By Drew Rothstein, Head of Engineering
The purpose of this post is to share how we built and evolved the physical safety & security standards we set for our team, and some of the details of what went into them. We wrote it because, when we went looking, we could not find reasonable resources that covered team members' homes rather than offices. Some of this may exist in obscurity, or may simply not be defined for most organizations. Most of the available information covers the technology and hardware we work on (company laptops, phones, et cetera) and the protection of offices (NIST SP 800-171, ISO 27001, et cetera), which makes sense, but it leaves the home out.
Like many Bay Area-founded companies, during the COVID-19 pandemic we saw our team begin to move and spread out across the globe, and we also started to hire more globally. As the team spread out and some folks moved out of metropolitan cities, their safety and security profiles changed. Living in a large apartment complex in mid-Market San Francisco is quite different from living in a single family home in the suburbs, both for the individual and for how we thought about setting a standard.
Our digital assets are well protected by industry-leading cold storage solutions, but in today's remote world we share a challenge with technology companies in general: more laptops in more places. One may argue that the distinction between a crypto company and any other company will keep fading, but an explicit focus on crypto motivates some attackers, physical or otherwise, more than others (example).
As a team we started to discuss what mattered to us individually and to our families. All of the expected items came up: an alarm system, cameras, a safe, etc. Then some safety-related items came up: smoke alarms, knowing your neighbors, having local hospital names and numbers readily available. We quickly realized that the "security framework" we were initially drafting was actually a safety & security framework.
We discussed hiring external firms to audit each of our residences and practices. We called a few and got some idea of what they could do and what it would cost, and this quickly became untenable:
- We were in too many disparate locations. Some were willing to fly around but this seemed a bit much both for us and for them.
- They were overkill, and the recommendations we would receive would not match the action people could realistically take. These firms focus on extremely high net-worth individuals, which is not what we were trying to set a standard for.
We decided a self-assessment was best. It gives everyone the flexibility to complete it on their own time, avoids inviting strangers who just got off a flight into people's homes (at least until remediation), and forces us to flesh out what we believe is most important.
If folks wanted or needed to operate above the standard we set, we happily encouraged it, but this was much more about setting a known baseline that we could build on over time.
We put together two primary categories for evaluating safety:
- Surroundings
- Premise
In the Surroundings category we captured everything off the property that we felt was reasonable and actionable: neighbor contact information, a regular touch point with neighbors, emergency contacts, local hospital information, etc.
In the Premise category: smoke and carbon monoxide detectors, fire extinguishers, emergency ladders, family meeting points, etc.
We put together three primary categories for evaluating security:
- Alarm
- Cameras
- Safe
In the Alarm category we set standards on entry sensors, glass break sensors, notifications, monitoring, etc.
In the Cameras category we set standards on which doors and entryways need cameras, ISP configuration, UPS configuration, recording duration, archival availability, etc.
In the Safe category we set standards on fire ratings, weight, location, locking mechanisms, and when and how the safe is used, etc.
Hardware / Service Recommendations
As we put together the assessment it became apparent that many folks just wanted a list of things to buy and install, and did not want to do the in-depth research themselves. Knowing that the Amerex B500 is the fire extinguisher trusted by many fire departments (the brand more than the specific model) is not something everyone wanted to spend time and energy researching.
We provided a list of recommendations for purchase in every category.
For every category we asked everyone to give themselves a Meets Bar or Does Not Meet Bar rating and to add any applicable notes, usually a remediation timeline. We found that most folks did not meet several of the standards and needed to remediate.
This established the minimum standard and expectation and let folks track their status over time. Engineers, Product Managers, and many people in software development generally appreciate checklists and tracking progress over time (as long as it isn't in Jira).
We were explicit that all remediation could be expensed. This removed one excuse not to remediate and encouraged everyone to take advantage of the offer.
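To make the Meets Bar / Does Not Meet Bar tracking concrete, here is a small tracker written for this post as an added example. It is not the author's or the company's tool; the items, dates and notes are constructed placeholders, and the category names follow the ones listed above. It flags gaps that have no remediation timeline and gaps whose timeline has passed, which is the check a team lead wants when reviewing self-assessments.

```python
"""Tracker for a home safety & security self-assessment (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

MEETS = "Meets Bar"
DOES_NOT_MEET = "Does Not Meet Bar"

# Hypothetical review date used by the sample below.
AS_OF = date(2023, 3, 1)


@dataclass
class Item:
    area: str                       # "safety" or "security"
    category: str                   # Surroundings, Premise, Alarm, Cameras, Safe
    control: str                    # the standard being self-assessed
    status: str                     # MEETS or DOES_NOT_MEET
    notes: str = ""
    remediate_by: Optional[date] = None  # remediation timeline, if a gap


# Constructed sample self-assessment; not real data from any team member.
SAMPLE = [
    Item("safety", "Surroundings", "Neighbor contact information recorded", MEETS),
    Item("safety", "Premise", "Smoke and CO detectors on every floor", DOES_NOT_MEET,
         "CO detector missing upstairs", date(2023, 3, 15)),
    Item("safety", "Premise", "Fire extinguisher in kitchen", MEETS),
    Item("security", "Alarm", "Entry sensors on all exterior doors", DOES_NOT_MEET,
         "Garage side door unsensored", date(2023, 2, 1)),
    Item("security", "Cameras", "Camera recording on UPS", DOES_NOT_MEET),
    Item("security", "Safe", "Safe bolted down", MEETS),
]


def validate(items):
    """Problems a reviewer should bounce back: unknown status, or a gap with no timeline."""
    problems = []
    for it in items:
        if it.status not in (MEETS, DOES_NOT_MEET):
            problems.append(f"{it.control}: unknown status {it.status!r}")
        elif it.status == DOES_NOT_MEET and it.remediate_by is None:
            problems.append(f"{it.control}: gap without remediation date")
    return problems


def gaps(items):
    """Every control rated Does Not Meet Bar."""
    return [it for it in items if it.status == DOES_NOT_MEET]


def overdue(items, today):
    """Gaps whose remediation date is already in the past."""
    return [it for it in gaps(items)
            if it.remediate_by is not None and it.remediate_by < today]


def summary(items, today):
    """Per (area, category) counts of met controls, gaps, and overdue gaps."""
    out = {}
    for it in items:
        row = out.setdefault((it.area, it.category), {"met": 0, "gaps": 0, "overdue": 0})
        if it.status == MEETS:
            row["met"] += 1
        else:
            row["gaps"] += 1
            if it.remediate_by is not None and it.remediate_by < today:
                row["overdue"] += 1
    return out


def report(items, today):
    """Human-readable roll-up suitable for a periodic check-in."""
    lines = [f"Self-assessment as of {today.isoformat()}"]
    for (area, cat), row in sorted(summary(items, today).items()):
        lines.append(f"  {area}/{cat}: {row['met']} meet bar, "
                     f"{row['gaps']} gaps ({row['overdue']} overdue)")
    for problem in validate(items):
        lines.append(f"  ! {problem}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE, AS_OF))
```

Re-running `report` with a later `today` is what turns a one-time checklist into something tracked over time: the overdue count grows until the gap is closed, and a gap with no date never silently disappears because `validate` keeps flagging it.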
We would love to see something like this open sourced and built upon, with different levels and recommendations tied to those levels. We considered open sourcing what we have put together in full, but we don't believe it has been evaluated or tested well enough yet to benefit the crypto community (and others). There are also legal implications we would need to work through, since this concerns physical rather than digital security.
Publishing it may also over-expose us (and others) to additional attacks if attackers know which cameras we recommend, how our alarm systems are configured, which safes we suggest, etc. I'd love to see and understand ways this could be made more open, potentially as part of a larger framework, without exposing us or anyone else to additional risk.
If there are resources we missed during our research, we would love pointers to them and would potentially like to collaborate on them.
An open set of questions:
- What has your team / company done in this space?
- Did you develop your own set of standards and ask folks to self-assess?
- Did you hire firms? How did that work out?
We would be curious to know more.
If you are interested in this and similar challenges: we are building a team in Austin focused solely on security tooling and security operations, and globally we are hiring for a variety of positions and teams. If you would like to chat with us, you can reach out here: https://boards.greenhouse.io/cryptolabs.