Security Laboratory

Security Laboratory

Security Laboratory: IT Managers - Safety Series

This series of papers discusses the IT Manager's complex roles in establishing workplace and enterprise security.

Other Related Articles in Security Laboratory: IT Managers - Safety Series

Safety and the Computer Security Manager

By Stephen Northcutt

On the surface it would seem that an information assurance manager wouldn't need to be overly concerned about safety other than repetitive stress injuries, or perhaps a back injury from a system administrator trying to horse a monster 4U server with integrated raid array into a rack by herself. However, what if you morph the title, as many organizations are starting to do, to "risk manager"? An NIST web site, Medline,[1] lists a variety of topics and links to valuable information, but for now scan the list and ask yourself, what does a leader need to keep in mind on each of these.

Our most valuable assets leave the building every day

U.S. Naval aviators are constantly reminded of their value; it takes several million dollars to train one. They are reminded of this because they have a dangerous job, and if they destroy themselves and their aircraft, both are difficult and expensive to replace. In general, Information Technology is not as dangerous an occupation, but our people are quite skilled; they are precious and they are difficult to replace. Safety is often overlooked, but is certainly important. Worse, a lot of information exists only in our employees heads. Consider this text from a job ad for regency centers: "We recognize people as our most valuable asset. Our competitive salary and benefits package includes paid parking, 401K, 401k match, profit sharing, optional HMO or PPO medical insurance, dental insurance, a vision-care plan, prescription drug coverage, short-term and long-term disability benefits, life insurance, paid sick leave, paid vacations, and a tuition reimbursement program."[2] So, where does an information security manager's role fit into this?

According to CXO magazine the role of information security is protecting the company from data loss, outages and adverse publicity which goes way beyond the traditional technical role of IT security, such as firewall configurations and antivirus updates. Security becomes much more a function of risk management, concerned with business priorities, compliance requirements, and prevailing threats to the company.[3] So, the short answer is that safety concerns are threats to the most valuable assets in the organization. Does this mean in information assurance officer needs to be an expert in fire, poisoning, and occupational health? No, but they do need to know who that expert is and what IT resources they need to do their job when someone rings the bell.

The computer security touchpoints for safety by issue

Safety is the need to ensure that the people involved with the company, including employees, customers, and visitors, are protected from harm. Generally, safety is the top priority when physical security measures are implemented, and most information security practitioners will consider safety the top priority for their enterprise environment. So the first and most important touchpoint is with the physical security manager or sometimes this duty is under the facilities manager. If you are an information security manager and you are not meeting with the physical security manager at least once a month, something is probably wrong.

Case Study, Physical Security:

A number of router cards were stolen in the robbery which took place on Wednesday, and which severely disrupted voice and data services to businesses in the capital. Level 3 sent an email to some of its customers following the robbery. It said "There was a security breach in our Braham Street gateway early this morning. A number of service-affecting cards were removed without authority from live equipment. This has resulted in the loss of IP and voice services to a number of customers at Braham Street."[4]

Which is in contrast with Level 3 communications marketing information: The Level 3 fiber optic network's availability, integrity and confidentiality are the backbone of e-business. Thanks to the latest technologies and the collaboration of Level 3's customers and employee-owners, our network security is world class. In the Information Age, protection of data is critical for success.[5]

Lesson learned: Their information security people and physical security people should have spent more time together.

Try it now! Stop reading for a minute and look at the list in the appendix. Who is responsible in your organization for these safety threats. If you do not know, find out. What IT resources do they need access to in order to do their jobs? Give them a call, introduce yourself as the IT security leader.

Safety First, Security Second

The need for safety may be orthogonal to the needs of security, that is the need to ensure personnel safety will in many cases require accepting weaknesses in other objectives. Let's look at two examples where safety concerns take precedence over other physical security priorities.

Example 1: During a building evacuation, employees will be exiting the building rapidly. Doors may be propped open to facilitate escape. During this scenario, employees would NOT be expected to stand at a reception desk to ensure unauthorized personnel do not access the employee-only areas.

Example 2: When a fire is detected, automatic sprinklers may deploy to prevent the fire from spreading. This deployment, while protecting the safety of personnel, easily could damage assets required to maintain business function. Employees would not be required, or have the time, to place all important documents into waterproof containers before the sprinklers would deploy!

Now, we have a third example, this time we do a bit of creative thinking as information security managers and arrive at a solution.

Example 3: Defense Mapping Agency - 1982. At the time, a lot of the work was done on light tables powered by fluorescent bulbs. The flickering can trigger petite mal seizures and it was common to have the rescue squad visit several times each month, especially with an aging worker population. The material at DMA was extremely sensitive, leading to concerns about the degree of exposure. Here you see the orthogonal nature of security and safety. A simple solution was to train a number of workers as First Responders and Emergency Medical Technicians, and serve as the primary contact for stricken employees. A forward thinking leader will be able to meet the needs of security and safety.


Two of the biggest books in terms of page count covering the general topic of information security are Computer Security: Art and Science [6] by Matt Bishop and Security in Computing 4th edition[7], Pfleeger andPfleeger. Neither cover safety. In the course we teach, Management 512 SANS Security Leadership Essentials[8] the students sometimes question the inclusion of safety in the course. We freely admit there is debate as to whether safety is an essential of security leadership within the community. On the other hand, safety has been part of the Common Body of Knowledge from ISC2 and is in their code of ethics: "In resolving conflicts, consider public safety and duties to principals, individuals, and the profession in that order."[9] At the end of the day, if you believe the employees are the most valuable asset in the organization, safety has to be a priority.

Appendix: Selected Safety Topics from Medline:
  • Coping with Disasters
  • Child Safety
  • Disaster Preparation and Recovery, Weather, Natural Disasters
  • Drug Safety
  • Ergonomics
  • Falls
  • Fire Safety
  • First Aid
  • Food Safety
  • Household Products
  • Infection Control
  • Injuries
  • Man-Made Disasters
  • Medical Device Safety
  • Motor Vehicle Safety
  • Natural Disasters
  • Occupational Health
  • Poisoning
  • Sports Safety