Скачать книгу

endpoints are typically set for short periods, such as 10 minutes, based on similar reasoning. Specific applications platforms and the portals that your users access them through may need to impose their own timeout periods and choose whether to use timeout warning reminders, based on specific systems security needs.

      Another time-based technical control, the merits of which are hotly debated, is password aging; this sets a time period (usually measured in days, not minutes) after which a user must change their password. Other password policy settings can limit password reuse as well. Password aging, length, complexity, or other password characteristics should be determined as part of your integrated approach to identity management and access control; proper implementation of multifactor authentication, for example, may provide greater security and ease of use than complex, rapidly aging passwords were once thought to provide.

      All of these settings should be subject to formal configuration management and control and documented in some fashion so that an incident response team, network operations staff, or the IT team can quickly refer to them to determine whether the alarms are sounding due to a misconfigured control or because a security incident is occurring.

      Physical Controls

       Human Vigilance—Keep It Working for You

      Whether you consider it part of your physical or administrative control systems, the human element in your security architecture can and should provide significant return on your investment in it, which you can achieve by treating them as professionals. Recruit them as if they matter to you (which they do!). Make sure that initial onboarding and training informs, empowers, and inspires them.

      You have a leadership opportunity with everyone involved with security operations, whether you're their supervisor or not. Step up to that challenge, work with them, and lead them as a team to be part of what keeps everybody's jobs secure. No matter what functions they perform or whether they stand around-the-clock watches and patrols or only work normal business hours, they can be pivotal to keeping your systems and your company safe—or become some of the weakest links in your chain of security if you ignore them or let others in the organization treat them shabbily.

      And if it's your first day on the job, be sure to treat each and every one of them as the helpful, dedicated professional that they are. The paybacks of this strategy can be unlimited.

      Controlled entry systems, such as mantraps and turnstiles, are electromechanical systems at heart. On the one hand, these must interface with some portion of your identity management and access control systems to be effective; on the other hand, they need routine maintenance, as well as remedial maintenance when they fail during use. In most cases, human guards or controllers are present in the immediate vicinity of such control points.

      Controlled egress systems may employ the same physical, logical, and administrative tools as used to control entry into and movement within a facility; they bring the added benefit of controlling inventory, equipment, software, or data loss (sometimes called shrinkage by wholesale and retail businesses), by both deterring and preventing unauthorized removals from occurring. This usually requires a degree of search of property as it leaves the controlled area. A growing number of high-technology firms, especially in biotechnology, rigorously enforce controlled egress and search as vital components of protecting their intellectual property and competitive advantage.

      Video and audio monitoring systems have become standard elements in most security systems—and all the more so as the costs of fully digital systems have become much more affordable. Even the small office/home office (SOHO) entrepreneur can afford a multicamera, digital video recorder security system, complete with Internet interfaces for remote monitoring. Many security cameras now come with infrared LEDs that provide surreptitious illumination of the scene, which improves monitoring significantly without needing to add visible light floodlighting systems and their power distribution and control elements; note that after keeping the lenses clean, proper lighting is essential for useful image quality.

      Inspection and maintenance of physical control systems is vital to continued security. Administratively, there should be no surprises here; if a maintainer or inspector shows up, your on-shift, on-site guards and monitors and the security control force all need to first authenticate their identity and further confirm that they've been properly called out or dispatched to perform a specified set of tasks.

      All physical control systems elements should be documented and under formal configuration management and control appropriate to their physical nature. Concrete block exterior walls, for example, should not be subject to having holes drilled or cut into them without proper authorization. The security department might not control or manage all of this documentation or the change management processes for the structural elements of the physical security aspects of your systems; regardless, your organization's security needs suggest how closely the building maintenance teams and the security teams need to work with each other.

      In most organizations and the cultures they are rooted in, there is a natural hierarchy of guidance and direction, starting with broad, sweeping, and visionary statements that get progressively less motivational as they become more prescriptive. Subsequent layers become proscriptive, tending to have as many “thou shalt nots” as they have “shall” statements in them (if not more). Although the names for many of these layers may be different in different settings and cultures, it's still reasonably useful to expect the same basic layers of policies, standards, procedures, baselines, and guidelines.

      Policies

      Policies are at the heart of what the organization is trying to accomplish. At a high level, policies provide critical instruction to senior executive management to implement measures to achieve external compliance expectations or support the larger strategic vision of the organization. This layer of senior management then promulgates these vision statements down to more tactical and operational managers both as policy statements and in finer-grained direction.

Скачать книгу