Protecting Joe's Office

Joe's got a billion-dollar secret. How can he keep it safe from thieves, turncoats and spies? A picture's worth a thousand words...


READER FEEDBACK
Anonymous
Tue, 2008-07-22 13:29

There seems to be no attention to garden, building and lighting design to enhance physical security in the inevitable case of power failure or blind spots. The windows are probably not protected sufficiently against spying with the help of a telescope, a high resolution camera and proper imaging software.

George S
Wed, 2008-07-23 18:12

1. Hardened walls - interior and exterior
2. Multifactor authentication on doors
3. Roving physical security including security posts at any key points
4. Security sensor arrays in secure areas
5. Eliminate windows
6. Shield against inbound/outbound electromagnetic interference (EMI)
7. Secure power
8. Secure phones
9. Secure / filtered environmentals
10. Ingress/egress from cars via secured garage
11. Proximity sensors outside of building
12. Security details for key personnel
13. Security policies and procedures
14. Training on physical and logical information security
15. Logical information and physical security
16. Floor and roof sensors - pressure, proximity, fire, vibration, etc.
17. Secure servers - hardened OS and applications
18. Network security - firewalls, IDS/IDP, network behavior analysis, real-time monitoring by trained personnel
19. Secure storage with encrypted files and access controls
20. Secure backups - ideally offsite w/heavy AES encryption
21. Interior and exterior cameras set up with visible and infrared capabilities
22. Monitoring of security layers in a 24x7 manned security operations center (SOC)

Those are a few that pop to mind.

So.... how much do you want to spend? :-)

Bill Sewall
Wed, 2008-07-23 21:47

Lots of nice "stuff" listed. I can't argue with their value, except for one concern - it's all worthless if the people in the building don't take security seriously. I think we're placing too much emphasis in the wrong place.

Paul DeMatteis
Thu, 2008-07-24 13:05

I think this article was misleading, incorrect and damaging to both security professionals and businesses they protect. Joe should have listened to a security professional. His threat is economic espionage and he is spending multiple millions of dollars on partial counterterrorism mitigating controls.

The number of misleading statements and omissions are too numerous to address in detail. The fence can be easily compromised, the briefcase is ineffective 80s technology, TL-30 safes only provide a rating on the door, no RF protection and there is no home or transportation security for Joe.

Insiders (employees, vendors, consultants, grad students and/or outsourced functions) can be responsible for loss of this type of information. I see no controls aimed to protect against this sort of loss.

A C Suite executive reading this article might think that the K rated fence or bollard costing millions of dollars could mitigate information theft, which is certainly not the case.

I predict Joe loses his competitive edge and his company. His product surfaces in Asia in six months, and his business model for security becomes a future case study for ineffective security strategy. His losses are nearly $1 billion but it helps many other companies avoid the problems he suffered (priceless).

I make myself available to debate my point of view.

Paul DeMatteis, CPP, CFE
Senior Adviser on Corporate Security Programs
John Jay College of Criminal Justice

J. Oquendo
Fri, 2008-07-25 18:46

Secretary appears for work early one Monday, "gee you would think someone noticed they dropped this USB key on the floor, I'll insert it into my machine and see who it belongs to in order to return it to them."

In goes the USB switchblade (http://wiki.hak5.org/wiki//USB_Switchblade) and all your security measures shown here are worthless. Gone in under 60 seconds at the cost of a $10.00 USB key.

You can add all the security measures you can think of, Tempest Shielding to prevent Van Eck phreaking, eavesdropping, armed guards, biometrics out the wazoo, but humans, especially untrained individuals, will almost always be the greatest risk.

Office security is fine but what about the home user who is using a VPN to get into the office, what happens when I park in front of her house, compromise her WEP key, compromise her machine, then tunnel right in through her machine.

I could think of plenty of ways to defeat even a billion dollar system without spending more than the price of a couple of cups of coffee. How about details, there are always alternatives to defend against.

J. Oquendo
CEH, CHFI, CNDA, SGFA, SGFE

Audry Agle
Fri, 2008-08-22 16:36

This article served two purposes for the reader - it initiated thought about the physical controls in place in our work environments, and it illustrated some of the measures currently available.

For those of us in Information Security departments, facility security is often excluded from our direct accountability, and only peripherally under our influence. This article illustrates that information protection programs must encompass not just policy, process, awareness, and logical controls but physical controls as well. For some businesses, the measures presented here are over-the-top, for others they aren't enough....but the point here is that if facility security isn't in line with your organization's risk profile, your ability to secure your information is severely handicapped.

Thanks for the interesting and enjoyable read.
