In 1990 when I was an internal auditor I was tasked with determining the overall information security posture of my company. One of the things that I decided would be a good thing to do was to go to the offices Saturday and Sunday evening when there would be the fewest personnel around. I wanted to look at their work areas to see what type of information security risks I could find that were a result of the work habits of the personnel.
A computer security investigation for the human realm!
Oh, boy; it was an eye-opening experience! Plus a huge task considering I had around 5 different buildings occupied by around 10,000 people that I reviewed, seemingly nonstop, Saturday and Sunday from the early evenings into the wee early hours of the mornings with the help of just a couple of other auditors.
Needless to say I didn’t get to all the areas; I focused on what I determined would be the most high-risk areas first. However, I still found so many vulnerabilities that it filled pages. It became a significant basis for what would become the organization’s first set of information security policies, which I wrote as a result of the audit. But that is another story.
Over the years I have refined the process quite a bit. It is now much more streamlined and targeted based upon first doing an assessment of the areas that present the greatest risk to systems and information.
Doing these after-hours walkthroughs allows organizations to get out where their personnel work and see what kinds of risks exist to information when no one is around. Look at all the privacy breaches that occur because of personnel not following policies, or making mistakes in their work areas! These are highly vulnerable areas for information security incidents and privacy breaches.
After-hours walkthroughs can usually be done during the work-week within specific business areas in around two to four hours by a team of reviewers. Partnering with the physical security department and having them come along increases the time investment value and security value greatly by not only having physical security risks identified at the same time, but also giving the information security folks a chance to raise information security awareness for the physical security folks and vice versa.
Some people, actually more than one information security officer and privacy officer, have said to me over the years, “But the risks are so little at night! No one is around, with the exception of the security guards, cleaning staff, maintenance workers and employees who may be working late.” Yes, these folks very well COULD be in the area. I have seen many instances of security guards doing bad things with the information they have found, along with the cleaning staff, maintenance workers and employees. So when you think about it, this is a very large number of people, isn’t it?
For the September 2007 issue of the CSI Alert I wrote about this topic in “CSI: Humanity.”
Within the article I discuss the 18 most common vulnerabilities I have found while doing these reviews over the years, along with 5 compelling reasons to do the walkthroughs.
If you read it, please let me know what you think! I would be particularly interested in hearing if you have additional vulnerabilities to add to my list of the top 18.
Tags: awareness and training, Information Security, IT compliance, policies and procedures, privacy, risk management