Criminals and villains are oftentimes portrayed as menacing, ugly figures. Take, for example, the Big Bad Wolf or Goliath. These figures are easy to recognize, and the mere thought of them brings fear to many children. In business, we tend to focus on the easily recognized risks while ignoring the meek and unassuming items that slowly eat away at the heart of the business.
I believe, however, that we should also place some focus on the “meek and unassuming”. Of course, I say that in the context of the risk/reward structure. Consider the following example:
I’m sure most of us remember the story of Goldilocks and the Three Bears. The young lady, Goldilocks, broke into the Bears’ home, stole food, and then took a nap at the end of her crime spree. Who would suspect that a little girl would break into a bears’ den? While this is a make-believe children’s story, it does have some real-life applications. In business, we oftentimes underestimate people’s motivations and intentions while also ignoring small steps that we can take to build a better environment. Simply locking the door could have kept Goldilocks out of the Bears’ home.
Hearing this story as a child, I often wondered why Goldilocks broke into the home. As an adult, I believe it was because:
- The opportunity presented itself (unlocked door)
- She had a perceived need to fulfil (hungry, sleepy, etc.)
Is your organization adequately securing its assets from Goldilocks?
Auditors can assist in answering this question by embedding office physical security into every audit. For example, imagine the collections customer service group at an organization that does not accept any form of payment from customers (payment occurs in another department). All sensitive information is stored on company servers. The actual office area has door locks; however, the doors are not consistently locked because the sensitive information is deemed “low risk”. Unknown to management is the fact that customer service representatives create a file for each customer containing SSN, name and address. Now imagine the night cleaning crew, maintenance personnel, or rogue employees having access to this information, all because the door is unlocked.
This is only one simplistic example of why auditors must embed physical access security reviews into engagements.
4-Step Approach to the Physical Security Audit
1. Find out what the most valuable assets (physical, virtual) are and where they are located.
2. Determine if employees understand the value of assets and what is required to protect them.
3. Identify the protection mechanisms (e.g., hard key, card swipe, etc.)
4. Test the control (see below)
Typical Physical Security Testing Procedures
I once worked for an organization with swipe card door security. During each departmental audit, we obtained the current access list as well as recent activity history. We tested for items such as:
- Terminated employees with access
- Inappropriate access based on job functions
- Access during off-peak hours
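As an added example (not from the original post), the three checks above can be run mechanically against the artifacts the author describes: an HR roster, the door system's current access list, and the recent badge activity export. All data below is constructed, and the employee IDs, door name and business hours are assumptions.

```python
from datetime import datetime

# Constructed sample data (not from the original post): HR roster, the door
# system's current access list, and recent badge activity for one door.
ROSTER = {
    "E100": {"name": "Ada", "role": "collections", "status": "active"},
    "E101": {"name": "Bob", "role": "collections", "status": "terminated"},
    "E102": {"name": "Cy",  "role": "cleaning",    "status": "active"},
}
# Roles that legitimately need each door, agreed with the department being audited.
DOOR_ROLES = {"collections-office": {"collections"}}
BUSINESS_HOURS = (7, 19)   # badge use outside 07:00-19:00 counts as off-peak

ACCESS_LIST = [("E100", "collections-office"),
               ("E101", "collections-office"),
               ("E102", "collections-office")]
ACTIVITY = [("2024-03-04T08:05:00", "E100", "collections-office"),
            ("2024-03-04T23:40:00", "E102", "collections-office"),
            ("2024-03-05T02:15:00", "E101", "collections-office")]


def review_access_list(roster, access_list, door_roles):
    """Checks 1 and 2: terminated (or unknown) employees still holding access,
    and active employees whose job function does not justify the door."""
    findings = []
    for emp, door in access_list:
        person = roster.get(emp)
        if person is None or person["status"] != "active":
            findings.append(("terminated-or-unknown", emp, door))
        elif person["role"] not in door_roles.get(door, set()):
            findings.append(("inappropriate-for-role", emp, door))
    return findings


def review_activity(activity, hours=BUSINESS_HOURS):
    """Check 3: badge events (ISO 8601 timestamps) outside business hours."""
    start, end = hours
    return [(ts, emp, door) for ts, emp, door in activity
            if not start <= datetime.fromisoformat(ts).hour < end]


if __name__ == "__main__":
    for finding in review_access_list(ROSTER, ACCESS_LIST, DOOR_ROLES):
        print("access list:", finding)
    for event in review_activity(ACTIVITY):
        print("off-peak use:", event)
```

Note that E101 surfaces twice: terminated but still on the access list, and badging in at 02:15, which is exactly the combination the activity history is obtained to catch.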
While it is important to focus on the Goliath risks, as auditors we owe it to our organizations to also identify and evaluate the Goldilocks who may be secretly eating our porridge.
What do you think? How easy is it to include office physical security in each engagement?