
Friday, September 2, 2011

A Security Audit OF a Locksmith, Round One

Commercial locksmiths love when a bank or some other institution has a security audit since it often gets the shop work.  You get work right after the audit and sometimes in the week just before the next audit.  I also know the auditors find all kinds of accounting and personnel procedures to change as well but that does not get us work.  In all this, I was wondering if anybody with serious security concerns was looking a bit deeper.  With that in mind, I have written a series of questions to audit the locksmith since the security of the end user is partly dependent on the diligence of the locksmith shop.  There are occasional robberies of shops after all.

I am not making any comment on any of the shops I know.  Also, I am trying to strive for best practice at all times.  However, answers need to be realistic in the real world we all work.  I have chosen to toss out the questions first and invite anybody to add others for later revisions.  After the questions, I will give my thoughts on what is best practice for each item.  I fully expect 'not applicable' will be the correct reply for some shops to many of the questions.

Yikes, did I ever open a bucket of worms.  I keep finding questions about areas of vulnerability.  I am tossing these out now hoping I get some ideas of other questions to ask.  I still have a page of questions on staffing I have not typed.


Physical Security

(This set of questions should be answered for each building used by the locksmith where it has multiple locations.)

Does the shop have high security locks on all exterior doors?  Do all exterior doors have deadbolts with 1 inch or 2.5 cm of throw? Are astragals or blockers in place if appropriate? Do cylinders have taper rings to limit extraction? Are all doors code compliant as emergency exits?

Are the exterior doors of good enough construction to resist some physical attack?

Would broken glass in the door or sidelight be an effective way to open any door?  Are all such glass surfaces coated in security films?  Does breaking glass trigger an alarm?

Are records kept in an interior locked room also with a high security key?  After hours, would an alarm condition exist before an intruder reaches this room?

Does the alarm system have contacts on all doors and openable windows?  Does it have motion sensors to cover all interior space?  Is the alarm monitored?  Does the alarm have battery and cell phone backup?  Is the cell phone backup guarded against a fast disable?

Does the shop have interior space monitored by cameras?  Do the cameras have IR ability?  Where does the signal feed?  Backup?  Offsite backup?  How long are the files or video tapes kept?  Are the records secured from tampering?

Are any exterior walls vulnerable to a mining attack from outside or an adjacent building? Are all places directly inside under a motion sensor?  How far could an intruder move before tripping a double hit on the alarm?

Record Keeping

Are files with master and restricted keying records kept locked in a cabinet or safe when the business is closed?  Give the rating of this cabinet or safe.

During business hours, are they also secured from non-cleared staff? 

Is there any leakage of key codes or other sensitive security information into the accounting stream?

Are ready-to-use keys kept in the files associated with the building they operate? 

Is any kind of encoding used on key records sent with staff outside the building?  Are keys tagged with the function and location?

How long are dormant files kept after the last work done in a location?  Is the building or operation notified of their destruction?

Who owns the keying record of the building and how do you make this clear to the end user who buys a master key system?  Is the end user given a choice??

(Whole page of questions pending.)


Are old master keys decoded before planning new systems?  Is this done in a way you can reasonably know all the old keys are retired?

Are all keys shipped to the end user with standard codes?  Could they be shipped without code if asked or fully blind codes??

Do you keep off site records of all the key system files you have on record?

What computer systems exist connected to the internet?  If a trojan was ever installed what kinds of data could leak?
___ keying charts  ___ client names ___ financials  __ emails  ___ quotes
___ others, specify __________________________________

Of computers not connected to the internet, are they systematically backed up?  Are the systems checked for viruses from sources like CDs and USB sticks?  Is data stored overnight as encrypted files?  Good encryption??

Are all laptops in use at the site equipped with recovery software?  Do they encrypt key data?  Will it erase if a brute force attack is tried?

Are all passwords strong on all critical systems?  No really … how strong are they?   Are they written on paper but only in a safe?

Get back to me with more good questions you think would help this topic along.

--- --- --- --- ---
The contents of this post are released for non-profit or educational use in whole or in part provided this statement and the attribution below are kept attached.

Laux Myth ... Thoughts From a Locksmith
By MartinB, Found @
