Professional Documents
Culture Documents
INTRODUCTION
TO INDUSTRIAL SECURITY
CONCEPT
PART TWO:
CATEGORIES OF SECURITY
CHAPTER 4:
PHYSICAL SECURITY
CHAPTER 5:
PERSONNEL SECURITY
CHAPTER 6:
DOCUMENT AND INFORMATION SECURITY
CHAPTER 4
PHYSICAL SECURITY
Learning objectives:
At the end of this chapter, the student is expected to:
• Define physical security;
• Explain the purposes and advantages of physical barriers;
• Explain the three lines of defense and enumerate examples;
• Illustrate protective alarm sensors; and
• Characterize protective lighting and enumerate examples.
Discussion:
Physical security refers to a logical set of tangible elements and measures adopted to prevent
unauthorized access to equipment, facilities materials, documents and personnel. The objective is
protect these assets from damage, compromise and loss. In short, it is system of barriers placed
between the potential intruder and the objective to be protected. For example, a fence can slow
down an intruder sensor can send alarms, and protective lighting can make the intruder visible to
patrolling security personnel.
There is a wide variety of factor to consider in ensuring physical security. Measure include
safeguards such as lightning, fences and lock key system, personal identification and visitor
control. Other factors to consider may refer to the nature of a target or the asset being protected.
It could be a physical object like a very expensive jewelry, a non-physical object like the formula
for San Miguel Beer, a human object like a chief justice or a group of high profile tourist
vacationing in Boracay, or even a structure like the Malacañang Palace.
Principles of Physical Security
In considering the appropriate security measures, the following principles should be considered.
1. The type of access necessary depends on the numbers of variable factors, thus, may be
obtained in different ways.
2. There is no such thing as an impenetrable barrier.
3. The installation of a barrier varies from another.
4. There is defense in barrier depth.
Factors in Selecting Security Safeguards
The following are factors that should be considered in determining the physical security needs of
a facility (Fay, 2006).
1. Site Characteristic
Selection of safeguard can be influenced by the nature of the site such as the size,
layout, utilities, internal activities and assets in the site. Other factors may include company
philosophy and work force culture.
2. Environment
This refers to the area surrounding the facility. A bank inside a large commercial
complex in Makati City will require safeguards different from those required for an
exclusive beach resort in an island in Cebu or a factory of fireworks in an isolated area in
Bulacan. For example, the bank may opt for electronic locks and sensors, the resort may
require a specially secured boat access, and the fireworks factory may go with a perimeter
fence.
3. Forces of Nature
Also at play in the selection of safeguards are the environment’s climate, weather, and
natural forces. Certain detection sensor devices may not work well in extreme temperatures
and are vulnerable to floods and earthquake.
4. Crime
Crime patterns must be considered in selecting the necessary countermeasures.
Decisions should be preceded by a risk assessment that includes a study on the nature,
intensity, and repetitiveness of criminal acts that have occurred in or near the facility
during the recent past.
Terrorism is also an important factor for certain facilities that may be considered targets
of terrorist groups such as airports, tourist destinations, research laboratories and
government buildings.
Physical Barriers
A barrier is a natural or manufactured obstacle to the movement of persons, animals, vehicles or
materials. It defines physical limits to and delays or prevents penetration of an area (POA
Publishing LLC, 2003).
It is impossible to build a barrier that cannot be compromised. A clever and determined intruder
with plenty of time, money and imagination can quite possibly penetrate any structural barrier.
Hence, intelligently designing layers of barriers is considered an effective measure to ensure
physical security. The idea is to cause as much delay as possible by designing a series of layers,
or concentric circles, so that highly protected assets are within a configuration of multiple
barriers.
A concentric protection of a high-security facility allows for several rings of barriers, as
explained by John J. Fay in his book Contemporary Security Management:
"...The overall security scheme features several rings of security that in the abstract look like a
shooting target. The outermost ring, which is at or on the far edge of the perimeter, might be a
clear zone in which the approach of an intruder or intruder force can be seen by human and/or
electronic means. The next ring might be a wall or fence, and then another wall or fence.
Supplementing the walls or fences might be guard posts, patrols, detection sensors, CCTV
cameras, and security lighting. The next ring might be sentry-protected and electronically
controlled doors to a building or a complex of buildings. Within the building might be another
ring of security another ring within the exclusion areas might consist consisting of access-
controlled exclusion areas, and yet another ring within the exclusion areas might consist of safes,
vaults, and similar containers, inside of which might be motion-detection devices. The theory
operates on the simple premise that an attempted intrusion will have a lesser chance of success
when multiple layers of protection stand in the way." (Fay, 2006)
3. Reducing the cost of security staffing by substituting barriers for people, and placing
security posts in locations that complement barriers
1. To control the movement of people and vehicles into, out of, and within the facility
1. Human Barriers
The guard force as a human barrier is the key element in any security system. Without it,
all other protective devices - mechanical, electrical or electronic-would be useless. The
electric device may sound the alarm, the CCTV may spot the culprit, or the micro-
computer may trigger a red button as a sign of intrusion, but it is the guard who will
respond and initiate the needed security action.
2. Animal Barriers
The most common of animal barriers are dogs known as the K-9 team. The number of
dogs to be used relies on the size and kind of installation being secured. The most popular
breed is the German shepherd. If trained correctly, the K-9 can detect even hidden drugs
and firearms, thus, their prevalent use in sensitive entrances like airports, malls and
public transport such as the MRT.
Among rural residences, another effective animal barrier is the goose barrier. It is
common knowledge that geese are not as ferocious as dogs, but they can easily call the
attention of their owners at the first sign of a would-be intruder through their loud hissing
sound.
The usual starting point in assessing risk at a facility is the perimeter. The major purpose
of the use of perimeter as barrier is to deny access or exit of unauthorized persons.
• Standard barbed wire is twisted, double-strand, 12 gauge wire with 4-point barbs
spaced at an equal distance apart
• Must be less than seven feet high, excluding top guard
• Must be firmly affixed to post not more than six feet apart
• The distance between strands must not exceed 6 inches and at least one wire will
be interlaced vertically and midway between posts.
• A top guard is an overhead of barbed wire along the top of the fence, facing
outward and upward at approximately 45-degree angle.
• Top guard supporting arms will be permanently affixed to the top of the fence
posts to increase the overall height of the fence at least one foot.
• Three strands of barbed wire, spaced 6 inches apart must be installed on the
supporting arms.
1.5 Clear Zones
• A clear zone of 20 feet or more should exist between the perimeter barrier
and exterior structure, parking areas and natural or man-made features.
• A clear zone of 50 feet or more should exist between the perimeter barrier
and structures within the protected areas except when a building wall
constitutes part of the perimeter barrier.
2. Building Walls
Walls, floors roofs or their combinations serve also as barriers and must be of such construction
to provide uniform protection just like the wire fencing.
Masonry walls' height must be the same that of the chain link and surmounted by the barbed wire
top guard, if the height of the masonry is less than the prescribed, additional chain link as
"topping" is placed to attain the minimum requirements. Walls can be made of stone slabs the
post at regular intervals to prevent the wall from collapsing.
3. Bodies of Water
Bodies of water like river, lakes, marsh, ponds or other bodies of water forming part of the wall,
building or fencing should never be considered adequate natural perimeter barrier, Additional
security measure like wire fence, concrete walling, security patrolling and floodlighting at night
maybe necessary for the portion of the perimeter.
Concrete Structures
An ordinary concrete building wall, because of its rugged and formidable appearance, may give
the impression that it offers good protection against penetration, but may not. Standard poured
concrete or concrete block walls are utilized to support structural loads, or are used as curtain
walls to enclose spaces between load - bearing walls, but are not normally designed to prevent or
delay penetration. Concrete walls that are six inches or less in thickness are vulnerable to
penetration with hand tools and small amounts of explosives. For example , bolt cutters can be
used to cut the small - size reinforcing bars ( rebar ) usually number four or less sometimes used
in four - inch - thick concrete walls . Four - inch concrete walls are not load bearing , are used
principally to curtain spaces between columns , and offer little protection against even moderate
force .
Eight - inch - thick, reinforced concrete walls are found in all types of structures. They are load
bearing and cannot easily be penetrated with hand tools alone. However, small amounts of
explosive, supplemented by hand tools can quickly penetrate them. Walls thicker than eight
inches are usually found in vault construction.
Standard concrete block walls, without reinforcing material, are easily penetrated with hand
tools, power tools or explosives. The strength of these walls can be increased materially by
filling the hollow cores with concrete or by installing rebar.
Floors
Wooden floors normally have flush sheathing covering the joists diagonally. This surface may
then be covered with building paper and flooring such as tile, cork, rubber, linoleum or wood.
Floors may also be constructed of poured concrete, which may be reinforced with steel rods. A
concrete floor may be used without any covering or may be covered with wood, tile, linoleum or
carpet. The floor may be a concrete slab poured directly onto the ground, or it may be on a
foundation, raising it above the ground and leaving a space underneath for an intruder to
penetrate the floor surface.
Interior Walls
Interior walls and ceilings may be constructed of lath and plaster. However, prefabricated sheets
and panels of material such as plasterboard have become, in recent years, a popular method of
interior wall and ceiling construction. The joining edges of the material are sealed with paper or
fabric tape and are then sealed with a plaster covering. After installation, surfaces constructed of
such material resemble plaster. Plywood or other types of wooden paneling may also be used and
are usually attached to the studs or rafters. The vertical joining edges may be covered by narrow
wooden strips.
Ceilings
Ceilings may be covered with acoustic or decorative tile. It is a common modern building
technique to construct ceiling plenums that do not have security barriers between rooms and
areas. As a result, an intruder who can gain access to the plenum space can work from there to
achieve access to rooms or spaces below.
Doorways
Doorways, including the frame, jambs and stops, are constructed of either wood or metal.
Doorways are of two general applications: personnel and vehicular.
Personnel doorways, in both outer and inner building walls, may be single or double. They are
usually fastened by hinges to the door jamb on one side and equipped with a latch and perhaps a
lock on the other side. Sliding doors and folding doors may also be used. Folding personnel
doors are ordinarily installed in the interior of a building and are often intended to deny visual
rather than physical access.
Vehicular doorways may also serve as entrances and exits for personnel. Double doors are often
used because of the size of the openings. They may be hinged on the outside on jamb edges and
secured with a locking device where the inner edges of the doors meet in the center. Sliding or
rolling doors, single or double, may also be used. They may move horizontally or vertically on
tracks or rollers. Folding doors that fold in hinged sections are another option. Regardless of the
design or the size, doors have weaknesses.
A door is often much weaker than the surface into which it is set. Sometimes, the door is hollow
core, or constructed of comparatively thin wooden or glass panels between the rails and stiles,
and the panels may be easy to remove.
The door frame may also be a weak spot if it is not properly installed. If the frame is wood, it is
usually installed by nailing the doorjamb to the wall studs, after which the doorstop is nailed to
the jamb. If this installation is not correctly done, the piece-by-piece construction may allow thin
shims or levers to be inserted so that the lock bolt can be disengaged. In addition, most doors are
installed by a carpenter, not a locksmith. Carpenters are generally more concerned with the
swing of the door rather than the effective function of the locking mechanism. An all-metal door
does not cause such a problem if properly installed. However, the door frame must be of
sufficient strength that it will not allow the door to be pried out of the frame or allow the bolt in
the lock to be released.
If not correctly installed, hinges may contribute to the weakness of a door. For example, if hinges
are surface mounted so the mounting screws or hinge pins are exposed on the exterior surface of
the area being protected, intruders can quickly remove the screws or pins and gain entrance by
opening the door from the hinged side and replace the door as they leave. There would be no
evidence of penetration if the removal and replacement were done carefully. Hinges should be
installed so that the screws are concealed and the hinge pins are on the interior. The hinge pins
can also be welded or flanged to prevent removal. Surface-mounted hinges are sometimes
installed with bolts extending through the door. Removal of these bolts is possible even from the
bolt head side if sufficient pull is exerted. The threaded end of the bolt can be peened to
eliminate this hazard.
Windows
Windows are designed to provide ventilation, natural illumination or visual access through a
wall, or any combination of the three. Most windows are equipped with clear glass and can often
be opened to provide access. Other windows, in areas where it is necessary to deny visual access,
are glazed with frosted, pebbled or other opaque or translucent glass. Picture windows or those
installed in air conditioned buildings are permanently fixed in place. While they allow
illumination and visual access, they do not open to provide ventilation.
The weakest area in a window is usually the glass. An intruder can easily cut out a section with a
glass cutter, or the glass may be covered with tape so it can be broken without the broken pieces
falling and causing noise. Because of the innate vulnerability of glass to penetration, two
products have been developed to discourage forcible entry. One type, a polycarbonate, is
constructed of plastic material, while the other has a special plastic laminate sandwiched between
two pieces of glass. Both products are highly resistant to impact and give the appearance of
ordinary glass. However, the laminated glass is about twice the cost of tempered glass; the
plastic is a bit less costly than the laminated.
If they are not strengthened, standard windows may be the weak link in the barrier protection in a
structure. Because most standard windows can be penetrated with hand tools in less than a
minute, additional protection, such as protective coverings, grills or mesh, may be required for
proper protection.
Other Openings
In addition to doors and windows, a wide variety of other openings in the roof, walls and floor
may require consideration. These include openings for shafts, vents, ducts or fans; utility tunnels
or chases for heat, gas, water, electric power and telephone; sewers and other types of drains; and
other small service openings.
Various techniques and material can be used to give added protection to surface openings.
Expanded metal, wire fabric and fencing may be utilized. Steel bars or grills may be used to
protect glass-paneled windows or doors. Such bars should be spaced no more than five inches
apart. If they are round, their diameter should be at least 1/2 inch; if they are made of flat steel,
they should be at least 1x 1/4 inch in size. Steel grills that have 1/8 x 2-inch mesh offer good
protection. Both bars and grills must be securely fastened so they cannot be pried loose; and if
possible, they should be installed on the interior surface.
If a door needs to be strengthened, it can be covered on the inside with 16-gauge sheet steel,
attached with screws. Sound-reducing baffles can be installed in ducts to protect a room or area
from unauthorized listening. Wire mesh, expanded metal or metal grills can be used to secure
chases and tunnels, locked in place to permit removal, if necessary.
Identification Systems
Controlled entry into a business facility usually begins with identification of the person entering.
The identity of employees or visitors can be determined through the following types of
identification verification and access control.
1. Guards can personally recognize or inspect the identification of employees or visitors, and
then formulate a judgment of that person's validity.
2. Card reader systems can compare the coded identification cards with computer records for
authorized personnel verification.
3. Biometric readers can use a person's physical property (such as retinal pattern or fingerprint)
to gain entry.
Types of protective alarm systems include local alarm system, auxiliary system, central station
system and proprietary system. These can serve the purpose of either substituting other security
measures for economic reasons or supplement these security measures to provide additional
controls.
Sensors can detect when an intruder penetrates the facility's boundary. It can also "sense
unexplained presence within zone or in close proximity to a protected object. When the intrusion
is detected the sensors are calibrated to activate and causes an alarm sounded or a signal to be
sent to a monitoring station of protected facility (Fay, 2006)
Sensors can perform three main functions. They can detect intruders such as when it reacts to
intruder's motion, sound or body heat. They can also open a portal, such as when it validates the
inputted card key to open a door. Finally, a sensor can turn on a device, such as when it reacts to
movement and automatically turns in security lights.
Sensors are more economical compared to the cost of labor. They are accurate and reliable when
properly installed, calibrated and serviced. However, the reliability of detection depends on
several factors such as an intruder's size, speed strength and direction of movement and distance
to the sensor. The intruder who uses very slow and stealthy movement in the right direction will
make it difficult for the sensor to detect his presence.
Protective Lighting
Protective lighting is designed to illuminate the perimeter barrier and the outside approaches of
an area. A threat cannot be detected, either by camera or in person, if there is no light. Lighting
can also serve as deterrence since a threat is more likely to attack an asset relative darkness than
in bright light.
2. The standby lighting provides continuous illumination of a protected area during the
hours of darkness, but it can be turned on manually or by special device or other
automatic means.
3. Movable lighting can be stationary or portable and consists of manually operated
searchlights. It may be lighted continuously during hours of darkness or only as needed.
It can supplement or temporarily replace other types of security lighting.
4. Emergency lighting is a standby lighting that can be utilized in the event of electric
failure, either due to local equipment or commercial power failure. The power source of
emergency lighting is usually a backup generator or an arrangement of batteries. Lamps
mounted in a stairwell that automatically light up during a fire fall into the emergency
lighting categories
CHAPTER 5
PERSONNEL SECURITY
Learning objectives:
At the end of this chapter, the student will be able to:
• Explain personnel security;
• Enumerate the checks included in pre-employment screening;
• Enumerate pre-employment screening measures;
• Enumerate the purpose and explain the importance of ongoing personnel security;
and
• Enumerate ongoing personnel security measures;
• Explain exit procedures.
Discussion:
Among the major threats confronting an organization are employee crime and employee
misconduct. In fact, internal theft surpasses the losses that can be attributed to robberies, theft,
frauds and other criminal acts committed by outsiders. At the same time, both substandard job
performance and inappropriate behavior of employees can result in potentially devastating
lawsuits and loss of business.
It is the employer's duty to maintain a safe and secure working environment. Employers conduct
pre-employment background checks of job applicants in order to protect existing workers,
guests, and the public from the harmful acts of employees. Harmful acts committed by
prospective employees cover a wide number of criminal acts, such as the rape, assault, and drug
dealing, as well as safety violations that injure and kill. Job applicants with a potential to commit
harmful acts can be filtered out of the hiring process through pre-employment investigations.
An employee with legitimate access to corporate systems also potential to wreck the
organization's reputation by simply using a USB memory stick or a webmail account to steal
confidential information. Personal security measures can prevent such kinds of employees from
exploiting their legitimate access to company for unauthorized purposes. Those who seek to
exploit their legitimate access are termed "insiders. They can execute several forms of criminal
activity, from minor theft to terrorism. Company polices procedures should be put in place to try
to minimize the risk.
Employees who may exploit their legitimate access for unauthorized purposes may include
rebellious individuals, members of activist groups, journalists, competitors, those with links to
organized crime or even those involved in terrorism. Through effective personnel security
measures, the organization will be better able to employ reliable people, minimize the chances of
staff becoming unreliable, and detect suspicious behavior and resolve security concerns once
they emerge.
Many organizations use security measures solely in the recruitment process, but personnel
security should be maintain throughout the time of employment. Although it is the management
and the human resource personnel who are tasked to oversee the enforcement of proper
employee behavior, security personnel have an important role in developing the necessary
policies, standards guidelines and procedures. They should also assist in developing training
programs that will help the organization handle situations in case security incidents occur.
The Centre for the Protection of National Infrastructure (CPNI) is a government agency that
protects the United Kingdom's national security by providing protective security advice. It has
published guides on Pre-Employment Screening (CPNI, 2011) and Ongoing Personnel Security
(CPNI, 2010) to assist UK-based companies in personnel security management. These guides
will be used here and adopted to the Philippine setting to discuss key elements on personnel
security.
Pre-Employment Screening
Personnel security measures are usually undertaken during the recruitment process. This is
because companies believe that it is better to spot a dangerous or dishonest individuals before
they are hired. This means that the human resource department should not simply trust the
correctness of information written in a very impressive resume. Hence, proper background
employment screening on job applicants must be carried out.
Apparently, companies in financial services have long been carrying out such background checks
and only recently have other industries followed. Such an interest could be attributed to the rising
instances of applicants who lie on their job applications (Condon, 2010).Many of these lies might
be considered trivial, such as exaggerating the responsibilities of a job role, or making
educational qualifications look more impressive. Nevertheless, these small lies are suspicious
enough when evaluating the character of a prospective employee who will be handling high
security functions if hired.
Through pre-employment screening the credentials of job applicants and their preconditions for
employment are verified. These checks should establish whether the applicant has concealed
important information or otherwise misrepresented himself. The objective is to collect
information and use that information to identify individuals who present security concerns.
Application Form
Using a standardized application form to be completed by job applicants requires them to
provide all relevant information and confirm its correctness with a signature. The form should
include 4 provision that pre-employment screening will be carried out. By signing the form, the
applicant provides consent for background checks to be undertaken. It should also include a clear
statement that lies or omissions are grounds to terminate the hiring process or employment even
if it is discovered when the applicant is already hired. Such statements in the standardized
application form not only protect the organization legally; they also serve as deterrent to the
applicant signing the document.
Interviews
The job interview portion of the application also helps in the screening process because it
provides an opportunity to discuss the candidate's suitability for employment. This interview is
important because:
• A face to face discussion encourages applicants to be honest.
• It allows the employer to clarify information in the application form, ask for other
information not covered in the application form, and probe candidates about their
responses.
• It also provides a good opportunity to add to the overall assessment of the applicant's
reliability and integrity.
Identity Verification
Verifying the applicant's identity is a critical measure in the screening process. In fact, other
measures in the screening process should only come second after the applicant's identity has
been satisfactorily proven. The key is to verify that the individual is not committing fraud by
using false identities.
There are four main reasons why individuals use false identities:
• To avoid detection - Individuals like crooks, terrorists or wanted criminals may wish to
remain anonymous or undetected.
• For dishonest financial gain - This involves individuals who have ill intentions to commit
credit fraud or unqualified applicants who falsify educational qualifications to obtain
employment.
• To avoid financial liability - "This includes individuals who have failed to pay debts and
are avoiding financial liabilities.
• To legally obtain genuine documents such as passports by using false 'breeder' documents
(i.e. those documents required to obtain passports, such as birth certificates which can
have few or no security features).
These reasons show how some individuals will claim false qualifications in their resumes and
application forms, possibly to get unauthorized access into an organization's assets. These also
highlight the need to authenticate documents submitted by the applicant and verify the
information provided.
The purpose of verifying identity is to ascertain the correctness of the information they have
given about themselves by:
• Determining that the identity is genuine and relates to a real person.
• Establishing that the individual owns and is rightfully using that identity.
One method of verifying identity, which is called the paper-based approach, involves requesting
original documents such as those that corroborate the applicant's full name, signature, date of
birth and full permanent address. Ideally, such documents should possess the following
characteristics:
• Issued by a trustworthy and reliable source
• Difficult to forge
• Dated and current
• Contains the owner's name, photograph and signature
• Requires evidence of identity before being issued
A second method called the electronic approach involves checking the applicant's personal
details against external databases. This method requires checking and cross-referencing
information from databases such as criminal records or credit reference agencies. By searching
for records associated with the name, date of birth and address provided, it is possible to build a
picture of that individual's past and current life. Tracking such history indicates that the identity
is more likely to be genuine. On the other hand, if searches result in a history that lacks detail or
depth, it is possible that the identity is false.
When such database checks are able to confirm that the identity does exist, it would also be
necessary to test whether the individual truly owns this identity by asking questions that could
corroborate information about the identity. Testing the individual's knowledge of the identity is
as important as establishing that the identity exists to prevent the hiring of an applicant who
simply stole the identity of someone who is actually qualified to perform an important position in
the organization.
Media Searches
Media searches involve the evaluation of an individual based on their online reputation. It
includes searching for what they say or what others say about them on the internet. This could be
a useful tool if the position to be filled up involves access to sensitive material that the applicant
might compromise. For example, if the position requires working closely with several TV and
movie personalities, it would not be ideal to hire an individual who enjoys heavy gossiping in
social media sites.
Media searches can also help verify identity, confirm or resolve concerns about suspicious
behavior, or establish how security aware the applicant is. An individual who posts photos of
drunkenness in parties and allows public viewing of such photos could indicate poor judgment,
especially if the position being applied for involves working in a religious foundation or a
prominent conservative politician. Potential conflicts of interest may also be identified, such as
being personally related to the owner of a competing business.
There are risks, however, in using media searches. Employers might obtain information about
someone with the same name as the applicant. It is also possible that the positive information
available online were staged by the applicant in order to appear qualified. Third party views or
opinions about the applicant are also not completely reliable, especially if these cannot be
verified to be true.
If there is a clear breach of security policy or if further evidence of wrongdoings emerges, those
responsible for personnel security should be informed so that they can conduct further
investigation.
Exit Procedures
An employee who leaves an organization could possibly have considerable knowledge about its
assets, operations and security vulnerabilities. If the reason for the employee's departure is not
amicable, he might maliciously give sensitive information to the organization's competitor. A
thorough procedure on personnel departures is therefore critical to ensure that appropriate actions
are taken to protect the organization without unnecessarily disrupting the relationship with the
departing employee. Standard procedures could include changes in the combinations for secure
cabinets, termination of IT accounts, or changes in generic passwords and remote access codes
so that an employee will no longer have access when he leaves the organization.
When an employee leaves, the organization cannot guarantee his loyalty especially if he left
feeling badly treated, ignored or unappreciated. They would possibly not feel guilty about
damaging the organization or give away sensitive company information. Exit procedures can be
the appropriate measure to limit this employee's propensity to be disloyal.
As soon as managers become aware that an employee is leaving the company, they should assess
and manage the risk that this individual may pose. The manager should consider the following:
• Is the employee leaving voluntarily or as the result of a disciplinary process or
redundancy?
• If the employee is not leaving voluntarily, what is the reason for the dismissal?
• Where are they going to work for next? Would they be working for the competitor?
• How sensitive is their role and their access to organizational assets?
After assessing the risks, the following are the manager's options depending on the employee's
contract:
• Allow the employee to carry on working during their contractual notice period and retain
their usual access to the organization's assets. This option could provide the employee
with an opportunity to abuse his access and damage the organization and should therefore
be used only if there is no risk.
• Allow the employee to work their contractual notice period but with reduced access to
assets (for example, using additional supervision or by allocating lower-level IT access).
This is generally considered the best course of action. If an employee is leaving to work
for a competitor, it may be appropriate to remove his access to commercially valuable
information.
• Ask the employee to leave immediately - possibly under supervision to prevent any
unauthorized act while still on the premises - and not to return for the duration of their
notice period. This could apply to employees who had extremely sensitive positions. This
is likely to cause ill feelings with the employee and should therefore be handled with
caution.
Exit procedures should also include the return of all access tools and identifiers that belong to the
organization. These assets may include:
• Uniforms
• Security passes and/or identification cards
• Mobile phones
• Company credit cards
• Any unused personal business cards
• Keys to secure/storage areas
• Tokens for access to electronic systems
• Any books, papers or commercially sensitive documentation Laptops and other remote
working equipment such as flash drives
• Security containers such as security briefcases
The following additional steps should also be considered to reduce the employee's access to
assets:
By and large, the exit interview is done with employees about to leave the company in order to
help identify problems contributing to employee turnover. The employee's experiences and
reasons for leaving may suggest needed changes and open the eyes of the management to adopt a
course of action that will improve the morale, improve the working conditions and increase
efficiency. Expanding the questions by including security questions can be an effective source of
information about loss.
Learning objectives:
At the end of this chapter, the student will be able to:
• Enumerate factors to consider in document and information security;
• Illustrate the information cycle;
• Enumerate the characteristics of information;
• Define and classify sensitive information;
• Define proprietary information and enumerate the types of intellectual properties;
and
• Enumerate some information security measures.
Discussion:
Protecting crucial documents has become progressively more critical in this age of fast growing
technology. The loss of document and information can cost a company huge amounts of money.
Business competitive badge and national security have been put at risk because proper security
precautions were not implemented. Oftentimes, the importance of document and information
security is not realized until after a loss has been discovered. Owing to this, a comprehensive
document and information security program is important to operating and competing in our
modern society.
Implementing an efficient and effective document and information security program requires
knowledge and skills in the field of document and information technologies as well as
management. Its management relies on a clear understanding of the types and uses of document
and information within an organization. Planned measures information throughout all phases of
its existence. To prevent loss of document and information due to employee or procedural error,
security administrators must implement an effective document and information management
plan.
In protecting vital documents and information, one must understand the capabilities and use of
document and information technologies in terms of how technology can be used in the creation
usage, storage, transmission and disposal of information. One must also understand how
technology can be used in the manipulation and abuse of documents and information.
Types of Documents
• Class I - Vital Document - an irreplaceable record, reproduction of which does not have
the same value as the original.
• Class II - Important Document - a record , reproduction of which will involve
considerable expense and labor or considerable delay
• Class III - Useful Document - a record , the loss of which may cause inconvenience but
could be readily replaced and may not present an insurmountable obstacle to the prompt
restoration of the business
• Class IV- Non - essential Document - a record that may include daily files, routine in
nature, the loss of which will not affect the organization's operation. This class represents
the bulk of the records which can be kept in ordinary files ready for reference if needed
and usually discarded after some period of time.
Factors to Consider
1. Document and information security is based on the premise that the government has the right
and duty to protect official papers from unwarranted and indiscriminate disclosure.
2. The authority and responsibility for the preparation and classification of classified matters rest
exclusively with the originating office.
3. Classified matter shall be categorized according to their content and not to the classification of
file in which they are held or another document to which they are referred.
4. Classification shall be made as soon as possible by placing appropriate marks on the matter to
be classified.
5. Each individual whose duties allow access to classified matter while it is in his possession
shall ensure the distribution of such matter on the "need to know" basis only and to properly
cleared persons only.
Information is voluminous. Another reality is that companies are dealing in larger volumes of
information than ever before. Great amounts of raw data are needed to make fully developed
analyses. From customer information to critical business strategies, financial operational data
and intellectual property, not only is there more information but it is high-impact information.
All of these have serious security vulnerabilities.
Sensitive Information
Sensitive information refers to information that has value and should be protected, including the
following:
• Proprietary business and technical information.
• Personal data concerning applicants, employees, and former employees.
• Proprietary information owned by partners and obtained through an agreement.
1. Secret - This is information the unauthorized disclosure of which could cause serious damage
to the organization's business. Its use and access to it are strictly limited. Examples include:
• Trade secrets
• Plans to merge, divest, acquire, sell, or reorganize
• Information that could affect the price of shares
• Information with high political or legal sensitivity
• Information prejudicial to the interests or reputation the organization
2. Restricted -This is information of such value or sensitivity that its unauthorized disclosure
could have a substantially detrimental effect on the organization's business. Example include:
• Marketing strategies
• Customer files
• Agreements and contracts
• Contentious or litigable matters
Proprietary Information
Information is considered proprietary when it is not readily accessible to others; it was
created by the owner through the expenditure of considerable resources; or the owner
actively protects the information from disclosure (Fay, 2006). This can include secret
formulas, processes, and methods used in production; or it could be the company's
business and marketing plans, salary structure, customer lists, contracts, and details of its
computer systems.
Proprietary information includes intellectual properties that are recognized and granted
varying degrees of protection by governments, such as the following:
1. Patents - grants issued by a national government conferring the right to exclude others
from making, using, or selling the invention within that country. Patents may be given for
new products or processes. Violations of patent rights are known as infringement or
piracy
Security Screening
Job applicants, current employees, contractors and other individuals who could be
sharing sensitive information with the organization may have their backgrounds checked
for affiliation with known activist or dissident groups or for any potential for insider
activity. For individuals in posts that are considered critical or vulnerable within the
company structure, screening may involve an investigation of their criminal history or
interviews with family, friends and work colleagues in order to identify any possible
concerns. In some cases, covert methods of security clearance may be employed.
Physical barriers that control access to restricted areas can serve as a deterrent and
increase the likelihood of identifying unauthorized individuals. The organization can
employ a series of identification methods from photographic identification cards, bar
codes, voice analysis, and retinal scans to enhance entry restrictions within high security
areas inside the facility.
The organization may use technological security measures to prevent individuals from
accessing communication or data storage media from external sources. In addition,
security personnel can enforce restrictions against electronic devices such as mobile
phones, cameras and voice recorders that could record or access sensitive information
within certain areas inside the facility. Countermeasures should also include protection
against high-tech surveillance devices that involve tapping land lines and mobile
telephone calls, remote accessing computer terminals or viruses that damage IT
equipment. Magnetic shielding, encrypted communications, virus checks, stand-alone
computers, and magnetic interference equipment as well as secondary communication
backups, alternative data storage systems, and power generators should also be in place
as part of a redundancy policy.