This article was originally published as a section of a 2007 white paper titled, Ten Rules for Putting Your Physical Security Systems onto the Corporate Network: How Physical Security Departments Can Successfully Make the Transition to IT-Centric Systems.
A unique challenge to physical security and IT collaboration is the terminology used in each domain. While the concepts are basically the same for most terms, a single term can refer to different items in each domain. For example, IP means Intellectual Property to corporate security, but Internet Protocol to IT security folks. For example, a physical security manager might say, “We have removed all the IP from the corporate network,” meaning that all critical intellectual property documents have been removed from computers connected to the corporate network. This would eliminate the threat of documents being accessed by a hacker on an internal or Internet network connection. That sentence would sound absurd to IT personnel, because network communications are based on IP messaging!
What happens when these terms come into play is that discussions go along fine until such a term is utilized. Then the participants who have another definition than the speaker has start developing strange ideas about what is being said. If it happens too much, one side or the other gets into a mental fog, and cant really track with the rest of the discussion. Parts of major initiatives have gone off the rails over this specific phenomenon. Table 1 below provides some examples of the terminology differences. Once aware of this phenomenon, participants can recognize when the definition difference has come up and address it on the spot.
Table 1. Examples of Terminology Differences
Term | Physical Security | IT |
---|---|---|
IP | Intellectual Property | Internet Protocol |
Credentials | ID Badge; Passport | Digital Certificate |
Key | Key for physical lock | Encryption key |
Perimeter | Fence line or exterior building walls | Network connection to outside or public networks |
Intrusion detection | Door/window alarm system | Computer & network hacker detection |
Directory | Lobby Building Directory | Electronic Network Directory |
Security Logs | Reception sign-in sheets; Journal of security officer shift notes | Lists of access attempts to computers and networks |
Revocation | Canceling and retrieving a security ID badge | Canceling a digital certificate |
Signature | Written signature | Digital signature |
On the other hand, there are a lot of common concepts between physical security and IT domains—after all, they both deal with security—and so Table 2 below provide examples of the commonalities between the two domains in terms of security concepts.
Table 2. Examples of Common Concepts
Security Component | Physical | IT |
---|---|---|
Perimeter Barriers | • Walls and fences | • Firewalls |
Access Control | • Locks & Keys • Keypad Pin Codes • Biometrics • Door Entry: Access Cards |
• RSA Tokens • Password Codes • Biometrics • System Login: Smart Cards |
Alarms | • Intrusion Detection: Motion Detectors, Glass Breaks, Door Contacts, Fence or Perimeter Intrusion Detection Systems (IDS) | • Intrusion Detection: Network Intrusion Detection Systems (IDS), Computer Anti-Virus Systems |
Investigative Tools | • Interviews • Collection of Evidence (Forensic Physical Science) • Evidence Analysis • Identify Cause or Suspect |
• Interviews • Collection of Evidence (Computer Forensics) • Evidence Analysis • Identify Cause or Suspect (Network Forensics) |
Notice i.e. “No Trespassing” | • Physical Signs (“Keep Out”) | • Computer Messages (“Keep Out”) • Acceptable Use Agreements |
Security Resources | • Contract Security Officers • 911 – Law Enforcement Response • Community Law Enforcement Programs |
• Consultants • High Tech Crime Units • FBI Infraguard Program • Carnegie Mellon/CERT |
Risk Assessment or Security Surveys | • Access Permissions Review • Threat and Vulnerability Analysis • Building Penetration Testing |
• System Configuration Inspection • Threat and Vulnerability Analysis • Network Penetration Testing |
Awareness and Training | • Incident Response Training • Executive Protection Training • Security Awareness Training |
• Incident Response Training • Protection of Information Training • Security Awareness Training |
Additionally, some terms that are in common use are not fully understood even by some of the people using them. For example, the term bandwidth is commonly used to refer to how busy a person is (I dont have the bandwidth for that today). People can also get all kinds of strange ideas when they try to take definitions from the context of the sentence. For example, Look at the screen, you can see there isn't enough bandwidth, can give someone the idea that the width of the visual image on the screen is what is meant by bandwidth, when the person was talking about the display of available network bandwidth. This has actually happened. And there have been people who think that CCTV refers to a cable television station like MTV rather than a camera surveillance systemClosed Circuit TV.
Understanding the importance of terminology, and that there are many shared concepts between physical and IT security, you have an excellent chance of success in moving your physical security systems onto the corporate network, and helping ensure that the business receives the full potential value of the systems, and that they are cyber secure.