13.3 Securing the Workplace

Securing the work environment starts with addressing building access and taking such obvious precautions as locking doors to sensitive areas, including wiring closets, restricting access to the data center, and having employees go through a checkpoint when entering and leaving the building. All unattended areas should be watched with video cameras. Elevators should require smart-card access to other floors, and access to office areas on different floors should require the same card. The smart-card should have the employee’s photo, and all employees should be required to wear it while in the building and even challenge those who are not wearing one. These precautions not only protect employees from physical harm and theft of personal property by intruders, they discourage employee theft of computers and other assets, as well as attempts by employees to enter unauthorized areas.

Risk can be further reduced by issuing badges to visitors, providing visitor escorts to their meeting location within the building, and having a security guard stationed in the lobby. The presence of a guard not only discourages intruders from entering the building to do mischief, it discourages employees from walking out the door with company property or sensitive information. Even the possibility of being challenged goes a long way toward dissuading violations of corporate security policies.

Securing the work environment requires the cooperation of management and staff. For example, employees who work near unprotected workstations should take note of authorized operators and their usual work shifts. However, such simple measures as keyboard and disk-drive locks, forced log-on after a period of inactivity, and biometric controls are even more effective in deterring unauthorized access to unattended workstations. In addition, locking down workstations to desks can help protect against equipment theft. These are important security features, especially since some workstations provide management access to wiring hubs, LAN servers, switches, routers, and other network access points.

Network administrators should also implement controls that prevent tampering-with the wires or cables linking the workstations to the network. In addition to examining the obvious wires linking telephones and data processing equipment, administrators should examine conduits, wiring closets, and patch panels where telephone and data wires traverse other floors in the building. A basement may have a wire room where all of the wires in a building terminate. Administrators should keep unattended wire rooms and closets locked and monitor any installation work that must be performed.

An open wiring closet, for example, might let an intruder plug in a wireless access point to an Ethernet hub, giving that person easy access to the corporate network from out in the parking lot. Since the wireless access point and hub are behind the firewall, this type of network intrusion might go undiscovered for months. Planting the wireless access point can also be carried out by non-employees who have easy access to the building, such as maintenance people, outside cleaning firms, and vendors who might be persuaded by “competitive intelligence” gatherers to install such devices. This scenario makes securing the workplace from inside threats just as important as securing the network from outside threats.

Implementing an asset management system is a form of protection that helps guard against employee theft, fraud, waste, and abuse. Among other things, these tools provide the means to inventory the network. A central repository stores such information as equipment serial numbers, hard-disk configurations, and memory utilization. They track changes in hardware and software configurations and update the database in terms of move, add, and other changes. They also monitor software usage, manage software licenses, handle software distribution, and implement security features.

The failure to implement an asset management program can actually encourage theft or “asset shrinkage.” If employees know that assets are not accounted for and that they will not be held accountable for lost or stolen equipment, they are more inclined to carelessness when entrusted with company assets. Although all companies are potentially vulnerable to employee theft, those with no way to track assets generally suffer greater losses than companies that can track assets.