Corporate Information Security
Corporate security
Jarno Niemelä Jargon@iki.fi

We Do Not Live In The Internet
● Fire
● Burglary
● Employees stealing from company
● Key person becomes unavailable
● Water damage
● Terrorist/Activist attack
● Competitor spying
● Confidential information leaks to press

Topics For The Day
● Employee safety and security
● Building security
● Alarms and monitoring
● Building safety
● Storage of valuables
● Risk management

Employees
● The most important asset
● But also the greatest risk
● Employee skills, efficiency and morale determine how your company does
● Good personnel management is the most important thing when running a company
● The basic principle is to keep the good people in and bad people out

Employees As Resource
● From company point of view employees are
  – Workforce
  – Most important asset
  – Information storages
  – Greatest security risk
● Key employees are critical resources
  – Someone who knows something that no one else does
  – Without the key person some process is impossible
  – Prevent this by distributing information and having backup persons for each task

Employees As a Security Risk
● Unhappy people work poorly, and may leave
  – Treat people well, have fair policies
● Employees leak information, intentionally or not
  – Training: where to talk, what to talk, whom to talk
● Employees stealing company property
  – Happy and motivated people are unlikely to steal
  – Increase risk of getting caught, conduct inventories
● Keep track of what your employees do and how
  – Are there reasons for them to be unhappy?

Hiring people
● Look for the right person for the right task
  – Is qualified and motivated for the job
  – Is not overqualified
  – Fits with the people you already have
● Make sure you know who you hire
  – Do a proper interview, and also one with the team
  – Check the background and references
  – Test the skills of potential applicants
  – Personality tests, what do they tell?

Checking Background
● Do you know anyone who knows the applicant?
● Check that personal information is correct
● Check for criminal record
● If working with money, check credit status
● Driver's license, traffic violations
● Education and diplomas
● Health, medication and treatments
● Don't play spy, don't Google. This sort of information must be obtained through official channels

Training And Paperwork
● Very few are incompetent because they want to be
  – Make sure that NDAs and other paperwork are done
  – Introductory training when a new employee comes
    ● Tasks, policies, security and safety issues
  – Additional training when position changes
● Keep employees' skills fresh with training
  – People feel that their skills and value in the profession are maintained
  – Employees with up-to-date skills are more efficient
  – Well trained employees also reduce security risks

Keeping People
● Now that you have good people, you'll want to keep them that way
  – Even the best and most motivated people can become 'bad' if managed improperly
  – In personnel security the most important things don't actually have much to do with the 'security' part
  – The best way to keep people 'good' is good people management
  – Especially in the IT industry this is very often forgotten; laying off even a few persons hurts company morale and personnel productivity for a long time!

Employee Leaving
● Everyone leaves sooner or later
  – 'Hostile' leaving: leaving for a competitor, laid off
  – 'Benign' leaving: retiring or changing field
● Know what to do when an employee leaves
  – Skills transfer to replacement
  – Gather back keys, laptops, documents, equipment
  – Disable accounts, change passwords
  – Any sensitive processes that need to be modified?
  – Has the employee signed an NDA? Better review it

Building security
● Building security is about making sure that the building is safe for all company assets
  – People
  – Equipment
  – Information
● Building security is mostly about common sense
  – A good floor plan and passive security are much easier and cheaper than the best alarms and guards

Office layout
● Divide office areas into access zones
  – Outside the office: Company entrance, fences
  – Public areas: Reception, public meeting rooms
  – Office area: Outsiders are allowed only when escorted
  – Critical areas: Data centers, network cabinets, finance
● Zone access control controls who gets in
  – No extra control inside the zone
  – All routes from one zone to another must be known
  – There should be extra time/effort needed to get from one zone to another

Office Divided Into Zones
[Diagram: nested zones, from outermost to innermost]
● Outside
● Reception
● Offices
● Server room; Critical research areas; CEO, Finance offices

Doors
● What is the purpose of a door
  – Access prevention
  – Noise dampening
  – Fire door
● Is the door good enough?
  – Door strength
  – Lock strength
  – Hinges
  – Fire isolation (how long the door holds a fire)

Walls And Windows
● Windows, an easy access for a burglar, or maybe not
  – Can windows be broken so that it won't be noticed?
  – First and second floor windows should be laminated
● Walls
  – What time and equipment is needed to cut through
  – What is on the other side of the wall?
● Check the area outside the office
  – Keep the yard clean and don't give tools to attackers
  – If possible try to prevent anyone using vehicles in attacking the building, use decorations that are heavy

Access control
● Let the good people in, keep the bad people out
  – Access control allows more accurate control than keys
  – Employees need to accept the control, DON'T ABUSE IT
● Access control works at the zone borders
  – Doesn't care what people do in the zones
  – Who has been in the zone at any given time
● Access control needs to be done properly
  – Easy to use; suspicion on anyone who can't open the door
  – The control logs need to be stored securely
  – Reliable; if the system keeps failing people will ignore it

Alarms
● Alarms activate in exceptional situations
  – Window broken, door forced, movement at night, fire, gas
  – Located at the zone borders and inside zones
● Each threat needs the correct alarm sensor
  – Motion detectors, pressure sensors
  – Physical open/break sensors
  – Fire alarms, gas detectors, moisture sensors
● Alarms are useless by themselves
  – When an alarm goes off, there must be a reaction
  – Audible alarms at outer zones, and silent inside

Monitoring
● Know what's going on, use cameras
  – Recording cameras help investigate what happened
  – Actively monitored cameras detect intrusions and guide guards
● Make sure that cameras are of some use
  – Keep the area well lit and situate cameras well
  – Secure or offsite storage for video data
  – Put up signs that the area is monitored; cameras are a good deterrent
● Know what you are allowed to record and where
  – Personal privacy laws are very strong in Finland

Guards, Guards
● There are many types of guards
  – Guard that visits the site when making rounds
  – Guard that is located at the site
  – Guard that is alerted when an alarm goes off
● Different types have different reaction times
  – Guard from a remote location needs transit time
  – Local guard can respond more quickly, but is expensive
● Optimize the value of property against the expense of protection

Fire
● If possible prevent fires
  – Find out possible ignition sources, make them safe
  – Neatness counts, all extra material must be removed
● If fire breaks out, the building should contain it
  – The office needs to be divided into fire zones
  – Zone should isolate the fire as well as possible
  – Fire doors closed, no extra holes in the walls, fire breaks
● But remember, the purpose is only to buy time
  – To get people into safety
  – For the fire brigade to arrive to put the fire out

FIRE, Get The People Out!
● If fire breaks out make sure that people get out
  – Doors in the escape route must have an emergency opener
  – Make sure that escape routes are not blocked
  – There must be at least two routes from each zone
  – Fire escape routes must be well marked
    ● The routes should be instinctive
● People must be trained how to get out
  – Make sure evacuation responsibilities are assigned
  – Also have people responsible for first aid, guiding the fire brigade and other emergency tasks

Extinguishing Fire
● For small fires, fire blankets and hand extinguishers
  – When people reach for the extinguisher they don't check the type. So place the correct extinguishers at the correct places
● Make sure that fire extinguishers are of the proper type
  – Water sprinklers are good for general use, but wreak havoc on paper and electronics
  – For electronics there are specialized gas extinguishers, but many of them replace air. So people must be able to leave if they activate
  – There are also extinguishers that can be placed inside machinery and devices

Heat, Water And Air
● Is the air conditioning sufficient?
  – If it's too hot or there's not enough air people cannot concentrate
● Are server rooms and other areas properly cooled?
  – Too hot will cause servers to crash
● Find out where pipes go and where water goes when pipes break
  – More than one server room has been destroyed because there were water pipes in its ceiling
  – It's a good idea to situate critical systems away from any piping

Physical data security
● Backups, backups, backups
  – How do you store local backups?
    ● How long do they survive fire or water?
    ● Who has access to them?
  – Having off-site backups is a very good idea
    ● More than one small company has gone bust because the thief also took the backups
● Who has physical access to servers?
  – If the server cannot be cracked there's always the server hard-drive...

Document handling
● Document life cycle: Create, use, destroy
  – When a document is created it should be classified
    ● Public
    ● Restricted
    ● Customer/contractor/partner confidential
    ● Confidential
  – Documents must be handled according to their level
    ● Care should be taken in storage and handling of high level documents
    ● For consistency only important documents should have a high level. Don't mark everything classified!

Destroying documents
● When a document is not used anymore it must be destroyed
  – All confidential documents must be shredded
  – Document shredding companies should not be trusted with the most critical documents
  – Also disks, hard-drives and other media
  – People must be trained, and shredding should be convenient so that people do it
  – Sometimes have a look at the waste paper bins at the company, there are sometimes rather interesting documents there :)

Storage Of Valuables
● Know what you have that needs protection
  – Backups
  – Critical documents
  – Money and other valuables
● Know what you want to protect it from
  – Protection from fire or from a burglar needs different protection. There's no such thing as just 'safe'
  – Don't just buy something that just looks secure
  – A fireproof safe may look big and impressive but will open in less than a minute with a crowbar

Selecting A Correct Safe
● Paper and data storage needs a rated fireproof safe
  – P rating indicates how long paper will survive. E.g. P-60 means paper will survive 60 minutes in a fire of 1000 °C
  – DIS rating will indicate how long diskettes and other material will survive
  – Select either a fireproof safe or a data box in a normal safe
● EN 1143-1 rating tells the safe's armor rating
  – E I is recommended for a maximum of 10 000 EUR of content value
  – E II is recommended for a maximum of 30 000 EUR of value
  – E III is recommended for a maximum of 60 000 EUR of value
  – E IV is recommended for a maximum of 120 000 EUR of value

Installing And Using The Safe
● Choose a good location
  – Place into a protected zone that has alarm/monitoring
  – Remember the safe only buys time, don't give too much
  – Bolt the safe down, so it can't be removed easily
  – Don't put the safe into the cellar; if fire comes the cellar will flood with extinguishing water
● Don't leave the keys for the burglar
  – If the safe has a key, store it in a separate location
  – If the safe uses a code, either don't record the code, or store it in a safe place (bank vault)

What you cannot prevent, insure
● Sometimes, shit happens, so make sure you have insurance
● But even with the best insurance the accident costs more than the insurance company pays
  – Equipment
  – Time
  – Production
  – Missed sales and opportunities

Risk Management
● Risk Management is the process of understanding what risks the company has
  – Risk = Probability of threat * Damage
  – Risk Management is
    ● Finding out what threats there are
    ● Estimating the probability of a threat realizing
    ● Estimating the damage caused by a threat
    ● Analyzing the risks that were deduced from the gathered information

Finding Out Risks
● Identify risk areas
  – Know what the company does and how
● Do vulnerability analysis for each business area
  – Think what can go wrong and how
  – Analyze past history, brainstorm, play what-if
● Estimate the damage caused by the vulnerabilities you found
● Make a risk matrix
  – Calculate each risk, and see which have high scores

Tools For Vulnerability Analysis
● Questionnaire method
  – Set of questions, from which the result can be derived
  – Level of success depends very much on the questions
● Fault tree analysis (FTA)
  – A tree where the threat or result is at the top and causes at the branches
    ● What needs to fail for the event to happen
● Event tree analysis (ETA)
  – Starts from a single failure, maps what else needs to fail and combines probabilities for event chains

Fault Tree Analysis
[Diagram; gate placement reconstructed from the slide's labels]
Server hacked
  OR
  ├─ Password leaked
  ├─ Password guessed
  └─ AND
      ├─ Unpatched vulnerability
      └─ Open in firewall

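An added example, not part of the original slides, that evaluates the fault tree above from leaf probabilities and then applies the Risk = Probability of threat * Damage scoring from the risk management slides to rank risks as a risk matrix would. It reads the diagram as an OR gate over "Password leaked", "Password guessed" and an AND gate of "Unpatched vulnerability" and "Open in firewall"; every probability and damage figure is a constructed sample value.

```python
"""Fault tree evaluation and risk scoring (added example, not from the slides).

Evaluates the deck's "Server hacked" fault tree with assumed leaf probabilities,
lists its minimal cut sets, and ranks risks by Risk = Probability * Damage.
All probabilities and EUR figures below are constructed sample values.
"""
from dataclasses import dataclass
from itertools import product
from typing import List, Tuple, Union


@dataclass(frozen=True)
class Event:
    """Basic event at a leaf of the tree, assumed independent of the others."""
    name: str
    probability: float


@dataclass(frozen=True)
class Gate:
    """AND/OR gate; 'inputs' holds Events or nested Gates."""
    kind: str
    name: str
    inputs: tuple


Node = Union[Event, Gate]


def probability(node: Node) -> float:
    """Probability that the node's event occurs, assuming independent inputs."""
    if isinstance(node, Event):
        return node.probability
    ps = [probability(child) for child in node.inputs]
    if node.kind == "AND":          # every input must occur
        result = 1.0
        for p in ps:
            result *= p
        return result
    if node.kind == "OR":           # any input suffices: 1 - P(none occurs)
        none = 1.0
        for p in ps:
            none *= 1.0 - p
        return 1.0 - none
    raise ValueError(f"unknown gate kind {node.kind!r}")


def minimal_cut_sets(node: Node) -> List[frozenset]:
    """Smallest sets of basic events that together cause the top event."""
    if isinstance(node, Event):
        return [frozenset([node.name])]
    child_sets = [minimal_cut_sets(child) for child in node.inputs]
    if node.kind == "OR":           # any child's cut set is a cut set
        candidates = [s for sets in child_sets for s in sets]
    else:                           # AND: one cut set from each child, unioned
        candidates = [frozenset().union(*combo) for combo in product(*child_sets)]
    unique = set(candidates)
    minimal = [s for s in unique if not any(other < s for other in unique)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def server_hacked_tree() -> Gate:
    """The deck's fault tree; leaf probabilities are constructed for this example."""
    return Gate("OR", "Server hacked", (
        Event("Password leaked", 0.05),
        Event("Password guessed", 0.02),
        Gate("AND", "Exploitable from outside", (
            Event("Unpatched vulnerability", 0.30),
            Event("Open in firewall", 0.50),
        )),
    ))


def risk_score(threat_probability: float, damage_eur: float) -> float:
    """Risk = Probability of threat * Damage, i.e. expected loss in EUR."""
    return threat_probability * damage_eur


def ranked_risks(risks: List[Tuple[str, float, float]]) -> List[Tuple[str, float]]:
    """Risk matrix step: score each (name, probability, damage), highest first."""
    scored = [(name, risk_score(p, damage)) for name, p, damage in risks]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def example_risk_table() -> List[Tuple[str, float]]:
    """Constructed yearly figures for a small office, including the tree's top event."""
    p_hacked = probability(server_hacked_tree())
    return ranked_risks([
        ("Server hacked", p_hacked, 50_000.0),
        ("Fire", 0.01, 500_000.0),
        ("Employee theft", 0.20, 5_000.0),
        ("Water damage to server room", 0.03, 80_000.0),
    ])


if __name__ == "__main__":
    tree = server_hacked_tree()
    print(f"P({tree.name}) = {probability(tree):.4f}")
    for cut in minimal_cut_sets(tree):
        print("cut set:", sorted(cut))
    for name, score in example_risk_table():
        print(f"{name:30s} {score:10.1f} EUR/year")
```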
Process Of Risk Management
● For each risk found decide how to manage it
  – Ignore it
    ● Preventing is more expensive than the damages
  – Reduce the probability of the threat
    ● Better process control, security measures
  – Limit the damage
    ● Minimize the loss caused when the risk realizes
  – Have a recovery process
    ● Minimize the downtime and loss of production

Conclusion
● I'm not an expert on this and neither are you
  – Get an expert to check the building, fire and other safety
● There are many laws that govern this field
  – But don't think that doing things at the level required by law is enough
  – The laws are there to protect others from your company
  – Laws don't protect you from yourself (at least not much)

References
● Security Basics
  – http://www.csoonline.com/article/486621/security-basics
● The business of resilience
  – http://www.demos.co.uk/files/thebusinessofresilience.pdf
● Laki turvallisuusselvityksistä (Act on Security Clearances)
  – http://www.finlex.fi/fi/laki/ajantasa/2002/20020177
● PK-yrityksen riskienhallinta (Risk management for SMEs)
  – http://www.pk-rh.com/
● Suomen Pelastusalan Keskusjärjestö (Finnish National Rescue Association)
  – http://www.spek.fi
