Over the past few months, I've read at least four news reports about various world government agencies that have either lost computer hardware and data or inappropriately provided access to sensitive data. In April, a laptop with classified code-word information was reported missing from an allegedly secure conference room at the US State Department. The laptop had been missing since February. According to reports, the theft resulted not from poor security procedures but from department employees' failure to follow existing procedures. The State Department said 15 additional laptops with unclassified information are missing too.
In late May, Australia reported a similar incident in which five of its Parliament laptops were stolen from private, allegedly secure areas of Parliament House. Then, we learned that former CIA Director John Deutch took classified information home without permission and left it accessible in his house.
This week, we're hearing reports that hard disks are missing from Los Alamos Laboratory vaults—drives that contain US and Russian nuclear secrets. Some military experts say our national arsenal has subsequently been completely compromised.
At first, I didn't want to believe these events actually happened. After all, they took place in highly secured facilities. But the events are real indeed, and they're probably just the tip of the iceberg when it comes to less-than-acceptable physical security in government facilities.
Risk management is only as effective as its weakest link. After all, what good are high-tech biometric security systems, VPNs, data encryption techniques, and other forms of defense if physical access management is inadequate? What about your facilities? Are they as secure as you'd like them to be?
As with layered network defenses, you must protect physical premise access with a layered strategy. Just as you might divide up pieces of a master password among several people so no one person has the entire password, you might also consider dividing up authority and accountability with regard to physical security. Involving several people in a procedure helps build accountability along the way. Intruders are less likely to attempt mischievous endeavors when several checks and balances are involved in the process of entering and leaving a premise. Until next time, have a great week.
