An Introduction To
Information, Network and Internet Security


Commentary

Physical security is a familiar area with its attendant locks and passes and uniformed guards. Most organisations will have placed much of this responsibility in the hands of professional security officers who are practised at monitoring the physical and often therefore visible security measures. Information security is usually far less visible and often relies on technology, which is outside the experience of the physical security experts.

With the policy, the organisation and the training in place, this Clause reviews the overlap between the familiar, visible physical security and the far less visible security of information. This standard assumes that much of an organisation's information will rest within its computer systems. Information security management is therefore heavily dependent on the safe keeping of the processing systems hosting that information.

In the days of mainframe machines that weighed tons and were connected to chilled water and complex three-phase power supplies, the theft of whole computers was almost inconceivable, and yet card locks and halon gas protected almost every computer hall. Today critical corporate information is often on computers on desks in open-plan office environments, and organisations rarely bother to lock anything away when staff leave the office.

Technology seems to work against security professionals in that the trends are towards ever more portable versions of machines that allow both the information and the means to process it to be carried easily between home and office with no loss of working capacity. The theft of portable laptop machines is on the increase. They can be replaced but the information on them is too often the only copy.

Imagine losing your laptop at the train station in the morning, especially when you worked until midnight to finish that critical report, or even having your PC stolen from a restaurant or bar when it contains valuable and sensitive organisational information.

The significance of this Clause is that it raises the profile of computing assets to a more appropriate level on the corporate physical security agenda. Individual PCs might only be worth a modest amount when they are new, and even less after depreciation on the asset register, but they often contain your vital information up to the very end of their useful life. Indeed, many PCs leave the organisation on retirement to the scrap heap with hard disks full of corporate spreadsheets and letters to the Chairman!



The Security Practitioner

An Introduction to Information Security