A tutorial on preventing disasters from within your company

From a security perspective, many options exist for skilled and motivated people to steal valuable company information, damage systems and applications, and violate physical and information security provisions. Despite the use of passwords, biometrics and other security devices, it is still possible to damage information systems.

Physical security systems, such as proximity cards, scanners, video cameras, motion detectors and other devices can also be compromised. Even techniques like social engineering, in which clever individuals can obtain valuable information from unsuspecting colleagues, can create potential disasters.

Editor's Tip:

In a typical office, the building infrastructure and its supporting components, e.g., HVAC, commercial power, communications, fire protection, air quality management and security can be compromised. Despite the use of automated monitoring systems for power and HVAC, for example, it is still possible for a system failure to result in an unplanned building evacuation or other disruption. And if a fire occurs, the lack of detection and suppression systems due to a malfunction could cause a serious disaster.

Editor's Tip:

The ability to prevent disasters from occurring within a business depends on operational procedures that address potential situations before they occur and respond quickly to minimize the impact if an incident occurs. Risk assessments can identify potential threats to the building/company as well as vulnerabilities that could facilitate an incident. The key is to address those risks and vulnerabilities with the greatest potential to cause a business disruption.

Editor's Tip:

Preventing disasters is just as important as responding to them. Here's a checklist of information security prevention activities.

1. Conduct risk assessments to identify potential threats
2. Conduct vulnerability assessments to identify potential system weaknesses
3. Address key threats and vulnerabilities and enact continuous monitoring to ensure proper operation of remedies
4. Establish information security policies, disseminate them to all staff and enforce them vigorously
5. Implement multiple system security access strategies to thwart potential inside criminals
6. Use biometric access to further increase security
7. Consider using video cameras to record staff activity
8. Require password resets every 30 days
9. Be aware of potential social engineering by staff
10. Consider implementing keystroke monitoring

Here's a list of facilities and operational activities to get you organized.

1. Conduct risk assessments to internal systems, e.g., security, access control, HVAC, air handling, power, communications to identify potential threats
2. Conduct vulnerability assessments to identify potential infrastructure weaknesses
3. Update infrastructure systems to address identified threats and vulnerabilities
4. Provide continuous monitoring of critical systems
5. Regularly test fire detection and suppression systems to ensure they operate properly; install fire extinguishers wherever possible
6. Ensure that primary and backup power supplies are operating properly; test them regularly
7. Provide lightning arresting equipment, and ensure that electrical systems are properly grounded
8. Use video cameras to monitor areas, employee safety, after-hours safety (e.g., for multiple shift situations)
9. Minimize potential for static electricity from carpeting
10. In regions where severe storms and high winds occur, install plastic film in building windows to minimize the potential for windows to shatter

Operational activities

1. Conduct assessments to identify potential operational risks and vulnerabilities
2. Develop and disseminate operational policies that address disaster situations
3. Ensure that businesses have disaster recovery plans for technology, and test them periodically
4. Ensure that building infrastructure systems have emergency procedures to address incidents when they occur
5. Ensure that evacuation instructions for staff are on display for all occupants (e.g., at elevator banks), and distributed to all building occupants
6. Contact neighboring buildings to arrange for temporary relocation of staff if necessary
7. Identify assembly areas for staff to meet in a building evacuation
8. Provide employees with cards that list emergency procedures, phone numbers to contact, assembly areas, etc.
9. Conduct periodic training programs to ensure that employees are aware of potential disaster situations and can be alert to them
10. Conduct periodic training programs to ensure that employees are aware of company security policies, ways that systems can be compromised, and how they can help prevent future incidents

Careful assessment of risks and ongoing diligence in maintaining system and operational security will help minimize the chance of an internal disaster. Employees must also be mindful of their role in protecting the company and keeping the office a safe environment.