330
A Practical Guide to Security Assessments
9. Are any valuable paper documents in the facilities? If so, do electronic copies of the paper documents exist? What would be the impact to the business if the paper documents were either lost or destroyed?
Guidance:
Even with the increased use of technology, companies are still generating quite a bit of paper. There is a tendency to focus on securing electronic information rather than securing physical documents. Aside from the valuable and sensitive paper documents, employees are constantly printing e-mails and files that contain sensitive information. As a result, a slew of sensitive paper documents needs to be protected from unauthorized access. In doing this, the physical security of the facility where the document is stored is an important aspect to consider. For example, many executives are privy to some very sensitive information (e.g., company financial data, personnel records) that is in printed format. When performing an assessment, you should ensure that there are measures to protect both the confidentiality and availability of these paper documents. In regulated environments (health care — Health Insurance Portability and Accountability Act [HIPAA], financial services — Gramm–Leach–Bliley Act [GLBA], education — Family Educational Rights and Privacy Act [FERPA]) where companies have certain obligations to protect personally identifiable information, safeguarding paper documents is mandated and a failure to comply can result in financial penalties.
Risk:
Not applicable. The purpose of this question is to further understand the criticality and risk associated with physical security.
Client Response:
10. For any sensitive physical documents on site:
• How are they protected?
• What physical access measures have been taken to prevent unauthorized access to paper documents?
• Are sensitive paper documents shredded before they are thrown away?
• What would the impact be to the company if unauthorized individuals accessed these documents?
Guidance:
As stated previously, paper documents are often overlooked when talking about security. Many people have sensitive paper documents in their possession and do not adequately protect them. If you think about some of the traditional departments and the paper documents in their possession, you will realize that significant risks exist if these documents are lost or destroyed or if their confidentiality is compromised. Examples of departments and sensitive paper documents include:
• Finance: Financial data — For publicly traded companies, financial data should be accessed on a need-to-know basis.