security and transportation director, Children's Hospital and Regional Medical Center/Seattle:

Their relationship is pretty much inevitable. You can't have one without the other. They are merged, intertwined. You bundle them together. You need them both. You have to have firewalls and you have to have physical protection, too. What happens if you have somebody whom you want to discharge or terminate, and they are mad at you? How much can they do? How much can they get out of the system?

Those are important things [to consider]. They can really nail you. We have a process where if somebody is terminated for cause, we have them out of every system within an hour. For a standard termination, we have them out within a day. When they go home they are not going to be able to access our systems.

Source: Corporate Security, 10/31/2006

Copyright © 2006 by Strafford Publications, Inc. All rights reserved. Storage, reproduction or transmission by any means is prohibited except pursuant to a valid license agreement.

October 30, 2006
