How to secure your lawn mower

Matt Tett

Matt Tett is the Managing Director of Enex TestLab, an independent testing laboratory with over 22 years of history and a heritage stemming from RMIT University. Matt holds the following security certifications in good standing: CISSP, CISM, CSEPS and CISA. He is a long-standing committee member of the Australian Information Security Association (AISA), Melbourne branch, and is also a member of the Information Systems Audit and Control Association (ISACA). Enex TestLab can be found at http://www.testlab.com.au, its blog at http://enextestlab.blogspot.com, and on Twitter as @enextestlab.

One of my acquaintances recently raised the subject of information security. Not surprising given it’s a specialist area for Enex TestLab, but his point was that less security conscious peers and workers tend to presume that information security is the domain of IT boffins.

The theory goes something like this: hear the word security and somehow associate it with IT. True, IT systems generally need a level of security around them, but it doesn’t necessarily follow that security is the domain of an IT practitioner. It is often by default that the IT admin shoulders security awareness tasks, well beyond their areas of knowledge and comfort.

Enex TestLab tests the security of things; it’s a specialist skill. Subjects range from physical locking systems, alarm sensors, alarm panel transmission systems, paper shredders and equipment shredders, to IT systems security, firewalls, encryption, IDS/IDP, anti-malware systems and data wiping products. They’re all different security-oriented systems, but do people defer to IT when they are buying padlocks?

In reality, information security is the domain of those who generate the information in the first place. Only the information creator is aware of the value of that information. The custodians of aggregated information repositories, be they physical paper-based files and archives or electronic records and data, may not necessarily be aware of the level of risk the organisation is exposed to if that information passes where it shouldn’t.

So how much do those responsible for creating the information invest in ensuring its security? Do they seek out physical safes, alarm systems, locking mechanisms, and access control and identification systems (or, more realistically in IT, encryption systems, IDS/IDP and firewalls)?

Are staff trained and aware of physical or electronic threats? How long must information be retained before disposal, and (depending on its level of sensitivity) how should it be disposed of: by shredding (how fine?), wiping, degaussing or disk destruction?

More valuable information should, logically, require more security. But each piece of information, in its creation, storage and disposal, has a different associated value, and so, theoretically, a different cost to secure.

In reality, most businesses take one of two approaches:

  A) Make all information security the domain of IT boffins, or
  B) Put all information in the same basket, so all information (even already public information) is secured in the same manner.

It’s a bit like putting everything inside the garden shed, including the plants and gnomes. Some things are better left outside; only the mower and tools really need protecting.

In some instances it’s actually more akin to using a safety deposit box in a bank to keep your mower and tools in, when the garden shed would do.

A more appropriate approach would have those responsible for creating the information value their information and assign it a classification according to:

  1. The risk and cost of the information getting into the wrong hands
  2. How the information should be handled
  3. Where it should be stored
  4. How long it should be stored.

This way, those who are authorised to handle and store the information (and ultimately destroy it) make the most informed decision about the expenditure necessary to protect it.
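As an added illustration of the four-point classification above (this is example code written for this page, not anything from Enex TestLab or the author), the model below puts the author's garden analogy into a small decision routine: the information owner estimates the loss if the information reaches the wrong hands (item 1), that estimate drives the classification, the classification selects the cheapest adequate handling and storage control (items 2 and 3), and a retention period (item 4) determines when, and by which method, the information is disposed of. The `audit` function also reports the two failure modes the article describes: information kept somewhere inadequate, and information kept somewhere far more expensive than its value warrants. The classification thresholds, control costs and control names are assumptions made up for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import IntEnum


class Classification(IntEnum):
    """Ordered so that a higher value means more sensitive."""
    PUBLIC = 1
    INTERNAL = 2
    CONFIDENTIAL = 3


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float            # assumed cost of keeping information here for a year
    adequate_for: Classification  # highest classification this control adequately protects
    disposal: str                 # disposal method required once retention expires


# Assumed control catalogue (hypothetical names and figures), following the garden analogy.
CONTROLS = (
    Control("garden (public web page)", 0.0, Classification.PUBLIC, "none required"),
    Control("garden shed (locked cabinet / access-controlled share)", 200.0,
            Classification.INTERNAL, "strip-cut shredding or disk wipe"),
    Control("bank safe deposit box (safe / encrypted vault)", 2000.0,
            Classification.CONFIDENTIAL, "cross-cut shredding, degaussing or disk destruction"),
)


@dataclass(frozen=True)
class InformationAsset:
    name: str
    loss_cost: float     # item 1: the owner's estimate of the cost if it reaches the wrong hands
    created: date
    retention_days: int  # item 4: how long it must be kept before disposal


def classify(loss_cost: float) -> Classification:
    """Item 1 drives the label. The thresholds are assumed for this example."""
    if loss_cost <= 0:
        return Classification.PUBLIC
    if loss_cost < 10_000:
        return Classification.INTERNAL
    return Classification.CONFIDENTIAL


def choose_control(asset: InformationAsset) -> Control:
    """Items 2 and 3: the cheapest control adequate for the asset's classification."""
    needed = classify(asset.loss_cost)
    adequate = [c for c in CONTROLS if c.adequate_for >= needed]
    return min(adequate, key=lambda c: c.annual_cost)


def disposal_due(asset: InformationAsset, today: date) -> bool:
    """Item 4: once retention has run out the asset should be destroyed, not kept."""
    return today >= asset.created + timedelta(days=asset.retention_days)


def audit(asset: InformationAsset, current: Control, today: date) -> list[str]:
    """Compare where the information actually sits with where its value says it should."""
    findings = []
    needed = classify(asset.loss_cost)
    best = choose_control(asset)
    if current.adequate_for < needed:
        # The deeds are in the garden shed: inadequate for their value.
        findings.append(f"under-protected: {asset.name} ({needed.name}) is in '{current.name}'; "
                        f"move to '{best.name}'")
    elif current.annual_cost > best.annual_cost:
        # The mower is in the bank: adequate, but paying for protection the value does not justify.
        findings.append(f"over-protected: {asset.name} ({needed.name}) is in '{current.name}' at "
                        f"{current.annual_cost:.0f}/yr; '{best.name}' at {best.annual_cost:.0f}/yr would do")
    if disposal_due(asset, today):
        findings.append(f"retention expired: dispose of {asset.name} via {best.disposal}")
    return findings


if __name__ == "__main__":
    # Constructed sample assets, valued by their (hypothetical) owner.
    garden, shed, bank = CONTROLS
    mower = InformationAsset("mower", 1500.0, date(2023, 1, 1), 3650)
    deeds = InformationAsset("house deeds", 50000.0, date(2023, 1, 1), 3650)
    for asset, where in ((mower, bank), (deeds, shed)):
        for finding in audit(asset, where, date(2024, 1, 1)):
            print(finding)
```

The point of the `elif` branch is that adequacy alone is not the goal: a control that costs more per year than the loss it prevents is the safe deposit box for the mower, and the owner, not the IT administrator, is the only one who can supply the loss estimate that exposes it.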

This is, effectively, treating information in the same way as a physical asset, which leads me back to my acquaintance.

Information security does not start and end with IT experts; it starts with the information creator and owner and ends with the appropriate level of destruction. In between, the value of information should dictate the investment in protection—physical and electronic.

I am off to the bank to withdraw my mower, but first perhaps I need to take the lawn out of my garden shed.
