Risk (part 8.1) Enterprise Policy and Directives

Video Activity

This unit discusses enterprise security assessments. Security assessments can be used in a wide range of environments to satisfy a wide range of needs. When assessing security, start with policy and look at the directives coming from senior management within a company. Then, see if the goals of policy can be accomplished.


Video Transcription
Okay, so what would one of these enterprise security assessments look like? What are the things we're going to discuss? Well, what we're doing is we're figuring out, you know, we could use this for a gap analysis. Perhaps we know where we want to be. We want to examine where we are and figure out how to close that gap. It might be something that we do as part of continuous reassessment of our network environment. It might be that we've implemented new security solutions and we want to figure out how they're coming together. So ultimately we can use these security assessments in a wide range of environments to satisfy a wide range of needs. That might be a better way to say it.

So where do we start? We always start with policy. What does our policy say? What are the objectives of our policy? What are we trying to accomplish? What does our policy look like? How's it framed? What are the procedures and the guidelines? Basically, these are the directives from senior management. So we want to make sure that we understand policy, that we understand the purpose of policy, the directives of policy. And then what we want to do is take a look around and see if the controls that we have in place are going to help us accomplish the goals of policy.

Start with a physical security assessment. You know, physical security really is your first line of defense against the bad guys, so to speak. And I realize that not everybody has to be on your physical premises to create an attack or to launch an attack, but our physical security is an important first step. So, you know, are the physical security elements of our organization complete and comprehensive? Or, if I put all my security controls at the front entryway and then if you drive around back I've got a loading dock whose door's always open, you know? Is it comprehensive and complete? Don't forget also that, as important as the physical security of our assets is, we want to make sure that our physical controls will always be designed first and foremost to protect human life. Is our facility well lit? Do we have unobstructed evacuation routes? You know, these are important considerations. Do we have mechanisms in place that would help people evacuate the building in the event of a fire or a flood? Do we keep our people safe? Lights outside, fences around the perimeter to keep intruders out. Not just keeping intruders out because they can steal our stuff, but also because they can pose a threat to the well-being of our employees. Look at your physical security requirements and see if those needs are being met.

Do we allow swipe card access to our building? Do we require that? If so, are people allowing other folks in on their card swipes? We call that piggybacking, and I have to tell you, if there is any security violation I see almost every single place I go, it's piggybacking, almost always. And honestly, I can think of a handful of times I've seen someone turn around and not let a stranger in behind them. And in those handful of times that I've seen it, it wasn't necessarily even handled particularly well. So there's someone who's trying to follow me in on my card swipe. You know what I've seen people turn around and do and say? "I can't let you in. I'm sorry, you have to have a badge to get in here." And at first, and don't get me wrong, that's certainly better than nothing. But what have I just done? I have essentially said, "Listen, you stand here. I'm not gonna let you in. Give it five minutes, somebody else will." And I can just about assure you, when you leave somebody out there that was attempting to get in your building, they won't have to wait more than five minutes. Somebody will let them in.

What should we have done instead? "Oh, I see you don't have your badge with you. Let me walk you down to security and they'll make sure that you have access to exactly where you need to go. I don't want you to be stuck here all day trying to get in. Come on with me." What I've really said is, "Hey, I don't know you. You're trying to get into my building. That earns you a free trip to security." But I've said it politely and in such a way that I'm being helpful, right? I'm not offending anybody. We've got to train our people not just "don't let people in on your card swipe," but what to do in case somebody tries.

Most people aren't comfortable turning around, grabbing the door, and closing it in somebody's face. They shouldn't have to be. That's not an appropriate response anyway. Immediately, when somebody's trying to access your building without proper credentials, take them to security. That's security's problem now. Do it in a friendly, helpful manner. But ultimately, if that was an attacker, they're not gonna be able to just stay out there and try and try and try again. You take this person to security, and if that's the third time they've been brought to security that week, I can guarantee you that gets escalated. But if we just let that person stay out there and keep trying, somebody will let them in.

So when we're assessing the physical controls of our building, not only are we assessing that we have the controls in place, but that people are using them well, as they were intended to be used. Swipe card access does nothing for a business if your employees are going to allow other folks to piggyback behind them. Okay, so we look at the physical security assessments.

Environmental security also comes under this category. Things as basic as temperature and humidity. Remember the three tenets of security: confidentiality, integrity, and availability. You show me an 85 degree server room, you will have a problem with availability. So we want to do those types of assessments as well. Look at our environmental controls and see how they're working out.

All right. So once we're satisfied that the physical security of the building is sufficient, and again it's driven by cost-benefit analysis, we'll move forward and talk about some of the more technical elements on the inside.
In our online CompTIA CASP training, you will learn how to integrate advanced authentication, how to manage risk in the enterprise, how to conduct vulnerability assessments and how to analyze network security concepts and components.