An organization's most valuable asset is the personal information about and trust of its customers. Like other efforts to increase the level of information privacy at your company, awareness among employees is the most effective tool for improving processes and protections. But other measures should be taken as well, considering the size of the company and the sensitivity of the information being stored to determine which controls will be the most effective and necessary. A strong physical security plan—incorporated with other safeguards—is crucial to prevent loss or theft of important data assets.
"Administrative, technical, and physical safeguards" … Privacy-related regulations in the United States use this phrase to describe an all-encompassing program of protection for personal information collected from citizens. Just as significant as protecting a network from hackers or other outside network penetration is protecting the physical security of the machines that house the most critical of assets for an organization—its information.
Laws such as the Gramm-Leach-Bliley Safeguards Rule and the HIPAA Security Rule, as well as the National Association of Insurance Commissioners' proposed model regulation to be used by states in implementing security for the insurance industry, require that all three of these elements be incorporated into a data protection program. Organizations are left to determine what measures are most appropriate given their business practices, size, sensitivity of information, and other factors.
Recently, companies such as H&R Block and GMAC Insurance have found themselves in somewhat awkward situations when laptops and computers containing customers' personal information, such as names, addresses, and Social Security numbers, were stolen from their facilities and employees. These companies notified their customers and have had to deal with negative media attention. This brings to light the issue that physical security is no longer limited to a computer room location, but includes any equipment or media containing personal information.
Physical security is the protection of the location and equipment where information considered by management to be sensitive resides. In a safeguards program designed to comply with U.S. or state privacy regulations, personal data is the sensitive information requiring physical security protections. Physical security as part of a safeguards program would include protections of the facility housing servers and areas that contain wiring, support services, and backup media. It would also include removable media such as disks and hard copy printouts, as well as workstations and laptops with personal information located on a hard drive, intended or not.
This definition of physical security, including all hardware and media containing personal information, is a shift from traditional thinking, which has concentrated physical security resources on the data center and placed responsibility for the protection of physical assets with members of the IT function. Recent events and trends have demonstrated that all employees who work with an organization's personal information assets are responsible in part for the physical security of that information.
Enhancing Physical Security of Data Assets
Organizations must take a new approach to the physical protection of information assets, one that includes employees outside of the IT function and focuses on companywide policies and strong awareness campaigns. It is unlikely that the GMAC employees whose laptops were stolen seriously considered that such a theft could occur, or the impact that carrying that type of information unprotected on their laptops would have on the company and its customers. Awareness of the issue may have altered their actions and prevented the theft.
Companies can take a variety of steps to improve the physical security of personal information assets. Some measures may be more effective than others, depending on the characteristics and culture of the company and the nature of business. Some examples of programs that can improve physical security as a whole include the following.
Assigning a Companywide Physical Security Manager
It is quite common to have a management level position in the IT function for maintaining the security of the data center. This role would be expanded to include involving employees from across the company in protecting information assets that they work with on a regular basis. This individual would also be responsible for the development of policies and procedures for computers and media containing personal information across the company and the education of employees on these policies.
Additionally, this function might review current non-IT physical security measures (such as filing cabinets, use of diskettes, and laptop practices) and provide suggestions and an implementation plan for improvements. These responsibilities could be assigned to one individual or many, in departments such as internal audit, legal, or IT. The individual(s) given these responsibilities should report to senior management in order to have the support needed to implement these companywide initiatives.
Awareness programs can take a variety of approaches in educating employees about the physical security of the organization's information resources. The importance of physical security can be emphasized with a serious tone, or the approach can be fun in an attempt to be memorable. Either way, raising employee awareness is key to translating company policy and procedure into an everyday practice of stronger physical security.
Areas with Media Containing Personal Information Kept Low Profile
File and print rooms that house or process personal information should not contain signs or other indicators of the room's purpose or function. Even employees from other departments who do not use the areas should not be alerted to the room's function. Not calling attention to a sensitive area can deter unauthorized access or theft.
Precautions for Documents and Media
Locks or other mechanisms should be provided and used by employees to physically safeguard documents or media. In addition, inventories of the locations should be conducted regularly to ensure all are present. Exceptions should be immediately investigated and reconciled to ensure no theft has occurred.
Consider Theft and Vandalism
Physical locations housing sensitive personal information, such as file rooms, print rooms, and departments whose workers have regular access through their workstations, should be assessed to determine if their location is appropriate. Possible theft or vandalism by outsiders who gain access to the grounds or building should be considered when determining if a current location is secure enough, given the sensitivity of the information involved. For example, areas containing files with Social Security numbers or health information are higher risk than those containing only names and addresses.
While escorting visitors is typically limited to sensitive areas of the company, the spread of personal information access to workstations across the organization makes many more areas sensitive. Stricter policies on escorting visitors and on questioning unattended and unfamiliar individuals will help prevent the theft of information by social engineers. If employees wear access badges, guest badges should be issued to legitimate visitors, and a tight inventory should be maintained on the supply of guest badges to prevent theft.
Should third parties manage any part of the business requiring strong physical security, such as housing a data center or providing document management services, organizations should define qualifications and security requirements to be met contractually by those third parties and verify on a regular basis that the third parties are meeting those expectations, such as through an outside audit or a request for a SAS 70 review.
Similar contractual requirements should be made for businesses with which personal information assets are shared for the purpose of completing business processes or transactions, to ensure physical protections are in place during the provided services.
As organizations work toward compliance with state or U.S. privacy laws, improvements to physical safeguards work in conjunction with efforts to provide technical and administrative protections for personal information. Like other efforts to increase the level of information privacy at your company, awareness among employees is the most effective tool for improving processes and protections. Other measures can take into account the size of the company and the sensitivity of the information being stored to determine which controls will be the most effective and necessary. A strong physical security plan that is incorporated with the other required safeguards will help prevent loss or theft of personal information and protect your organization's most valuable asset—the personal information and trust of your customers.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.