Physical security governance guidelines

Thursday, October 31, 2019

At the core of the Physical Security Governance conversation is the ability or inability of organizations to collaborate and communicate between silos such as operations, human resources, finance, etc. Best practices, policies and procedures are often thwarted by ineffective collaboration and management within the enterprise. I have found that although the desire is clearly explicit, the action is far from perfect.

Building physical security governance through proper policies and procedures cannot function under a dysfunctional corporate environment. Therefore, part of best practices is to bring together leaders from the C-suite and management to ensure that there is a willingness to build a security program that connects IT, OT, and physical security as well as every aspect of the corporate tapestry. This will pave the way to the best use of technology and human assets to improve and strengthen a healthy security environment.
In turn, the information received from technology and human assets will corroborate and identify strengths and weaknesses, creating metrics that build proper policies, procedures and governance.

Finally, this shift for an organization will clearly define and maintain a culture of awareness and transparency, which will build a sense of trust and safety that all employees expect.

Physical Security Governance explained:
Successful Security Governance relies on the integration of the human, technological and documented policy components of physical security. These three pillars, People, Technology and Processes, must work in harmony to effectively reduce risk across the organization:
•    People: The individuals who make up your security force. All personnel must have a thorough understanding of their roles, responsibilities and responses. In today’s world, this extends beyond guard forces to civilians.
•    Technology: The electronic means through which an organization monitors and protects against potential threats. Leveraging technology facilitates swift identification of suspicious behavior, allowing for a quick response. Cameras and other visible security measures can also serve as a deterrent to would-be offenders. The need to fulfill prevention strategies is crucial when discovering the application of technology.
•    Processes: Internal practices and policies have a direct impact on organizational security. As such, documentation needs to be continually reviewed, tested and updated in accordance with industry best practices in order to ensure the most effective security posture.

Once in place, a properly implemented security governance program will ensure that all three pillars are properly established and monitored so that any necessary response can occur quickly and effectively. The visibility of the governance program and procedures can quickly become deterrents in and of themselves, ensuring a secure environment while maintaining a culture of accessibility. Culture plays a large role in determining what processes and governance will finally be expected and this must be absolutely vetted and understood. The balance between an open culture and one that understands prevention measures to deter threats and vulnerabilities may be a chasm that cannot be crossed.

The Governance Process explained:
•    The assessment begins at the highest level. Organizational policies are reviewed and scrutinized. Key personnel are interviewed to verify practices and procedures in place.
•    The process continues at each branch or sub-site within the scope of the target organization. Shortcomings in policy application and technological provisioning are noted at each location.
•    Often, Physical Security Assessments or Penetration Tests are conducted to validate the effectiveness of human and technological controls.
•    At the conclusion of the engagement, the assessor will make both tactical and strategic recommendations with the dual goals of remediating any critical flaws and fostering an increasingly mature Security Governance Program.

While this is a model that many try to follow, the issue is that they focus on one domain. Without a converged assessment revolving around Governance, it usually falls short of expectations. This is one piece of the puzzle but one of the foundational elements in the understanding of true liability in the IT, OT and Physical Security environment.

Pierre Bourgeix is president of ESICONVERGENT, a consulting firm.