Has Your Firm's Security Had A Physical?

By Craig Albrecht
November 28, 2011

Physical security and data security are converging in the enterprise law firm today. As physical security systems become more IT-centric, they are more often being identified as an application on the network and not as a disparate system. In fact, integrated access control and surveillance systems utilize a matrix of rights and privileges to control and monitor personnel access to physical security points and video in much the same way as one would control access to servers, drives and files on a network.

Gone are the days when a physical identification or a signature was an acceptable means of allowing entry to a building by an employee or visitor. No longer are security guards the first line of protection. They have been replaced by intelligent IP-based enterprise security systems that ideally are tied into the existing IT infrastructure and normally segmented via a Virtual Private Network (VPN).

A physical security solution may span multiple offices within a building, across several offices in a single city or throughout all of the firm's offices worldwide. This enables a firm to leverage its IT infrastructure in the same manner that it manages other applications and provides a uniform platform with a single point of command and control.

The need for an integrated physical security system has never been more important:

  • Clients expect that their communications with a firm are secure and uncompromised;
  • Law firms need to assure clients that their systems, facilities and data are secure;
  • Firm management needs to have systems in place that can maintain confidentiality for both physical and network security while being accessible on demand during security breaches or emergencies; and
  • Every firm needs to be able to maintain compliance with the myriad of regulations and best practices surrounding access to data and audits.

The Case for Integration

Ideally, a large multi-office firm can program, manage and monitor hundreds of security points and surveillance cameras in an integrated security system in much the same way that network security is administered.

In my experience, it is best to centralize all the offices on a single security management platform utilizing uniform access credentials and an enterprise-level video management solution. This simplifies deployment, is cost-effective and facilitates auditing and reporting.

This same system, linked with the Human Resources (HR) application, provides an efficient way to share information between applications. This can be as simple as adding an optional interface between the physical security and HR applications or through custom integration between databases.

In addition, integration of the visitor management process provides another level of sophistication to the firm's security profile. This allows for a single point of management whereby visitors may be associated with the employees that they are visiting. A system may be as simple as providing identification badges or temporary credentials that grant or deny access to the specific areas they are visiting.

The moment an employee leaves the firm for any reason, their physical access can be instantly terminated. This limits access, prevents removal of intellectual property and data sabotage, and mitigates potential threats to other employees.
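One way to verify that the HR linkage described above actually works is to reconcile HR separation records against the access control system's credential list and door event log. This is an added example, not code from the article or from any vendor's product; every field name, badge ID, door name and record below is constructed for illustration.

```python
from datetime import datetime

# Constructed sample data; the field names are hypothetical, not a product schema.
HR_RECORDS = [
    {"employee_id": "E100", "status": "active", "separated_at": None},
    {"employee_id": "E101", "status": "separated", "separated_at": "2011-11-01T17:00:00"},
    {"employee_id": "E102", "status": "separated", "separated_at": "2011-11-10T12:00:00"},
]
CREDENTIALS = [
    {"badge_id": "B-0001", "employee_id": "E100", "enabled": True},
    {"badge_id": "B-0002", "employee_id": "E101", "enabled": True},   # never disabled
    {"badge_id": "B-0003", "employee_id": "E102", "enabled": False},
    {"badge_id": "B-0004", "employee_id": "E999", "enabled": True},   # no HR record
]
DOOR_EVENTS = [
    {"badge_id": "B-0002", "door": "NY-14F-records",
     "time": "2011-11-03T21:14:00", "granted": True},
    {"badge_id": "B-0003", "door": "NY-lobby",
     "time": "2011-11-10T09:00:00", "granted": True},    # before separation
    {"badge_id": "B-0003", "door": "NY-lobby",
     "time": "2011-11-12T08:30:00", "granted": False},
    {"badge_id": "B-0001", "door": "NY-lobby",
     "time": "2011-11-12T08:31:00", "granted": True},
]


def audit(hr_records, credentials, door_events):
    """Return findings where physical access has drifted from HR status."""
    hr = {r["employee_id"]: r for r in hr_records}
    badge_owner = {}
    findings = []

    # Pass 1: credentials that should no longer open doors.
    for cred in credentials:
        badge_owner[cred["badge_id"]] = cred["employee_id"]
        person = hr.get(cred["employee_id"])
        if person is None:
            if cred["enabled"]:
                findings.append(("ORPHANED_BADGE", cred["badge_id"]))
        elif person["status"] == "separated" and cred["enabled"]:
            findings.append(("ENABLED_AFTER_SEPARATION", cred["badge_id"]))

    # Pass 2: badge use after the holder's separation time.
    for ev in door_events:
        person = hr.get(badge_owner.get(ev["badge_id"]))
        if person is None or person["status"] != "separated":
            continue
        used = datetime.fromisoformat(ev["time"])
        left = datetime.fromisoformat(person["separated_at"])
        if used > left:
            kind = ("ENTRY_AFTER_SEPARATION" if ev["granted"]
                    else "DENIED_ATTEMPT_AFTER_SEPARATION")
            findings.append((kind, ev["badge_id"], ev["door"], ev["time"]))
    return findings


if __name__ == "__main__":
    for finding in audit(HR_RECORDS, CREDENTIALS, DOOR_EVENTS):
        print(finding)
```

A granted entry after separation means deprovisioning failed; a denied attempt means it worked but is still worth reviewing alongside the associated video.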

Separate, But Integrated

Integration and centralization, you might think, is the universal approach an organization should follow to establish a security system. Well, yes and no.

I always stress standardization, but where there are infrastructure limitations, i.e., bandwidth, I may recommend a modified approach. That was the case at a law firm that recently upgraded its security system.

As part of an upgrade, which included 80-door access control points and 150 IP cameras that secured its four Manhattan locations, the firm chose to leverage its access control platform by deploying new installations at remote sites that communicate over a Wide Area Network (WAN). To reduce bandwidth requirements, video was locally recorded at each site but managed by an enterprise video management solution. This allowed for standardization but limited the bandwidth usage between its facilities to when video is streamed or reviewed from the archive.

Monitoring Is Mandatory

While it may be adequate to “ping” an IP endpoint to ensure that it is communicating, this is not sufficient when supporting a physical security network. Security systems have become more sophisticated, using servers, redundancy, master and sub-video recorders and storage devices where a ping does not ensure functionality. The last thing a security director wants is for data and video to be unavailable at the time of an incident or investigation.
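The gap between "answers a ping" and "is doing its job" can be made concrete with a functional health assessment over a device status snapshot. This is an added example, not code from the article or from any monitoring product; the device names, status fields and thresholds are all hypothetical and the snapshot is constructed.

```python
from datetime import datetime, timedelta

NOW = datetime(2011, 11, 28, 12, 0, 0)  # fixed clock so the example is reproducible

# Constructed status snapshot; names, fields and thresholds are hypothetical.
SNAPSHOT = [
    {"name": "cam-lobby-01", "kind": "camera", "ping_ok": True,
     "last_frame_archived": NOW - timedelta(seconds=20)},
    {"name": "cam-14f-03", "kind": "camera", "ping_ok": True,
     "last_frame_archived": NOW - timedelta(hours=6)},   # pingable, not recording
    {"name": "nvr-sub-02", "kind": "recorder", "ping_ok": True,
     "recording_service_up": False, "storage_free_pct": 40},
    {"name": "nvr-master", "kind": "recorder", "ping_ok": True,
     "recording_service_up": True, "storage_free_pct": 3},
    {"name": "san-video", "kind": "storage", "ping_ok": True,
     "array_state": "degraded", "retained_days": 12},
    {"name": "reader-b1-07", "kind": "reader", "ping_ok": False},
]

MAX_FRAME_AGE = timedelta(minutes=5)   # newest archived frame must be this fresh
MIN_FREE_PCT = 10                      # recorder volume headroom
REQUIRED_RETENTION_DAYS = 30           # assumed retention policy


def functional_faults(dev, now=NOW):
    """Checks that go past reachability: is the device doing its job?"""
    faults = []
    if dev["kind"] == "camera":
        if now - dev["last_frame_archived"] > MAX_FRAME_AGE:
            faults.append("no recent archived video")
    elif dev["kind"] == "recorder":
        if not dev["recording_service_up"]:
            faults.append("recording service stopped")
        if dev["storage_free_pct"] < MIN_FREE_PCT:
            faults.append("recording volume nearly full")
    elif dev["kind"] == "storage":
        if dev["array_state"] != "optimal":
            faults.append("array " + dev["array_state"])
        if dev["retained_days"] < REQUIRED_RETENTION_DAYS:
            faults.append("retention below policy")
    return faults


def assess(snapshot, now=NOW):
    """Map device name -> (state, reasons)."""
    report = {}
    for dev in snapshot:
        if not dev["ping_ok"]:
            report[dev["name"]] = ("DOWN", ["unreachable"])
            continue
        faults = functional_faults(dev, now)
        report[dev["name"]] = ("DEGRADED", faults) if faults else ("OK", [])
    return report


def missed_by_ping(report):
    """Devices a ping-only monitor would show as healthy."""
    return sorted(n for n, (state, _) in report.items() if state == "DEGRADED")


if __name__ == "__main__":
    for name, (state, reasons) in assess(SNAPSHOT).items():
        print(f"{name:14} {state:9} {', '.join(reasons)}")
```

In this snapshot a ping-only monitor would raise one alert, for the unreachable reader, while four devices that affect video availability go unnoticed.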

Many firms recognize the benefits of outsourced monitoring and have taken the next step in supporting their security systems by utilizing systems such as Managed Services for Physical Security Infrastructure (MSPSI).

MSPSI relieves the firm's IT staff of the burden of monitoring the infrastructure while assuring the firm that its systems are being managed to ensure high availability. Using tools developed for MSPSI, we often know about a problem with a card reader, camera or storage device and can resolve it before the client experiences any loss of system performance.

Moving forward to ensure that the firm's physical security is up to date, here are a few points to consider in the critical areas of protecting the enterprise, its data and its assets.

Access Control

Undoubtedly, physical access security plays an important role in managing and controlling access to critical areas, but it can also be very useful when integrated with your data security plan.

If compromised, it can lead to breaches in physical assets and data. According to Qing Hu, an Iowa State University information security researcher: “What our studies, and many others by my colleagues in the field of information security, have suggested is that internal computer fraud is a more significant issue than external hacking. External hacking gets headlines, but internal fraud, employees actually altering data or stealing secrets and sending them to other companies, is more prevalent than it is reported.”

Data security aside, an essential component of the physical security system is the use of access control devices (key cards, fingerprint recognition or other biometric readers) that allow passage through a lobby turnstile, floor entry or private office.

Let's Go to the Video

Most existing LANs have the bandwidth to support a surveillance application by segmenting the video on a VPN. This allows the firm to leverage its infrastructure, ease deployment and potentially to take advantage of existing storage and disaster recovery plans.

In fact, video has become the leading growth segment of the physical security market. In an article published by Electronics Research Network (www.electronics.ca), the video surveillance market is expected to grow at a rate of 20.4% from 2010 to 2015 (see, “Global Video Surveillance Market to Reach U.S. $37.7 Billion By 2015,” http://bit.ly/h86Boe).

Integrated with the access control system, video can be associated with alarm or access events by prompting live video and associating video clips with an incident, which simplifies investigative work.

Ideally, a firm will establish a centralized command center manned by security personnel to monitor the video, which can be streamed to a workstation or to mobile devices to further increase its availability.

Mobility and Security

While mobile devices provide unparalleled user benefits and lower-cost computing, they represent one of the major minefields for data security. Human error, together with inadequate password protection, results in the all-too-frequent lost or stolen computer that may have hundreds of files of important legal data on cases, witnesses and trial documents. A recent poll of large law firms conducted by CNA Insurance Company reveals that only 34% of firms track the whereabouts of portable media and storage devices.

Mobile devices may be equipped with RFID tracking capability and integrated with the access control platform. This allows for real-time tracking of the device while on the premises and can be linked to the access control and surveillance systems.

In addition to the physical access security of the devices, electronic security is an important part of the plan.

Safeguards may include:

  • Password improvement: consider centralized password programs that manage the function and generate effective passwords;
  • Improved data encryption; and
  • Installing device tracking software if none exists.

Virtualization

Another area in which to create efficiencies is the virtualization of these technologies. Virtualization platforms such as VMware, Xen or Microsoft products are slowly being accepted within the physical security space to leverage existing underutilized infrastructure. Several access control partners have also begun supporting virtualization, but you may want to ensure you have the right hardware to support the robust requirements of a video application.

Compliance

Physical and environmental security, as well as access control, are key components of compliance with current regulations. These include:

  • The Gramm-Leach-Bliley (GLB) Act and its key component of physical access controls;
  • As part of the Health Insurance Portability and Accountability Act (HIPAA) regulations, physical safeguards must exist. As per HIPAA, physical safeguards mean “physical measures, policies and procedures to protect a covered entity's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion”;
  • As part of Sections 302 and 404 of Sarbanes-Oxley (SOX), organizations must provide for internal controls. Any internal control review would not be complete without addressing controls around information security, including physically protecting where this data resides, i.e., a secure location; and
  • Statement on Auditing Standards No. 70 (SAS 70) requires physical security controls as part of the compliance process.

Other organizations, like the International Organization for Standardization (ISO), may have similar requirements to comply with the physical aspect of information security, such as ISO 17799.

In the end, information security and compliance cannot exist without physical controls on your data.


Craig Albrecht is Vice President of Security Management Systems Inc., a leading integrator of enterprise security solutions located in New York. He may be reached at [email protected].
