Physical security: An IT domain?

Security goes beyond just protecting an enterprise's network and servers. How involved should Australian CIOs be in other aspects of a company's security?

Respondents to last week's IT Manager channel poll thought that Australian IT departments should be involved in the physical, as well as electronic, aspects of the organisation's security.

"At times we tend to ignore physical aspects of security while focusing on the electronic kind," said one respondent. "Firewalling a network wouldn't achieve much if the door to [the] server room is accessible by one and all."

Information security goes beyond just the contents of hard drives to include all information within an organisation, argues information security consultant Daniel Lewkovitz. "Good security is not necessarily about shutting doors and erecting walls, but more to do with controlling who comes in through those doors and who climbs over the wall."

"[Companies] need to perform very strong threat and risk analysis on their own organisation to find out what threats they are faced with and then find out how best to deal with them," he added.

Analysts are also seeing more interest in physical security, with Michael Warrilow, senior analyst in security and risk strategies at META Group, claiming related calls to the organisation had increased.

Warrilow believes that the decision about who is responsible for physical security within an enterprise depends on how the organisation is set up. He said that security teams needed to be involved in helping to assess risk and presenting the options to the business. From an IT perspective, the most common aspect of physical security addressed was access to the data centre, Warrilow said.

Likewise, research director at industry analyst Gartner, Steve Bittinger, said that like any business function, technology can underpin and enable physical security. Bittinger said in more mature organisations there might be a chief security officer (CSO), who might have top-level responsibility to report to the board about physical, as well as IT, security.

A Gartner research note about the role of the chief information security officer found that the success of an information security program has as much to do with process and procedure as with technical solutions.

"Establishing a dedicated staff that is responsible to senior management for policy development, risk assessment and awareness training--as well as management and oversight at the business-unit level--is crucial," the research note stated.

Some enterprises were also looking at combining information security and physical security departments under one roof, it found. This was due to overlapping responsibilities such as investigations and user provisioning as well as a common goal of protecting the assets of the organisation.

"This arrangement takes a strong management team and a lot of communication because the skillsets of each group are very different--preventative versus after-the-fact and physical, respectively," it said.
