Physical and IT Security: Separated by a Common Language

Print Friendly, PDF & Email

This article was originally published as a section of a 2007 white paper titled, Ten Rules for Putting Your Physical Security Systems onto the Corporate Network: How Physical Security Departments Can Successfully Make the Transition to IT-Centric Systems.

A unique challenge to physical security and IT collaboration is the terminology used in each domain. While the concepts are basically the same for most terms, a single term can refer to different items in each domain. For example, “IP” means “Intellectual Property” to corporate security, but “Internet Protocol” to IT security folks. For example, a physical security manager might say, “We have removed all the IP from the corporate network,” meaning that all critical intellectual property documents have been removed from computers connected to the corporate network. This would eliminate the threat of documents being accessed by a hacker on an internal or Internet network connection. That sentence would sound absurd to IT personnel, because network communications are based on IP messaging!

What happens when these terms come into play is that discussions go along fine until such a term is utilized. Then the participants who have another definition than the speaker has start developing strange ideas about what is being said. If it happens too much, one side or the other gets into a “mental fog”, and can’t really track with the rest of the discussion. Parts of major initiatives have gone off the rails over this specific phenomenon. Table 1 below provides some examples of the terminology differences. Once aware of this phenomenon, participants can recognize when the definition difference has come up and address it on the spot.

Table 1. Examples of Terminology Differences

Term Physical Security IT
IP Intellectual Property Internet Protocol
Credentials ID Badge; Passport Digital Certificate
Key Key for physical lock Encryption key
Perimeter Fence line or exterior building walls Network connection to outside or public networks
Intrusion detection Door/window alarm system Computer & network hacker detection
Directory Lobby Building Directory Electronic Network Directory
Security Logs Reception sign-in sheets; Journal of security officer shift notes Lists of access attempts to computers and networks
Revocation Canceling and retrieving a security ID badge Canceling a digital certificate
Signature Written signature Digital signature

On the other hand, there are a lot of common concepts between physical security and IT domains—after all, they both deal with security—and so Table 2 below provide examples of the commonalities between the two domains in terms of security concepts.

Table 2. Examples of Common Concepts

Security Component Physical IT
Perimeter Barriers • Walls and fences • Firewalls
Access Control • Locks & Keys
• Keypad Pin Codes
• Biometrics
• Door Entry: Access Cards
• RSA Tokens
• Password Codes
• Biometrics
• System Login: Smart Cards
Alarms • Intrusion Detection: Motion Detectors, Glass Breaks, Door Contacts,  Fence or Perimeter Intrusion Detection Systems (IDS) • Intrusion Detection:  Network Intrusion Detection Systems (IDS), Computer Anti-Virus Systems
Investigative Tools • Interviews
• Collection of Evidence (Forensic Physical Science)
• Evidence Analysis
• Identify Cause or Suspect
• Interviews
• Collection of Evidence (Computer Forensics)
• Evidence Analysis
• Identify Cause or Suspect (Network Forensics)
Notice i.e. “No Trespassing” • Physical Signs (“Keep Out”) • Computer Messages (“Keep Out”)
• Acceptable Use Agreements
Security Resources • Contract Security Officers
• 911 – Law Enforcement Response
• Community Law Enforcement Programs
• Consultants
• High Tech Crime Units
• FBI Infraguard Program
• Carnegie Mellon/CERT
Risk Assessment or Security Surveys • Access Permissions Review
• Threat and Vulnerability Analysis
• Building Penetration Testing
• System Configuration Inspection
• Threat and Vulnerability Analysis
• Network Penetration Testing
Awareness and Training • Incident Response Training
• Executive Protection Training
• Security Awareness Training
• Incident Response Training
• Protection of Information Training
• Security Awareness Training

Additionally, some terms that are in common use are not fully understood even by some of the people using them. For example, the term bandwidth is commonly used to refer to how busy a person is (“I don’t have the bandwidth for that today”). People can also get all kinds of strange ideas when they try to take definitions from the context of the sentence. For example, “Look at the screen, you can see there isn't enough bandwidth,” can give someone the idea that the width of the visual image on the screen is what is meant by bandwidth, when the person was talking about the display of available network bandwidth. This has actually happened. And there have been people who think that CCTV refers to a cable television station like MTV rather than a camera surveillance system—Closed Circuit TV.

Understanding the importance of terminology, and that there are many shared concepts between physical and IT security, you have an excellent chance of success in moving your physical security systems onto the corporate network, and helping ensure that the business receives the full potential value of the systems, and that they are cyber secure.