Advo Inc.

: Integrating IT
and Physical Security
Group 4 - Hackers
Chakka
Deepti
Santhosh
Shiyamraj
Preeti
Rahul
Vijayashree
Vineeth

Advo - Background
One of the largest providers of mail advertising in US
About 3900 employees working in 21 facilities
Over 25000 clients and distributes advertisements to
130M household addresses and 12.6M business
addresses in US and Canada
Largest commercial user of USPS

Security before Sept 11, 2001

Security was given least priority
No predefined security policies or procedures
No background checks on the temporary employees before they
hired
Poor outdoor lighting and fencing
Minimal security during business hours
No surveillance cameras or alarms
No control over visitors
Nomailing room
Sensitive documents were discarded
Keys to doors were not carefully controlled
Business continuity plan or disaster recovery were
undocumented

Contd..
The security around Advos applications and
database was strong.
Advo entered a 10 year agreement with IBM global
services to provide computer processing systems
development and systems legacy support
The security services included in the agreement were
Real time system monitoring
Intrusion, detection and prevention
incident management

Terrorist and Bio terrorist related attacksSept 11, 2001

CEO and several senior level managers from the
companies operating committee were in NY
during attack
The terrorist attacks elevated the importance of
security within Advo and physical security got
highest priority
Reaction
Wackenhut corp was hired to provide uniformed
security officers at all facilities and HQ 24 hrs a
day, seven days a week

Two weeks later

The first bio terrorist related Anthrax attack occurred in US
Number of USPS employees died after handling mails
infected with Anthrax spores
Out of fear, many people refused to open their mail which in
turn could lead to the end of Advo
There were also a fear in the company that Anthrax spores
could spread to Advos own facilities as the USPS provided
them with equipment
Response
Cleaning process was established
All equipment fro the USPS were cleaned in a nearby facility

Strengthening Security
Senior VP of Security management was appointed
Kroll Inc and E&Y were hired to do risk analysis of Physical and
IT security respectively
Each facility had a lead security officer assisted by three
security associates
Tour management system from Tiscor was implemented. Palm
Pilot was used by security associates to scan pre established
inspection points
Outdoor lighting was improved, fencing was installed and mail
room was created
Visitors was no longer allowed to walk freely, they were made to
wear a visitors badge and sign a log
All facilities were audited twice a year to ensure the security by
security manager

Security measures 2004 and SCC

In 2004, a security management system was implemented to
connect all facilities to Security Control Centre at HQ and SCC
requires not more than 2 employees at a time
SCC is responsible for Employees Identification badges, Visitor
controls, Parking permits, Security tour controls, Alarm system,
Security cameras and support measures
Data centres provide Internet connectivity, email
communication and other non critical applications
User authentication was established by means of password entry
during login
Antivirus program was automatically updated
Tools were used to filter internet data, track employee internet
usage, block unwanted websites and provide data about systems
infected with spyware

Security Audits
In 2004, security managers conducted a security audit in HQ and 21 mailing
facilities. The audit covered 21 key areas.

Access control
Bomb threats
Cleaning of equipment
Dark hours
Emergency action plans
Fencing
Identification badges
Key control
Laptop security
Lighting
Locking devices

Mail room
Parking control
Pre-employment screening
Record access and retention
Security camera
Security incident reporting
Utility security
Workplace violence
Tour management system
Security officers and
technicians

Final Comments
Audits are conducting every six months
Successful transformation was because of three factors
Top management attention remained focused on the
need of stronger security
Two security directors hired director of IT security and
enterprise architecture and the director of corporate
security who report directly to top management
IT and Physical security are not treated as separate
entities but interconnected components

Integrated security management system has allowed

Advo to achieve greater level of security

Questions
Traditionally, managing IT security and physical security have
been treated as two separate domains. Why should they be
integrated?
Why is top managements awareness and support essential for
establishing and maintaining security?
Why should those responsible for leading the organizations
security efforts be placed high in the organizational chart?
The first decision made by Advos top management in the
aftermath of the 9/11 attacks was to improve physical security.
Why was attention focused on this particular aspect of security?
What are the advantages and disadvantages of using
consultants and third-party organizations to provide securityrelated services? What reasons would a company have for
hiring consultants to provide guidance for its security efforts?

Contd..
Why is it a good security practice to have few visitors in a reception
area?
Identify the security risks involved in allowing networked systems to
be used by large numbers of temporary employees who do not need to
log in. What password guidelines should be implemented for stronger
user authentication?
How far away should a backup site be located from company
headquarters? What factors should be considered in determining the
location of a backup site?
Advo believes that frequent audits help to ingrain a security mindset
among the companys employees. What other benefits are there to
performing frequent security audits?
The vendor of Advos security management system is Software House.
Research the role of Software House in the Open Security Exchange
(OSE). What is the purpose of the OSE?