The key to keeping the people, property, and information inside your building safe and secure is to have proper security and surveillance plans in place. But how do you keep safe the information and data that is electronically flowing in and out of your building? Keeping your network secure is just as important as keeping the building secure – and protecting the network is not only up to the IT department, but also up to you as a facility manager.
Intersecting with IT
"The line between facility and IT is blurring," explains Bill McGee, product manager at Cisco. "Things like physical access, HVAC, and elevators are coming online. Just like with network security, physical security needs to focus on two critical design elements: increased visibility and granular control."
This is where the duties of the IT department and facilities department intersect. "Facilities managers need to coordinate with IT as business functions become IP-enabled," he says. "Being able to turn on the lights or the security system remotely via the network may seem cool, but if these things aren’t properly secured it can be a real problem. You don’t want a hacker to be able to strand people on an elevator, you don’t want someone to open access to a secured door, and you don’t want a hacker to spoof themselves as an IP camera in order to gain access to the network." With these facility system components on the line, facilities departments should have a vested interest in network security.
IT departments are responsible for keeping secure the information flowing through the network – they set firewalls and remote access, among other duties. Facilities departments are responsible for protecting the physical components of the network – such as the servers, wiring closets, and data centers. "From a physical point of view, the facility manager doesn’t have an obligation to protect the data on the wires – that’s the duty of the IT staff. But the facility manager has to make sure that someone doesn’t get access to equipment or wires that he or she shouldn’t have access to," explains Marty Linder, principal engineer with Carnegie Mellon’s Software Engineering Institute CERT program
Even taking steps during routine building inspections can ensure that the network remains secure. Look for unsecured equipment, visible posting of passwords, and check stored media, wiring closets, and data centers.
"Physical access to critical systems, like wiring closets, phone systems, or data centers, needs to be secured and monitored," explains McGee. "Physical barriers need to be implemented and routinely inspected. Emergency equipment, such as appropriate fire extinguishers for electrical equipment, emergency lighting, and alarms, needs to be distributed and maintained based on policy. Additionally, facilities teams need to request the ability to stream CCTV video to a handheld device or have remote access to security tools for 24/7 security review and enforcement."
Collaborating After a Compromise
Even when both departments are fulfilling their respective duties, the network can be infiltrated and compromised. In this case, like protecting the network, it is up to both IT departments and facilities departments to fix the problem. "For a remote attack, the facilities manager, in a penultimate act of defense, needs to be able to physically disconnect Internet access to the building," explains McGee. "For some attacks, law enforcement will require that the network be locked down and quarantined so that the affected and collateral devices can be inspected. The facilities manager will need to be able to secure physical access to computers and other network devices as required by investigators. Physical access to these devices will need to be limited to authorized personnel, so the facilities manager will need to coordinate with IT and investigators to enable access to appropriate individuals and not to others."
Not all attacks are remote, though. Network security breaches can also happen from the inside – whether an employee initiates the attack or the building is broken into. "For a local break-in or an insider attack, the facility manager needs to be able to lock down a building or campus segment and enforce some sort of personnel verification and inspection in the event of certain types of issues – such as missing hardware or stored data, McGee says. "They need to be able to override network-controlled physical access and they need to be able to review physical access records – like video capture and access logs."