It's All About Risk
Mar 1, 2006 12:00 PM, By Sandra Kay Miller
FIREWALLS, intrusion detection/prevention systems, anti-virus and anti-spam/spyware solutions have typically fallen squarely in the realm of information technology.
But some companies are recognizing that information and network security share concerns with the physical security department. They realize that maintaining control over a company's logical assets is as much a security function as guarding its buildings, and that it should be organized and treated as such.
In the last year, Constellation Energy — a Fortune 200 company headquartered in Baltimore with more than 10,000 employees in offices throughout the world — united its IT and physical security departments.
Physical meets logical
Prior to the change, information security analyst Ian Macdonald was the engineering group's team leader responsible for implementing any IT security-related systems such as vulnerability management, intrusion detection, intrusion prevention and anti-virus. “I have now moved into a role that's more focused on making sure IT implements secure solutions,” says Macdonald, a native of Scotland who studied computer science at the University of Edinburgh.
Macdonald explained the reasoning behind moving his group out of IT and into Constellation's risk (physical security) organization: “One of the challenges we were finding was that IT's goal is to deliver systems under budget and on time. Now that we are outside of IT, we can go up the chain of command and raise our risk concerns at a higher level. When we were still in IT there was always a possibility that IT would go ahead and deploy the system and think about security later.”
Moving information security into the risk organization has also helped integrate the physical and logical sides of security, as many of these systems have begun to converge. Currently, Constellation has a security operations center that was originally designed to be the point of contact for all physical security issues, including locks, cameras, doors and interaction with local, state and federal authorities on security concerns. Assimilation of the logical systems into that center is now under way to create a “one-stop shop” for all security issues.
Main security concerns
The two main security concerns Macdonald deals with on a day-to-day basis are data security and desktop security. Because Constellation is a publicly traded company, it must comply with the Sarbanes-Oxley Act, and its ownership of power plants brings additional energy-sector regulatory requirements. “We have nuclear power plants so we have to stay in compliance,” Macdonald says. On the data side, Macdonald's tasks include monitoring access to confidential data, understanding what types of data employees handle, making sure that data is classified according to Constellation's classification standard, and then ensuring the controls appropriate to each classification are in place to protect that information.
Desktop security is a particular concern due to the company's Microsoft environment. “You have to give users a certain amount of control to do things, so one of the major concerns is how to protect our users from organization risks such as surfing to inappropriate Web sites or clicking on a malicious link in an e-mail that infects their machine,” Macdonald says.
To help mitigate these risks, Constellation practices security defense in depth. “We start at the perimeter where we have firewalls, IDS and filters on access to the Internet to protect users from going to malicious Web sites,” Macdonald adds. “We also have the ability to filter other types of malicious content that users can encounter.”
Inside the enterprise perimeter, virus protection is deployed on the e-mail servers as well as on the desktops themselves. “We are always looking at ways to improve security on the desktops,” he adds. Macdonald sees desktop security as a balancing act: a system must not be locked down so tightly that users are hindered from working efficiently. “It's always a challenge,” he says.
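The layered egress controls described above, a URL filter in front of a content filter, are easiest to appreciate when both layers run over the same traffic. The following is an added example written for this page, not Constellation's or Macdonald's tooling: a small Python script that applies a hypothetical domain blocklist and then a hypothetical content filter to constructed proxy log lines, recording which layer stopped each request. The blocklists, the log format and every log line are invented for illustration; the point is that the second layer catches a download (a file served as an executable from a harmless-looking URL) that the first layer has no reason to block.

```python
"""
Layered web-egress filtering over constructed proxy log lines.

Added example for this article; the blocklists, log format and log
lines below are hypothetical and constructed for illustration only.
"""
from urllib.parse import urlsplit

# Hypothetical domain blocklist (layer 1). Subdomains of a listed
# domain are blocked too, but look-alike names such as
# notphish.example.net are not.
BLOCKED_DOMAINS = {"malware.example", "phish.example.net"}

# Hypothetical content filter (layer 2): file types commonly used to
# deliver executables to Windows desktops, matched on the URL path and
# on the Content-Type the server actually returned.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".vbs", ".hta", ".pif"}
BLOCKED_CONTENT_TYPES = {
    "application/x-msdownload",
    "application/x-msdos-program",
    "application/hta",
}

# Constructed proxy log. Fields: time user method url status bytes content-type
SAMPLE_PROXY_LOG = """\
2006-03-01T09:12:01 jsmith GET http://news.example.com/index.html 200 5120 text/html
2006-03-01T09:12:07 jsmith GET http://cdn.phish.example.net/login.htm 200 2048 text/html
2006-03-01T09:13:44 akumar GET http://downloads.example.org/tool.exe 200 655360 application/octet-stream
2006-03-01T09:14:02 akumar GET http://files.example.org/get?id=77 200 90112 application/x-msdownload
2006-03-01T09:15:30 lchen GET http://MALWARE.EXAMPLE/update 302 0 -
2006-03-01T09:16:11 lchen GET http://intranet.example.com/policy.pdf 200 30720 application/pdf
"""


def domain_blocked(host):
    """Layer 1: exact or subdomain match against the domain blocklist."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def content_blocked(url, content_type):
    """Layer 2: dangerous file extension in the path, or an executable
    Content-Type. The served type matters even when the path looks
    harmless, e.g. /get?id=77 returning application/x-msdownload."""
    path = urlsplit(url).path.lower()
    if any(path.endswith(ext) for ext in BLOCKED_EXTENSIONS):
        return True
    media_type = content_type.split(";")[0].strip().lower()
    return media_type in BLOCKED_CONTENT_TYPES


def classify(url, content_type):
    """Run the layers in order. Returns ('blocked', layer) or ('allowed', None)."""
    host = urlsplit(url).hostname or ""
    if domain_blocked(host):
        return ("blocked", "domain-filter")
    if content_blocked(url, content_type):
        return ("blocked", "content-filter")
    return ("allowed", None)


def filter_log(log_text):
    """Apply classify() to each log line; returns a list of result dicts."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, user, _method, url, _status, _size, ctype = line.split()
        verdict, layer = classify(url, ctype)
        results.append({"user": user, "url": url, "verdict": verdict, "layer": layer})
    return results


def summarize(results):
    """Count how many requests each layer stopped, plus those allowed through."""
    counts = {}
    for r in results:
        key = r["layer"] or "allowed"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    res = filter_log(SAMPLE_PROXY_LOG)
    for r in res:
        where = f" by {r['layer']}" if r["layer"] else ""
        print(f"{r['user']:8} {r['verdict']:7}{where:19} {r['url']}")
    print(summarize(res))
```

On the constructed log, the domain filter stops the phishing and malware hosts, while the two executable downloads from unlisted domains are only caught by the content filter, one of them solely because of the returned Content-Type. That is the argument for keeping both layers even when each one, on its own, looks redundant.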
On the less technical side, Macdonald and his team also work toward protecting Constellation through security awareness projects. “We actually created a video that has gone out to all employees, which talks about how to work in a company and be secure. It talks about doing things like locking your computers and whether or not you should be sharing confidential information with other people.” The video takes a comic approach, and Macdonald has received plenty of positive feedback from users.
Another non-technical approach was the production of a flyer distributed to all Constellation employees titled, “What Every Employee Needs To Know About Information Security.”
Currently, Macdonald's projects include researching the risks associated with moving to Windows Mobile PDA phones. “As IT projects come up, we go in and do the research into the technology and identify what level of risk and exposure that it gives to the company,” Macdonald says. This means his group can then come up with either a secure solution or a compromise that protects the company.
Getting into security
Before joining Constellation Energy four years ago, Macdonald worked at a software company building e-billing systems that collected credit card information. He recalled, “They were good enough to realize that they needed security people on staff to make sure that it was done securely. I saw an opportunity to join that group. I had always had an interest in security and this allowed me to move into the area and learn more about it.”
Outside of work, Macdonald continues to work with technology, operating e-mail servers and hosting Web sites for local community groups, including one that promotes bicycling in the Baltimore area. An avid cyclist, Macdonald bikes to his downtown office daily.
© 2008 Penton Media Inc.