From the document DOCUMENT SECURITY (pages 97-100)

SECURING PAPER AND PHYSICAL DOCUMENTS

DEVELOPING SECURITY PROCEDURES

Primarily, an organization must have an effective information security policy in place to achieve a reasonable security level for paper and physical documents. In our ever-increasing Digital Age, much emphasis goes to deterring network intrusion and attacks on databases in electronic format. Yet, an astute information security team must realize that at some point in the life cycle of sensitive information, such data may end up in paper or physical form. Therefore, developing a comprehensive information security policy that includes paper and physical documents is essential for layered defense.

For guidance on developing information security policies, the professional should consult the SANS site (http://www.sans.org/resources/policies). This resource offers numerous templates and supporting documents on crafting security policies. In addition, "The SANS Policy Primer" by Michele D. Guel (2001) provides a concise overview of developing policies for protecting information.

Once the information security policy is in place, it serves as a framework on which to build procedures that ensure the policy's general provisions receive proper enforcement. Developing procedures for paper and physical document security requires the joint participation of information and physical security professionals, along with the input and cooperation of the information assets' owners. Working as a team, the members strive to cover the following principles:

1. Procedures should implement policies in a practical manner. Protecting sensitive paper and physical documents requires care, but the process should not be unduly burdensome. Otherwise, workers will constantly be looking for ways to shortcut the process.

2. Establish procedures for classifying documents as Confidential, Private, or Sensitive. Ensure that appropriate review prevents unnecessary classification. Everything cannot be a vital secret; otherwise, the whole protection process becomes unwieldy.

3. Make sure the classification system is comprehensible to all. The rationale should be easy to understand.

4. Define storage and handling procedures for the classified documents. Specify where, when, and how each type of classified document receives secure handling and storage.

5. Define destruction and reuse procedures for classified documents. (See Chapter 5.)

6. Define reclassification procedures. (A periodic review is necessary to ensure that time, resources, and money are not being devoted to protecting documents whose classification is obsolete.)

7. Define special procedures for physical documents.

8. Define how Security responds to incidents regarding sensitive paper and physical documents. How will the documents be secured? Whom does Security notify? What reports does Security generate? Who handles the investigation?

Always allow for revision of procedures as changes in the organization dictate. Tradition is great, but modern security requires adaptability and flexibility. Make sure that your security procedures stay in sync with the realities of your work environment, and meet on a regular basis with the owners of information assets. Obtain their feedback on procedures and on what can be done to improve service.

Enforcing Paper and Physical Document Security

Regular inspections protect documents. If the security officer force must walk the premises on second and third shifts, the officers can keep their eyes open for violations of document security policies and procedures. Spotting violations and taking corrective action should be part of security officer training at the facility.

The security team of information and physical security professionals must design a checklist and a report form for document security incidents. In addition, the security team should establish a route for security patrols to ensure they visit all probable "trouble spots" within the facility. These spots are places where documents tend to accumulate and deserve regular inspection. Ideally, security officers should have electronic watch stations that correspond to these spots along their route.

Key areas to investigate on a daily basis include:

1. Dumpsters and trash bins
2. Shredding collection points
3. Meeting rooms
4. Special project rooms
5. Copier areas
6. FAX areas
7. Printer areas
8. Breakrooms
9. Paper storage areas
10. Storage areas for sensitive physical documents
11. Loading and receiving docks
12. File cabinets and document storage equipment
13. Media library
14. Document destruction area

Obviously, the security force looks for sensitive documents that are unsecured, unlocked doors to storage areas, excessive accumulations of documents, whiteboards that need to be erased, and the like. Constant vigilance cuts off many avenues of attack by the information thief. To use a buzzword, leveraging the physical security force extends the enforcement capabilities of the information security professional. Make sure that all uniformed security officers have training in securing paper and physical documents.

On the topic of training, the next best technique for guaranteeing a high level of document security is educating the average worker. A multi-layered approach can have a significant impact. First, all new employees, as part of the new-hire orientation process, need to understand the importance of following document security procedures. Second, educational audits offer constructive criticism if a department has difficulties in implementing procedures. Unscheduled audits, if done in a friendly, nonconfrontational manner, can educate workers. Briefing workers and managers after an audit on the strengths and weaknesses discovered can have a positive impact. Finally, periodic security training meetings will reinforce the need to protect sensitive paper and physical documents.

The basics of worker training should include:

A. Review of the information security policy.

B. Correct procedures for handling and securing sensitive documents.

C. Correct procedures for destroying and disposing of sensitive documents.

D. The rationale for classifying documents.

E. The importance of a clean desk policy.

F. Policing work areas around copiers, fax machines, and printers to prevent excessive and prolonged document accumulation.

G. Why notes on a calendar, sticky notes on a terminal, and logons and access codes left in one's workspace are a bad idea.
