Securing Today’s Organization from Cybercrime: Recommending a Holistic Approach to Virtual and Physical Safety


    Securing Today’s Organization from Cybercrime: Recommending a Holistic Approach to Virtual and Physical Safety - Presentation Transcript

Chuck Mackey - HISP, Executive Director, Technology Solutions Institute, Corporate College©

Introduction

Every day that passes brings new threats, attacks, and intrusions to computing environments across America. No business, organization, school district, non-profit or, for that matter, individual is completely safe from a rapidly expanding list of hackers, identity thieves, and cyber-villains. Inadequate cyber security and antiquated physical protection measures have inflicted serious damage on productivity, intellectual property and our prosperity, as a country and as citizens. I'm sure you or someone you know has a story about how identity theft negatively impacted their life. This is not fear-mongering; look only to sources such as privacyrights.org for a comprehensive list of logical (virtual) and physical breaches... that we know of. As of this writing, well over 260 million breaches [1] have occurred in only the last few years.

Consider these two very troubling items:

"In 2007, the Departments of Defense, State, Homeland Security, and Commerce; NASA; and National Defense University, all suffered major intrusions by unknown foreign entities. The unclassified e-mail of the secretary of defense was hacked... DOD officials claim the department's computers are probed hundreds of thousands of times each day." [2]

Recently, the White House itself had to deal with unidentifiable intruders in its networks. [3] Unfortunately, the list could go on and on.

So, where do we go from here? If the United States government can't secure its own virtual and physical environments, how can anyone ever hope to achieve success in doing the same?

First, it's vitally important we understand that "It could happen to us." But we also need to understand that we can continue to thrive even in the face of increased security measures. "Tighter" security does not necessarily mean "less access." Rather, it's precisely the opposite: tighter security, complemented with an improved ability to authenticate the users of your organization's computing environments, means granting them the appropriate access to the systems they need to perform their jobs.

Second, tighter security does not automatically mean "lock down." What it does mean is control: control over who has permission, who may grant permission, and what that permission allows you to view, copy, store, retrieve, print, enter and leave.

Third, not all the issues associated with improved virtual and physical security deal with technology; increased security can be achieved through policy, procedure, and process improvements.

Finally, by taking a holistic approach to security you understand both the "big picture" and the daily tasks associated with protecting data.

Here, then, are six action steps every organization should seriously consider.

Action Steps

1. Create a Comprehensive Security Strategy for Your Organization

Your senior-most leadership should formally state that security [4] is a fundamental principle of your organization and that it will seek to protect the integrity of data, ensure its confidentiality, and enable availability to it, given proper identification and authentication. Further, leadership should institute a Security Council that coordinates this strategy and then develops a tactical blueprint for security across each of your organization's business units, divisions, and departments. The security strategy must articulate goals, objectives, and tactics that identify the steps to achieve high levels of safe and secure computing, along with safe and secure physical access to facilities, without compromising worker performance. The starting point to advance these goals is to establish an organization-wide security policy that makes clear the organization's intention to protect data and to maintain integrity concerning your mission, vision, values, goals, and objectives.

2. Organize for Security

Leadership should appoint an Executive Director-Office of Security who oversees the Security Council. This role would have the responsibility, authority, accountability, and oversight to enact security initiatives, submit budget proposals relating to all aspects of security, manage approaches for all security measures, and collaborate with internal and external resources, including all vendors, suppliers, etc. The Office of Security would have top-level responsibility for developing the organization's security strategy, with input from the Council, into security procedure, and would handle the day-to-day implementation, operation, and performance of all elements in securing the College.

3. Establish Partnerships with the Community At-Large

The Office of Security, along with other representatives of the Security Council, should be an active and ongoing participant in critical affiliations outside the organization, such as InfraGard (a public-private partnership between the FBI and private, non-profit and education institutions) and other associations focused on IT, data retention, law enforcement, business continuity, legal matters, etc. The Office of Security should establish relationships with area businesses and organizations that operate key infrastructure throughout the organization's operating environment. In the event of a mass casualty, hazard, or weather-related event, the Office of Security must be in a position to provide input to your organization's leadership on any and all contingency plans for ongoing operation. This can only be accomplished if the Office of Security is "plugged into" the local, regional, state, and federal environments that are in the know.

4. Regulate Security

Leadership should empower the Office of Security with the ability to issue standards and guidelines for securing the organization across all virtual and physical environments. This includes your current operating environments and those anticipated in the plans over the next decade. Without including security in discussions, plans, and blueprints, you risk sub-optimizing overall security and integrity.

An absolute necessity in regulating security is a security framework [5] that establishes the "rules of the road." The framework aids in accomplishing three security requirements:

- assessing security risks for the organization;
- identifying and adhering to the relevant legal, statutory, regulatory, and contractual requirements of the organization;
- formalizing a set of principles, objectives, and requirements for security to support all of the organization's security initiatives.

We recommend utilizing a proven, internationally accepted framework; specifically, ISO/IEC 27001:2005 and ISO/IEC 27002:2005 for compliance and certification. The ISO framework provides three extremely important elements for regulating organization-wide security:

Control: Defines the specific control statement (domain) to satisfy a security objective;
Guidance: Provides the detailed implementation explanation for a security control;
Related Information: Provides any explanation related to controls concerning critical factors, such as legal considerations/legislation, directives, etc.

Built into this framework is the Information Security Triad [6]: Confidentiality, Integrity, and Availability. Confidentiality means ensuring that relevant information (data) is accessible only to those people who are authorized to have access. Integrity means protecting the accuracy and completeness of relevant information and any associated processing methods. Availability means ensuring that authorized users have access to relevant information and associated assets when and where it's required. Additionally, other significant properties, including authenticity, accountability, reliability and non-repudiation, can also be framed within ISO.

But perhaps the most important consideration within the ISO framework is its domain orientation. ISO/IEC 27002:2005 identifies eleven domains of information security:

1. Security Policy
2. Organization of Information Security
3. Asset Management
4. Human Resources Security
5. Physical and Environmental Security
6. Communications and Operations Management
7. Access Control
8. Information Systems Acquisition, Development and Maintenance
9. Information Security Incident Management
10. Business Continuity Management
11. Compliance

The ability to implement security practices against each domain is best handled by a certified information security practitioner. The author recommends that the Executive Director-Office of Security hold the Holistic Information Security Practitioner (HISP) Certification from the HISP Institute. The HISP Certification addresses each of the eleven domains, as well as providing a substantial level of detail concerning a number of technical security certifications, including the Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), and selected Business Continuity certifications. It's rare that an organization of any size would entrust its financial integrity to someone other than a Certified Public Accountant (CPA) or someone without significant financial bona fides. Similarly, none of us would entrust our healthcare to unlicensed medical professionals. Why should the organization as a whole compromise its important assets? Through the adoption of the ISO framework, implemented via the HISP method, the organization establishes the authoritative, governing security body of knowledge and formalizes the metrics and vocabulary concerning all security matters.

5. Credential Management for Security

It may seem trivial, but the ability to identify and authenticate ourselves to the employer is perhaps the single most important aspect of sound security practice. Being able to accurately, honestly, and reliably prove who we say we are each and every time it's required, whether electronically or otherwise, is a proactive defense against malfeasance. The organization should enact strong identity management based on in-person proofing (photo-badge cards, physically worn proximity cards) and virtual proofing (strong passwords, computer keycards, biometrics, etc.). This certainly includes the use of verification devices, but most assuredly must include a complete re-thinking of procedures for entry into your physical spaces and virtual systems. No better example exists than the security-compromising issues associated with the myriad "remote databases" in the form of Excel and Access reports on desktops, laptops, flash drives, and personal home computers. Access to the organization's facilities and systems should only occur via organization-issued credentials that are consistent with protecting privacy and civil liberties.

6. Revise Authority

Leadership should revise who holds authority over decisions concerning the investigation, purchase, adoption, and integration of any technology used for monitoring and other day-to-day security enforcement that is enabled by organization-wide technology. This does NOT mean interfering with decisions directly associated with actual police work: investigations, responding to incidents, or administering violations. Rather, the Office of Security should be front-and-center on all decisions regarding the network, unified communications platform, data center, Virtual Private Network (VPN) access, and the deployment of mobile computing devices (laptops and Personal Digital Assistants) throughout the entire organization.

Summary

Security is at or near the top of the list on just about everybody's agenda these days: the federal government, EDUCAUSE, and major IT advisory firms and consultancies like Gartner, Deloitte, and others. Cyber crime, whether viewed as a terrorist activity, country-to-country espionage, malicious hacking, identity theft, or defamation, poses a serious blow to economic vitality and personal safety. We are in for a long struggle with increasingly diligent and well-funded cyber-criminals, foreign intelligence agencies, and sophisticated terrorist organizations, all bent on compromising our data for their gain. Focus on re-thinking your approach to IT security; it is much more than protecting your network. Re-think your position concerning Public Safety and Business Continuity, and how each of these is impacted by, and also impacts, decisions concerning data confidentiality, integrity, and availability.

Notes

[1] Breach is defined as any incident relating to or involving hackers, identity thieves, stolen or lost data processing devices (such as computers, networks, telecommunications devices and systems, discs, and storage media such as flash drives, memory, and tapes), or break-ins to buildings, vehicles, data centers, homes, etc., where data was involved. http://privacyrights.org/
[2] Securing Cyberspace for the 44th Presidency: A Report of the CSIS Commission on Cybersecurity for the 44th Presidency, Washington D.C., 2008.
[3] See note 2.
[4] Security throughout this paper means both virtual (logical) and physical security. "Virtual" refers to anything associated with the electronic storage, processing, and retrieval of data. "Physical" means accessibility to buildings, departments, rooms, vehicles, etc.
[5] Framework: a structure designed to support something; it provides repeatable, measurable planning processes and a roadmap to help manage security-related activity.
[6] eFortresses Security & Compliance, 2008.
