Protecting Data Assets: Not Just a Cyberspace Issue

June 2004

An organization's most valuable asset is the personal information about, and the trust of, its customers. Like other efforts to increase the level of information privacy at your company, awareness among employees is the most effective tool for improving processes and protections. Other measures should be taken as well, weighing the size of the company and the sensitivity of the information being stored to determine which controls will be the most effective and necessary. A strong physical security plan—incorporated with other safeguards—is crucial to preventing the loss or theft of important data assets.

by Kara Spooner, edited by Gary E. Clayton
www.privacycg.com

"Administrative, technical, and physical safeguards" … Privacy-related regulations in the United States use this phrase to describe an all-encompassing program of protection for personal information collected from citizens. Just as significant as protecting a network from hackers or other outside network penetration is protecting the physical security of the machines that house the most critical of assets for an organization—its information.

Laws such as the Gramm-Leach-Bliley Safeguards Rule and the HIPAA Security Rule, as well as the National Association of Insurance Commissioners' proposed model regulation to be used by states in implementing security requirements for the insurance industry, require that all three of these elements be incorporated into a data protection program. Organizations are left to determine which measures are most appropriate given their business practices, size, sensitivity of information, and other factors.

Recently, companies such as H&R Block and GMAC Insurance have found themselves in somewhat awkward situations when laptops and computers containing customers' personal information (names, addresses, and Social Security numbers) were stolen from their facilities and employees. These companies notified their customers and have had to deal with negative media attention. This brings to light the issue that physical security is no longer limited to the computer room, but extends to any equipment or media containing personal information.

Physical security is the protection of the location and equipment where information considered by management to be sensitive resides. In a safeguards program designed to comply with U.S. or state privacy regulations, personal data is the sensitive information requiring physical security protections. Physical security as part of a safeguards program would include protections of the facility housing servers and areas that contain wiring, support services, and backup media. It would also include removable media such as disks and hard copy printouts, as well as workstations and laptops with personal information located on a hard drive, intended or not.

This definition of physical security, including all hardware and media containing personal information, is a shift from traditional thinking, which has focused physical security resources on the data center and placed responsibility for protecting physical assets with members of the IT function. Recent events and trends have demonstrated that all employees who work with an organization’s personal information assets are responsible in part for the physical security of that information.

Enhancing Physical Security of Data Assets

Organizations must take a new approach to the physical protection of information assets, one that includes employees outside of the IT function and focuses on companywide policies and strong awareness campaigns. It is unlikely the GMAC employees whose laptops were stolen strongly weighed that such a theft could occur or the impact that carrying around that type of information unprotected on their laptops would have on the company and its customers. Awareness of the issue may have altered their actions and prevented the theft.

Companies can take a variety of steps to improve the physical security of personal information assets. Some measures may be more effective than others, depending on the characteristics and culture of the company and the nature of business. Some examples of programs that can improve physical security as a whole include the following.

Assigning a Companywide Physical Security Manager

It is quite common to have a management-level position in the IT function for maintaining the security of the data center. This role would be expanded to involve employees from across the company in protecting the information assets they work with on a regular basis. This individual would also be responsible for developing companywide policies and procedures for computers and media containing personal information, and for educating employees on those policies.

Additionally, this function might review current non-IT physical security measures (such as filing cabinets, use of diskettes, and laptop practices) and provide suggestions and an implementation plan for improvements. These responsibilities could be assigned to one individual or many, in departments such as internal audit, legal, or IT. The individual(s) given these responsibilities should report to senior management in order to have the support needed to implement these companywide initiatives.

Awareness Programs

Awareness programs can take a variety of approaches to educating employees about the physical security of the organization’s information resources. The importance of physical security can be emphasized with a serious tone, or the approach can be fun in an attempt to be memorable. Either way, raising employee awareness is key to translating company policy and procedure into an everyday practice of stronger physical security.

Areas with Media Containing Personal Information Kept Low Profile

File and print rooms that house or process personal information should not contain signs or other indicators of the room’s purpose or function. Even employees from other departments who do not use the areas should not be alerted to the room’s function. Not calling attention to a sensitive area can deter unauthorized access or theft.

Precautions for Documents and Media

Locks or other mechanisms should be provided and used by employees to physically safeguard documents or media. In addition, inventories of the documents and media at each location should be conducted regularly to ensure all are present. Exceptions should be immediately investigated and reconciled to ensure no theft has occurred.

Consider Theft and Vandalism

Physical locations housing sensitive personal information, such as file rooms, print rooms, and departments whose workers have regular access through their workstations, should be assessed to determine if their location is appropriate. Possible theft or vandalism by outsiders who gain access to the grounds or building should be considered when determining whether a current location is secure enough, given the sensitivity of the information involved. For example, areas containing files with Social Security numbers or health information are higher risk than those containing only names and addresses.

Escort Visitors

While escorting visitors is typically limited to sensitive areas of the company, the spread of access to personal information across workstations throughout the organization makes many more areas sensitive. Stricter policies on escorting visitors and questioning unattended and unfamiliar individuals will help prevent the theft of information by social engineers. If employees wear access badges, guest badges should be issued to legitimate visitors, and a tight inventory should be maintained on the supply of guest badges to prevent theft.

Third Parties

Should third parties manage any part of the business requiring strong physical security, such as housing a data center or providing document management services, organizations should define qualifications and security requirements to be met contractually by those third parties and verify on a regular basis that they are meeting those expectations, for example through an outside audit or by requesting a SAS 70 review.

Similar contractual requirements should be made for businesses with which personal information assets are shared for the purpose of completing business processes or transactions, to ensure physical protections are in place during the provided services.

Conclusion

As organizations work toward compliance with state or U.S. privacy laws, improvements to physical safeguards work in conjunction with efforts to provide technical and administrative protections for personal information. Like other efforts to increase the level of information privacy at your company, awareness among employees is the most effective tool for improving processes and protections. Other measures can take into account the size of the company and the sensitivity of the information being stored to determine which controls will be the most effective and necessary. A strong physical security plan that is incorporated with the other required safeguards will help prevent loss or theft of personal information and protect your organization’s most valuable asset—the personal information and trust of your customers.


Kara Spooner, CPA, CISA, is a senior consultant with Privacy Council, an international privacy consulting and technology firm, where she assists clients in a number of industries in assessing privacy risks for legislative compliance and best practices and in implementing comprehensive solutions using web technologies and policy and procedure development. She has also developed privacy-focused client information management processes such as privacy policy reviews, data flow mapping, and gap analysis. A Certified Public Accountant and Certified Information Systems Auditor, she is a graduate of Texas A&M University, College Station, with a BS and MS in Accounting Information Systems. Ms. Spooner can be reached at kara.spooner@privacycouncil.com.


Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.

© 2000-2009 International Risk Management Institute, Inc. (IRMI). All rights reserved.