The Alliance for Enterprise Security Risk Management (AESRM) has released a report titled “Convergent Security Risks in Physical Security Systems and IT Infrastructures” that maintains the line between physical and cyber threats is blurring to the point of near nonexistence.
Therefore, the organization — which includes ASIS International, Information Systems Audit and Control Association (ISACA) and the Information Systems Security Association (ISSA) — recommends professionals in these two spheres blend their operations and strategies where possible to minimize and manage risks.
“The Alliance for Enterprise Security and Risk Management is focusing on converging the traditional and cyber security functions in organizations as it relates to risk in the enterprise,” said Ray O’Hara, chair of AESRM and Vance International senior vice president of security consultancy. “As part of that, it’s very clear to the three organizations that represent the alliance that a lot of people who are involved with the risk function in enterprises need to talk to each other.”
The impetus behind this shift has been the transition of traditional assets into virtual assets, O’Hara said.
“In the old days, if you had an access-control card, you could get in at the door where you worked and that was it,” he said. “In some cases now, that access-control card runs across the network and allows access to not only your office in San Jose but also the one in Shanghai. As those devices transition to the corporate network, there needs to be more interface between the organizations as to what the risks are by placing those devices on the network.”
Still, as this conversion takes place, the extant threats to organizations’ physical resources should not be underestimated.
“While it’s important to talk about the information assets, don’t forget that the physical assets are important too, though maybe not as important as they used to be,” O’Hara said. “There used to be big data centers with padlocks and cameras, but now the data center could be sitting on a couple of small servers. Don’t forget to make sure that your access control cannot be penetrated from a physical standpoint, as well.”
O’Hara and the other experts at AESRM recommend companies recognize this convergence and deal with it by aligning their security functions and strategies to it.
“At the end of the day, what jumps out at you from this report is that there needs to be, what we’re referring to as, a risk council. That risk council would be responsible for a lot of different things but primarily getting the groups together that have responsibility for risk in the organization and sitting down at the same table and talking openly about the commonalities they have among themselves.
“The emphasis behind this is that the same network is now carrying data, supporting the traditional security function. What we’re encouraging is that those two functions get together and talk more about the sensitivity of that data, and how it’s being protected. Then there are investigative strategies that should be discussed because IT people have the evidence. In most cases, the activities that occur within organizations occur on a computer. The security people need that evidence to conduct investigations.”
For more information, see http://www.aesrm.org.