Facility Security: Learning from the SCIFs
The government keeps some of the biggest secrets of all in the name of national security, and it protects them in areas called Sensitive Compartmented Information Facilities (SCIFs). Governmental dictates detail the physical requirements for SCIF construction:
Walls, floor and ceiling must be permanently constructed and attached;
Reinforced on the inside with steel plates, and slab-to-slab with expanded metal;
All doors, windows, walls, floors, vents and ducts must be protected by sound masking devices;
Entrance doors should be limited to one which must be equipped with locks and alarms and of specific thickness; and
The thought behind the SCIFs is to create a secure area with appropriate protections in place to ensure, to the greatest extent possible, that highly sensitive information inside would not be compromised. While it is unlikely that the cost-benefit calculation for a private sector organization would lead many businesses to build a facility meeting all the requirements of a government-mandated SCIF (such features can add hundreds of dollars per square foot of office space), there are lessons to be learned about secure facilities from the people who construct them according to the federal government’s strict specifications.
Companies in the pharmaceutical, medical device, and other industries where intellectual property is held at a premium could benefit from implementing some of these SCIF requirements. The key to determining what you need to keep your information safe is assessing what you need to protect. In a government-sponsored SCIF, the risk levels are codified with terms like Top Secret, Secret, and Confidential as the highest to lowest risk factor assessments. Each of these terms has a specific definition in government circles. For the purposes of the private sector, we can substitute business-critical terms when considering a secure facility. Private sector companies would be most likely to protect matters that include their intellectual property, mergers and acquisitions, or information that would give advantages to the competition. And since many global organizations today are just as large as many governments, the need for added layers of security becomes obvious.
Labeling sensitive information at your company will stem from a combination of your corporate goals and the need to comply with government regulations such as the Health Insurance Portability Act or the Trade Secrets Act. This discussion of sensitive information ties into a risk analysis of both the data sets you want to keep secure and the intellectual property you have in your company’s portfolio. Organizations with government contracts don’t have much choice when it comes to the information they protect: SCIF design specifications are spelled out for them. Private sector security executives and their business colleagues must make these assessments themselves. This means knowing how your facility and staff need to work so you can secure assets needing protection and be ready to do it for an extended period of time.
Some examples include:
Physical Security – Physical security is always the centerpiece of securing classified information, and security officials need to understand their building’s surroundings and environment. Firms need to review who is in their immediate surroundings, not just at the center of their office suite or headquarters. At a minimum, the secure portion of your facility should have one access point or door devoid of any gaps, and ductwork openings that are secure.
Information Security – Controlling electronic transmissions can be accomplished with shielding, filters, grounding and devices limiting radio frequency (RF) emissions. Shielding the walls of the SCIF with foil and other conductive materials will help ground electronic signals generated within the SCIF. Phones should have filters that prevent wiretapping, and encryption is vital.
Employee Security – Last but most important is the human factor. The best security systems in the world have been compromised by employees. A select number of designated employees should be assigned responsibility for certain facets of security such as inventory of data and documents. If employees violate policies and procedures, they must be held accountable. It is important to have an efficient way to identify employees who don’t follow security measures and resolve the situation immediately.
Even if your company doesn’t require a security clearance, you should know who has access to your data. And, of course, vetting everyone on the secure site through background checks is a must.
In this age of heightened security and increased industrial espionage, including some of the SCIF concepts within your own organization seems only prudent. With the proper planning and forethought, protecting your intellectual property based upon the SCIF principles can secure your company’s future prosperity and help avoid catastrophic data leaks.