Tuesday, 12 April 2016

Importance of Physical and Environmental Security in a Software Outsourcing company in India

As computing has advanced it has become both more competitive and more exposed to malicious attacks, so software outsourcing companies in India should treat IT security as a high priority on their agenda. The adoption of technologies such as cloud computing, MANs, WANs and above all the Internet widens the attack surface available to unauthorized users. One aspect that has come to the fore among all this is the “Physical and Environmental Security” of an organization. It is the first line of defense against the exploitation of computer systems, and a failure there can cost a company a hefty amount of money, time and resources.

Breaching the physical security ring of a software outsourcing company requires minimal technical knowledge on the part of the intruder, and even an accident can have the same effect. For example, a worker vacuuming the floor of a server room snags the server’s power cord, pulls it out of the wall and shuts the server down. This may be an accident, but a hard shutdown can corrupt data or damage hardware if proper measures (a UPS, secured cabling and restricted access to the room) are not in place. Just as there are rings of security in Information Technology, there are rings of physical security:

• Ring-1 : The perimeter of the business premises
• Ring-2 : The immediate area around the business building
• Ring-3 : The interior of the business building
• Ring-4 : The human factor

Each ring is of the utmost importance and needs to be researched, addressed and implemented when designing an Information Security model.

The first step for an outsourcing company should be to physically secure its computer hardware; without that, every other security measure can be bypassed by anyone who can walk up to the machine. Any amount of money spent on the latest IT technologies for company servers is wasted if the servers themselves are not physically secured. A robust physical security model is therefore critical for every business in ensuring the integrity and availability of its systems.

A physical security model must also consider environmental threats and implement controls that ensure environmental security. According to one survey, more than 70% of risk managers agree that environmental hazards are the greatest threat to a company’s earnings (Source: “Tech Talk: Prepared for Disaster”). Environmental protection matters because hazards such as fire, flooding and power failure directly threaten the availability and continuity of systems. To counter these threats, a software outsourcing company in India needs a contingency plan that includes:

• Server backup and recovery
• Data backup and recovery
• Network backup and recovery
• Employee backup (cross-trained staff who can cover critical roles)

There is no cookie-cutter physical security model. Each model has to be designed to fit the needs of the individual company or business, which must implement what it can afford and what makes sense for its environment. What is feasible and practical for a company of two hundred employees will most likely not suit a company of two thousand, but the concept of ‘robust physical security’ is the same for both.

Relevance to the ISO Standard:

A software outsourcing company in India seeking ISO 27001 certification needs to implement the physical and environmental controls relevant to its organization, in line with the standard. ISO 27001 is a specification for an Information Security Management System (ISMS): a framework for all the policies and procedures defined in an organization’s information risk management process. It covers areas such as operations security, communications security and human resource security, and “Physical and Environmental Security” is the control domain most directly concerned with an organization’s premises and equipment; it is defined in Annex A.11 of the ISO 27001:2013 standard.

As per the standard, Physical and Environmental Security covers:
1. Secure areas (A.11.1)
2. Equipment (A.11.2)

The objective of the first is to prevent unauthorized physical access to, and damage and interference with, the organization’s premises and information; the objective of the second is to prevent loss, damage, theft or compromise of assets and interruption to the organization’s operations.

All these measures give an outsourcing company an advantage over its competitors, offering benefits such as:

• Assurance to customers and stakeholders that the data held in its systems is protected
• Credibility and trust
• Cost savings, since a lower chance of a breach means a lower chance of financial losses
• Compliance with applicable laws and regulations

In conclusion, the convergence of IT and physical security offers software outsourcing companies great opportunities, but it also increases the requirements and responsibilities of those who must understand and manage this integration.

Courtesy - Bhavesh Bulchandani

