Information security comes out of the cold
Information security is a fundamental preoccupation of facility and operations managers, touching on all aspects of building functionality, from lighting and crowd control to smoke detection. STEPHAN OVERBEEK from AISA (Australian Information Security Association) explains the ever-increasing importance of this sector.
As a facility manager, you are responsible for managing buildings, sites, stadiums and other types of venues. Typically you deal with electricity, lighting, water, drainage, cleaning, maintenance, smoke prevention and detection, communications and many other aspects of safety and physical security.
Did you know that many of these aspects are based on a good working information infrastructure? I am talking about your computers, desktops and laptops, computer network, internet connections, storage devices, mobile devices and other communications equipment and technologies.
You base many of your decisions on various types of information: for instance, information about the people present in your venue, about risks and hazards, about air condition, pressure, temperature and humidity, and about the materials and consumables under your management.
Your information needs to be correct and timely, and sometimes you want your information to be accessible only to a selected group of individuals.
I hereby introduce to you a field of expertise you may not yet be intimately aware of. This field of expertise is termed ‘information security’. The purpose of information security is to provide the right information at the right time to the right people.
Information security is a specific type of security, similar to physical security, personal security, personnel security and financial security. In short, fields of security aim to protect anything valuable.
INTEGRATING INFORMATION AND PHYSICAL SECURITY
Data centres form the ultimate valuable object for facility managers from an information security perspective. The purpose of data centres is typically to host computers, networks, storage devices and other systems that process and store information. Facility managers manage data centres, and so it is of relevance to you to take note of this new field of expertise called information security.
Your air-conditioning, smoke detection systems, VESDA (very early smoke detection alarm), fire protection systems, UPSs (uninterrupted power supplies), batteries, generators and many other safety and physical security systems have only one ultimate aim: to protect the computers in the data centre and thus to protect the information stored and processed by those computers.
This is a good example of where information security and physical security are being integrated.
Another example of where physical security and information security meet is in physical security systems: increasingly, these systems capture, store and process information. Think of video cameras capturing digital images, boom gates that open and close based on scheduled information, and many other types of physical security systems that depend on some form of information for their correct operation.
As physical security is important to you as a facility manager, and as physical security increasingly depends on information security, you may need to develop a greater interest in information security.
As such, we would like to invite you to become more intimately aware of information security as a field of expertise, and of information security professionals as people to relate to regarding information security issues.
INFORMATION SECURITY MORE IMPORTANT
As information security and physical security are becoming more integrated, the importance of information security is increasing, as is our associated dependency on a properly working information infrastructure.
In the next budget round, you may want to consider allocating a portion of your budgets to information security systems. Think of securing your computer network with firewalls, and of installing authentication tools, automated intrusion detection/prevention systems and security solutions for your databases, as well as back-up systems.
As a useful rule of thumb, it is worth allocating between five and 10 percent of your ICT budget to information security systems.
INFORMATION SECURITY PROFESSIONALS
Information security professionals are passionate about the purpose of information security (‘right information, right time, right people’). They may work in technical security to make computers protect the information they process; they may work in organisational security to ensure the correct processes are designed, implemented and followed in order to protect information belonging to their organisations. Information security professionals may help you understand the hazards, threats, vulnerabilities and risks for your venue. They may help you determine which risks are acceptable and which need to be addressed.
AISA is the Australian peak body for information security specialists. AISA is a not-for-profit organisation with branches in Sydney, Melbourne, Canberra, Brisbane, Perth and Adelaide. If you or your colleagues are interested in learning more about information security, please check out our website (details below) and feel free to come to our meetings.
Stephan Overbeek is a managing consultant for Shearwater Solutions, where he is responsible for helping Australian customers identify information risks and security threats to their businesses, as well as developing and implementing risk, compliance and security management solutions.
In addition, he is director of special projects for AISA (Australian Information Security Association). Prior to September 2008 he was AISA’s national chair.
He has more than 12 years’ experience in training and consulting in the areas of risk management, compliance management and information security.
This article first appeared in the October-November 09 issue of Facility Management.