
Information Security: Information security deals with the protection of information and the systems associated with it.

Adhering to the principles of confidentiality, integrity, availability and accountability is essential. Loss of information can have many disastrous effects. When customer data is leaked, customers lose faith in the company, which leads to a loss of reputation. This reputational risk affects the company's market share and competitive advantage. Information, once lost, cannot be recovered; there is no insurance for the loss of data.

Protecting information, in addition to the company's physical assets, therefore becomes an important business requirement. Information security is also required from a legal perspective. Since the 9/11 disaster and the Anthrax mail attacks, information security, personnel security and physical security have come to be seen as closely related. With data being located outside the organisation at data centres or in the cloud, the importance of physical security is on the rise. Since the loss of employees and physical components has a negative impact on the organisation, good physical and personnel security is required even when very high information security is already in place.

Threats faced by companies:

In addition to protection from external threats, companies are increasingly concentrating on protection from internal risks, which include both accidental and intentional threats by their employees. Some of the threats faced by companies are:
- Loss/theft of laptops and portable storage devices
- Trojan horses, viruses, worms, botnets, cyber warfare
- Attacks on databases, cross-site scripting
- Attacks on wired and wireless networks, phone attacks and VoIP
- Access by unauthorised individuals
- Phishing/pharming, spam, spyware

Organisations take steps to enforce security by concentrating on physical security in their premises, through security compliance initiatives and security audits. Analysing log data helps to detect attacks, and other measures like vulnerability assessment and penetration testing are also performed. Some companies require employees to take a compulsory vacation. This enables the authorities to audit the employee's files, and it also makes the employee aware that his actions are being monitored, which reduces his indulgence in malicious activities.

Companies also restrict the amount of information available to an individual through access control, based on the principle of least privilege. By restricting physical access and access to information, both accidental and malicious modifications to data are prevented. Password management is also important. Separation of duties helps prevent unauthorised access to information: rather than a single person being responsible for a critical task, two people are involved, which prevents an individual from copying, modifying or removing the information. This is usually deployed in the financial domain. Job rotation makes all employees aware of each other's job functions. This enables employees to detect information misuse, and every person can be audited by others.

Employment policies:

Regulatory compliance, customers' demand to protect personal information and new innovative technologies are all factors which affect security principles. End users also play a role in the protection of information. Companies frame policies to enforce information security during their hiring process. Job descriptions and interviews are framed in a way that highlights information security practices and makes the candidate's access rights clear.
Background checks governed by the FCRA (Fair Credit Reporting Act) are conducted to examine the candidate's credibility according to the job position and the industry. An information security briefing should be part of the orientation for new employees and should also be provided during on-the-job training. This creates awareness and helps the employee understand his responsibilities in terms of security. Employees are required to sign contracts stating the information security policies, which ensures that they protect the informational assets. Regularly educating employees about the policies and various best practices has been adopted by many organisations in recent years. Though the time consumption is considerably high, it has become a necessity. Support from top management is essential for such initiatives. Adherence to the security policies should also be part of the performance review.

Policies are also put in place to manage employee termination. Regardless of whether the departure is hostile or friendly, organisations need to take care of certain aspects such as revoking access to systems and physical buildings and the return of official gadgets and storage devices. Exit interviews are conducted to enforce non-disclosure agreements. In addition, policies are also enforced for temporary employees, contract employees, consultants and business partners. They too are subject to non-disclosure agreements, access control and restriction of physical access to prevent information theft.

Ensuring privacy of personal employee data:

Kraft Foods Inc. is the second largest food and beverage company in the world, with offices around the world. This case study describes how the company had to reorganise its systems to comply with the European Union Directive on the Protection of Personal Data. Kraft Foods Inc. collects employee data and uses it for various operations like the calculation of compensation and benefits. With employees all around the world, the company has to follow the regulations of each country of operation. The European Union Directive on the Protection of Personal Data puts forward certain requirements:
- Personal data should only be collected for legitimate purposes and stored only for the period necessary for its use.
- Employees should be informed of the purpose for which data is collected, and collection may proceed only with their approval. They should be able to check and update their data.
- Personal data can be processed only after consent, and employees also have the right to object to the use of their data.
- Proper technical and organisational controls should be in place to protect employee data.
- Restrictions are also placed on the transfer of data outside the EU.

This led the company to reorganise its HR system. The SAP HR system was introduced with servers in a secure data centre.
A Data Transfer Agreement was established between the company and the other entities operating in the EU, in accordance with the European Union Directive on the Protection of Personal Data. It enabled restricted transfer of employee information and prevented improper use of the data. Only authorised persons were allowed access to the data, and employees were given the right to access and correct the data belonging to them. Privacy of the employee data was thus preserved. A chief information security officer was appointed. He was responsible for the overall planning and implementation of IT security in the company. Security needs were aligned with business requirements. A structure was established and information security policies were formed in accordance with the Sarbanes-Oxley Act of 2002. Disaster management, recovery and backup were planned. Access to the system was restricted by user IDs and passwords, which prevented unauthorised access to employee accounts. Password controls were established. Access privileges were granted according to job responsibility. Employee data was used only for legitimate purposes and only by people authorised to process it. Sensitive data was identified and protected. Emphasis was given to security in the company's Code of Conduct. Employees were constantly educated about security principles and practices through interactive web-based training.

Adherence to industry regulations creates awareness of security among management. Care should also be taken that, in concentrating on security, the business objectives are not forgotten. The security measures taken by companies should not be overly restrictive, as this may reduce the productivity of the organisation. Employees may also choose to ignore the policies or search for alternative ways around them when they are too stringent. Thus the right balance between security and usability should be achieved.
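As an added example (not part of the original essay, nor the system of any company described in it), the following Python models the least-privilege and separation-of-duties controls discussed above and the role-based access privileges of the Kraft case: a role carries only the permissions its job needs, a critical action runs only after a second, distinct person approves it, and every decision is written to an audit log. The role names, permissions and users are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical role-to-permission map (constructed for this example): each role
# carries only the permissions its job function needs (least privilege).
ROLE_PERMISSIONS = {
    "clerk": {"payment.request"},
    "supervisor": {"payment.request", "payment.approve"},
    "auditor": {"audit.read"},
}

class PolicyViolation(Exception):
    """Raised when an action would break least privilege or separation of duties."""

@dataclass
class CriticalAction:
    action_id: str
    requester: str
    approver: Optional[str] = None
    executed: bool = False

class DualControl:
    """A critical action runs only once a distinct, authorised person approves it."""

    def __init__(self, users: Dict[str, str]):
        self.users = users                # user -> role
        self.audit_log: List[str] = []    # every decision is recorded for auditors

    def _require(self, user: str, permission: str) -> None:
        role = self.users.get(user)
        if permission not in ROLE_PERMISSIONS.get(role, set()):
            self.audit_log.append(f"DENY {user}: lacks {permission}")
            raise PolicyViolation(f"{user} may not perform {permission}")

    def request(self, user: str, action_id: str) -> CriticalAction:
        self._require(user, "payment.request")
        self.audit_log.append(f"REQUEST {action_id} by {user}")
        return CriticalAction(action_id, user)

    def approve(self, user: str, action: CriticalAction) -> CriticalAction:
        self._require(user, "payment.approve")
        if user == action.requester:  # separation of duties: no self-approval
            self.audit_log.append(f"DENY {user}: self-approval of {action.action_id}")
            raise PolicyViolation("the requester cannot approve their own action")
        if action.executed:
            raise PolicyViolation(f"{action.action_id} was already executed")
        action.approver, action.executed = user, True
        self.audit_log.append(f"APPROVE {action.action_id} by {user}")
        return action
```

A supervisor who raises a request still cannot approve it, so a single insider cannot complete the critical task alone, and the denied attempts remain visible in the audit log.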

Physical security:

Physical security is the protection of physical buildings, hardware, desktops, documents and data centres from unauthorised access. It aims to protect against intentional attacks by malicious attackers as well as natural disasters. It provides for detection of any security breach and enables faster recovery through backup and disaster recovery measures. Physical security is essential to protect an organisation's information and data. Protecting information against infiltration, i.e. physical hardening, is important. At present, organisations increasingly rely on data centres or cloud services located outside their premises. Physical security includes protection of these third-party data centres as well as protection in the cloud. It is important for the client company to audit the security of third-party vendors regularly, to check that they are in accordance with the required legal security compliances. Some of the measures taken by organisations are:
- Smart card access to restricted areas
- Fire and burglar alarms
- Surveillance cameras
- Heat/motion detectors, noise/room monitoring
- Biometric access controls

Employees are provided with uniforms and access cards to gain access to buildings or specific functions. This enables access control and prevents unauthorised access. In addition to providing access cards for physical entities, access cards should also be used to access other areas of the company like the network, data, etc. Many companies are trying to adopt a single access card method to protect various system accesses, as in universities. This access card should be integrated with the database so that all the activities of the employee can be monitored.

Portable devices are prone to security risks. In addition to theft of devices by outsiders, it is essential to prevent misuse by internal employees. Following the DBS case of a former employee stealing customer data, companies have put in place various policies on the usage of thumb drives. Some disable the plugging in of thumb drives to prevent employees copying official data. Other companies allow copying into the system but block copying the other way. Company-issued flash drives are a good alternative: these protect against viruses and can also be used for auditing purposes. A balance between security and productivity is essential when it comes to portable storage devices.

The recent DBS Bugis Street ATM fraud has created awareness among banks regarding physical security. The ATMs were compromised by installing card readers and a camera to record the PIN and the contents of the magnetic stripe. This has caused banks to reconsider their security mechanisms to prevent future incidents.

Convergence of physical security and IT:

The importance given to physical security has increased since the 9/11 disaster and the Anthrax mail attacks. Information security is closely related to physical and personnel security. Even if very high information security practices are in place, good physical security is required, because the loss of the company's physical assets and employees can have a negative impact on the organisation. The most prevalent physical security measure is surveillance cameras around the facility; however, these tapes should be stored and audited regularly. Of late, legacy cameras are being replaced by IP cameras, which have the advantage of efficiency and cost. Whereas legacy cameras are expensive to deploy and monitor, the new IP cameras have greater analytical capabilities at a lower cost. However, problems like storage and high bandwidth consumption arise. This paves the way for the convergence of IT and physical security. Even a very good security system, when designed poorly, can have disastrous effects. Security systems that are not configured properly can affect the productivity of the organisation. Hence the physical security team and the IT team have to work together to put up a good system. While the physical security team decides the placement and control of cameras, identifies the high-risk areas, and determines the motion patterns, resolution and recording level needed in each area, the network team deals with the backend network infrastructure. This prevents the network from being overloaded with high-resolution video feeds due to improper network configuration.

The video tapes from the surveillance cameras need to be audited regularly and stored for at least 90 days according to the PCI regulation. Storage of these high-volume camera feeds is a daunting task. Storage in the cloud is usually not adopted because companies generally prefer not to move sensitive data out of their premises. However, there have been advances which allow transfer at off-peak hours.

Case study of Advo Inc.:

Advo Inc. is the largest direct mail advertising service in the United States. The company's advertisements reach almost all households. Initially, physical security was given the least importance in the company. Other than physical guards at some of the premises and occasional background checks, no other formal methods or policies were established. After the 9/11 attack and the following Anthrax mail attacks, the company began to examine its security policies. With the general public afraid to receive mail, its business was at risk. Numerous measures were taken in response to these attacks. An equipment cleaning process was established which prevented spores from contaminating the mail. The management structure was reorganised and new directors were appointed to take care of security. Experts were hired to analyse the existing state of security and risk, and suitable methods were suggested. Professionals were hired for IT and physical security. The Director of IT Security and Enterprise Architecture was responsible for the protection of the data centre, software protection, access control, network monitoring and formulating the disaster recovery plan. Policies were formed in accordance with the various guidelines. Physical security was also improved: improved outdoor lighting and fencing were provided in the premises, access control was established, and visitors were allowed only in a specific area. Badges and parking permits were issued to employees and visitors, and log entries were maintained to monitor their activities. A Security Control Centre (SCC) was established which served to integrate the company's security management system. This centre monitored all the activities of employees and visitors by integrating all the applications. Real-time access control was also provided. Security tours were conducted twice a day. Security cameras and alarm systems were installed in every facility. The servers were protected against unauthorised attack. Employee authentication was through passwords, and suitable password controls were established. Software patches were applied regularly, and internet data was tracked and audited. Snort sensors were deployed to detect network intrusions. Disaster recovery plans were formulated and security audits were conducted regularly. This integration of security has helped the company to improve the efficiency of its security system and lower costs.

Management support is essential for the convergence of physical security and IT. A proper organisational structure and reporting hierarchy must be formed, defining the roles and responsibilities of each employee. Security awareness and training is an important part of any organisation. Employees should be regularly educated about security principles, separation of duties and best practices.

References:
1. Information Security: Contemporary Cases - Marie Wright and John Kakalik
2. Principles of Information Security - Michael E. Whitman and Herbert J. Mattord
3. Security Convergence, Information Week Analytics, August 2009
4. State of Security - What Keeps InfoSec Pros Awake at Night, Information Week Analytics, February 2009
