Case Study: Mohegan Sun and the Future of Data Security
Page 3 of 4: Ahead of the Game
Not every company can claim the kind of inborn security culture found at Mohegan Sun. But a lot of companies are moving in that general direction, says Ted DeZabala, a principal in Deloitte & Touche's enterprise risk services group. Businesses are spending more time thinking about the physical control of information, and about the way information moves in and out of their organizations. "I don't want to say it's an obsession, but this is on the minds of very senior people," DeZabala says. Some organizations are even discussing combining the top-level jobs of information security and physical security officers, although that idea has yet to gain much traction.
As applied to information systems, physical security has traditionally been seen in terms of basic measures to forestall malicious behavior, and disaster-preparedness for events like floods or hurricanes. Now, however, increasing attention is being paid to the tangible aspects of data security that go deeper into the work process, such as software that can tie information logged from sources such as ID badges (say, a worker's presence in a building) to things like PC or network log-in status. "If your ID shows you've left the building, but your computer is still turned on, the system can put those things together and log you out," says DeZabala. "Or if a person is not in the building, but their account has been logged into, it could be a security breach, and the software will notify the appropriate people."
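The two correlations DeZabala describes can be sketched as follows. This is an added example, not code from the article or from any product it mentions; the event format, user names and finding labels are assumptions.

```python
from datetime import datetime

# Constructed sample events (not from the article): (time, user, source, action).
# "badge" events come from door readers, "host" events from PC/network log-ins.
EVENTS = [
    ("2024-03-04T08:58", "akim",  "badge", "in"),
    ("2024-03-04T09:02", "akim",  "host",  "login"),
    ("2024-03-04T09:10", "bross", "host",  "login"),   # never badged in
    ("2024-03-04T12:31", "akim",  "badge", "out"),     # session still open
    ("2024-03-04T13:05", "akim",  "badge", "in"),
    ("2024-03-04T13:07", "akim",  "host",  "login"),
    ("2024-03-04T17:30", "akim",  "host",  "logout"),
    ("2024-03-04T17:34", "akim",  "badge", "out"),     # clean exit, no finding
]

def correlate(events):
    """Return (time, user, finding) tuples for the two cases in the quote."""
    in_building = set()   # users whose last badge event was "in"
    logged_in = set()     # users with an open session
    findings = []
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e[0]))
    for ts, user, source, action in ordered:
        if source == "badge" and action == "in":
            in_building.add(user)
        elif source == "badge" and action == "out":
            in_building.discard(user)
            if user in logged_in:
                # Left the building with the computer still logged in.
                findings.append((ts, user, "force_logout"))
                logged_in.discard(user)
        elif source == "host" and action == "login":
            logged_in.add(user)
            if user not in in_building:
                # Account in use while the badge system says the person is absent.
                findings.append((ts, user, "notify_security"))
        elif source == "host" and action == "logout":
            logged_in.discard(user)
    return findings

if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(*finding)
```

The result is only as reliable as the badge data: people who follow a colleague through a door without badging, or who log in remotely by design, will show up as findings unless those cases are handled separately.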
But truly changing the organizational mindset will take some work. "We see companies spending a fair amount of energy on training as employees become aware of being monitored, or they have to go through more sequences to get to information they have accessed in the past," says DeZabala. "Companies need to communicate and tell people why it's happening."
At Mohegan Sun, that mindset is already pervasive. "A strong security culture is at the soul of what we do," says Todd Carden, a Traveler's Life & Annuity veteran who joined Garrow's team as information security manager about a year ago. "It's easy to link security to the physical processes, because it's all related to money. Any time we deal with client-related information, employees understand the importance of privacy and security," adds Carden. "It's easy to understand why someone who drops a lot of money would want only the appropriate people to see their records."
That widespread grasp of the core business value of privacy, he says, makes it easier for different groups within Mohegan Sun to identify gaps in security and cooperate on fixing them. For example, he was able to use a human-resources database to create a record of employees who leave the organization, and to share it with the physical security staff. The casino has now implemented processes that can terminate both physical and electronic access to its facilities and networks at the same time.