Physical Security Governance
Successful Security Governance relies on the integration of the human, technological and documented policy components of physical security. These three pillars: People, Technology, and Processes must work in harmony to effectively reduce risk across the organization.
○ People: The individuals who make up your security force. All personnel must have a thorough understanding of their roles, responsibilities and responses. In today's world, this extends beyond guard forces to civilians.
○ Technology: The electronic means through which an organization monitors and protects against potential threats. Leveraging technology facilitates swift identification of suspicious behavior, allowing for a quick response. Cameras and other visible security measures can also serve as a deterrent to would-be offenders. The technology goal is to fulfill actual prevention strategies, which are crucial when designing an effective physical security kill-chain.
○ Processes: Internal practices and policies have a direct impact on organizational security. As such, documentation needs to be continually reviewed, tested, and updated in accordance with industry best practices in order to ensure the most effective security posture. Once in place, a properly implemented security governance program will ensure that all three pillars are properly established and monitored so that any necessary response can occur quickly and effectively. The visibility of the governance program and procedures can quickly become deterrents in and of themselves, ensuring a secure environment while maintaining a culture of accessibility. Culture plays a large role in determining what processes and governance will finally be expected and this must be absolutely vetted and understood. The balance between an open culture and one that understands prevention measures to deter threats and vulnerabilities may be a chasm that cannot be crossed.
Building physical security governance thru proper policies and procedures cannot function under a dysfunctional corporate environment. Therefore, part of best practices is to bring together leaders from the C suite and management to ensure that there is a willingness to build a security program that connects IT, OT, and Physical security as well as every aspect of the corporate tapestry. This will pave the way to best use of technology and human assets to improve and strengthen a healthy security environment. Respectively, the use of the information received by technology and human assets will corroborate and identify strengths and weaknesses creating metrics which build proper policies, procedures, and governance. Finally, this shift for an organization will clearly define and maintain a culture of awareness and transparency which will build a sense of trust and safety that all employees expect.
The Governance Process
The Assessment begins at the highest level. Organizational polices are reviewed and scrutinized. Key personnel are interviewed to verify practices and procedures in place.
○ The process continues at each branch of sub-site within the scope of the target organization. Shortcomings in policy application and technological provisioning are noted at each location.
○ Often, Physical Security Assessments or Penetration Tests are conducted to validate the effectiveness of Human and Technological controls.
○ At the conclusion of the engagement, the assessor will make both tactical and strategic recommendations with the dual goals of remediating any critical flaws and fostering an increasingly mature Security Governance Program.
While this is a model that many try to follow the issue is that they focus on one domain. Without a converged assessment revolving around Governance it usually falls short of expectations. This is one piece of the puzzle but one of the foundational elements in the understanding of true liability in the IT, OT, and Physical Security environment.