Data Breach, Education, HIPAA / HITECH Enforcement, Tip of the Week

Physical Security – First Line of Defense, First Point of Failure

When an organization is developing or maintaining their information security program they often cruise through the physical security portion.  It is fairly straight-forward to have locks, cameras, and guards.  However, the simple requirements can often be deceivingly complex in their implementation in each organization.

One specific common point of failure is the security personnel and front desk staff.  Many times an organization will contract externally for security staff, and while this can be beneficial in multiple ways from an administrative standpoint, there are considerations that must be made for it to truly be a success.  Vendor staff receives training through education and training on general security tasks, but may not receive training on the importance of information security.   The vendor resources are meant to be transportable, or able to fill roles in various industries.  Therefore an organization outsourcing for security resources must be prepared to train for industry and company specific best practices and requirements.  It must be ensured that the personnel are performing as expected to evaluate the effectiveness of training and focus of the staff.  Contracting for social engineering testing is an effective way to test the penetrability of an organization’s physical defenses.  Will your staff know the boundary of a visitor taking camera phone pictures near a sensitive environment?  

Information security is everyone’s responsibility.  It is crucial each individual understands and follows through with their part to ensure an organization’s information, their most valuable asset, is protected.  Physical security modifications are often brought about in response to an incident.  When it is approached holistically and proactively, as are other compliance standards, there is more assurance and reliability in the program as a whole thereby reducing the risk of compromise, loss of compliance status, and loss of reputation.

A security program is not meant to be stand-alone components – it is meant to be an organized program where each process is intertwined and lends strength to the other pieces.  Physical security is a first line of defense, and training staff appropriately will strengthen that defense when designed to relay content efficiently and demonstrably.

For assistance in evaluating and improving your physical security program, including social engineering penetration testing, please contact RISC Management and Consulting at: Sales@RISCsecurity.com, 800.648.4358

References:

Security Rule Standards – 164.308 & 164.310

http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/adminsimpregtext.pdf

http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html

 

Advertisements

1 thought on “Physical Security – First Line of Defense, First Point of Failure”

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s