
Physical Security

7.5 Agreements

Everyone outside the organization that owns the documents who is involved in the destruction of the documents (including waste haulers, recycling facilities, and landfill and incinerator owners) should sign an agreement that states that they know they will be handling confidential information from the organization, and they agree to maintain the confidentiality of that information. The agreement must limit the vendor's use and disclosure of the documents, and of the information contained in them, to those uses stated in a contract.

Contractual language protecting the confidentiality of the waste should be built into all contracts with solid waste and recycling haulers and include the following elements:

Specify the method of destruction or disposal.

Specify the time that will elapse between acquisition and destruction or disposal of documents (or electronic media, if that is also to be disposed of).

Establish safeguards against breaches in confidentiality.

Indemnify the organization from loss due to unauthorized disclosure.

Require that the vendor maintain liability insurance in specified amounts at all times the contract is in effect.

Provide proof of destruction or disposal.

One final point to consider when deciding how to dispose of documents is their collection in a loading dock area. We must secure our solid waste compactors and containers by locking all accessible openings to the compactor. Metal doors can be welded onto the compactors to allow them to be easily locked. Ensure the loading dock is secure at all times. The container for the documents and the loading dock itself must be designed to minimize or eliminate the risk of documents blowing around in the wind before or while they are being collected for disposal.

7.5.1 Duress Alarms

In many facilities, certain operations are carried out that place staff in positions of heightened vulnerability. For example, in a bank, tellers are at risk from criminals who rob the bank during business hours. In data centers, employees who handle negotiable instruments (checks, stock certificates, etc.) may also be at risk.

Where employees are performing jobs that increase the risk of their being vulnerable to coercion or attack, each employee’s workspace must be provided with a duress alarm. The alarm activator (button or switch) should be placed so that it can be used without its use being noticed by others (a footswitch, for example, can be used without anyone watching being aware of its use).

The choice of whether the alarm should sound locally or not will be based on an assessment of the type of risk the alarm is meant to indicate. That is, if sounding the alarm locally is likely to increase the risk to the employee setting off the alarm, then the alarm should not sound locally. By the same token, if a local alarm might bring help more quickly or alleviate the situation, then one should be installed.

Whether local or remote, all employees who might be called upon to respond to the alarm must be trained in response techniques, and the response procedures must be kept up to date and stored at the place where responding employees normally work.

7.6 Intrusion Detection Systems

In the context of physical security, the term intrusion detection system refers to tools used to detect activity on the boundaries of a protected facility. When we commit to physically protecting the premises on which our staff work and which house our information processing equipment, we should carry out an exhaustive risk analysis and, where the threat requires, consider installing a perimeter intrusion detection system (IDS).

The simplest IDS is a guard patrol. Guards who walk the corridors and perimeter of a facility are very effective at identifying attempts to break into the facility and either raising the alarm or ending the attempt by challenging the intruder. Of course, the most obvious shortcoming of a guard patrol is that the patrol cannot be at all points of the facility at the same time.

This leads to the next simplest IDS: video monitoring. We can place video cameras at locations in the facility where all points in the perimeter can be monitored simultaneously and, when an intrusion attempt is detected, the person charged with monitoring the video surveillance can raise an alarm.

7.6.1 Purpose

Our first task in defining the requirements of an IDS is to define what is to be protected and what is the level and nature of the threat. For general threats we might ask: How does anything from the outside get to the inside? Are parking lots secure? What is the mail delivery system? What is the environmental system exposure? What are the loading dock procedures? What building access controls exist?

Other questions to ask in defining the purpose of the IDS relate to the history of the facility. For example, has there been a specific parking lot incident, grounds incident, or a property/facility trespassing incident? Are there general vulnerability concerns that may include trespass, assault, or intimidation? When was the last occurrence, and what were the circumstances? Are the authorities aware and involved? Is there documentation available for review?

Answering these questions will help define the purpose of the IDS (and what it needs to achieve). The next task is planning the system itself.

7.6.2 Planning

Of course, both of the examples given above should have been chosen as the result of a need identified by a risk assessment plus careful planning. The planning should have been carried out with an objective to provide a solution that addresses:

Surveillance

Control

Maintenance

Training

During the planning, the nature of the facility and the contents of the facility themselves should be taken into account. For example, the IDS requirements for a dedicated data center campus, situated on its own grounds and surrounded by a perimeter fence, differ greatly from those for a data center housed on the warehouse floor of a multi-story building in a city center.

7.6.3 Elements

The planning should produce a draft design that addresses the requirements of the premises. The elements of intrusion detection required will depend on the facilities; for example, the dedicated data center might require a perimeter fence, lighting on that fence and in the space between the fence and the walls of the facility, video cameras, and then the perimeter system for the building itself. On the other hand, a facility contained in a multi-use building will require intrusion detection systems on the doors, windows, floors, walls, and ceilings of only the part of the facility that contains the data center.

Elements to consider when installing an IDS include:

Video surveillance

Illumination

Motion detection sensors

Heat sensors

Alarm systems for windows and doors

“Break-glass” sensors (noise sensors that can detect the sound made by broken glass)

Pressure sensors for floors and stairs

7.6.4 Procedures

Whatever tools or technologies are used in the IDS, the system will fail to provide security unless adequate procedures are put in place and training on those procedures is given to staff expected to monitor and react to alarms created by the IDS.

Staff should be trained twice a year on what IDS alarms mean and how to respond to them. Those staff responsible for monitoring the IDS must be taught to recognize intrusion attempts and how to respond according to a response scale (i.e., when it is appropriate to respond in person, when to respond with assistance from facility personnel, and when law enforcement should be called for assistance).

Procedures should also include logging procedures that allow for all events — not just events requiring responses — to be logged for audit purposes or for purposes of follow-up.