Managing Compliance Through Physical Identity and Access Management

Date: Thursday, December 30, 2010

The turn of events at the beginning of this millennium will be etched in the memory of global security practitioners for the next few decades. While 9/11 ushered in a spate of changes in physical security management at government institutions and airports, it has also prompted businesses to assess their own risk exposure as they operate multiple locations spread throughout the world.

Internal threats such as employee pilferage and collusion pose an even greater threat for corporate entities, educational institutions and other non-government entities, creating new elements of cost and risk.

For organizations in today’s global economy, compliance has become much more than a simple buzzword; it has become a way of life.

Regulations such as Sarbanes-Oxley (SOX), ISO 27000, NERC/FERC, CFATS, GLBA, SAS 70, Basel II, U.S. government-mandated FIPS-201/HSPD-12 and numerous international and EU privacy laws have all driven the need to regularly enforce strict governance in financial reporting and security controls, across both physical and IT infrastructures.

To compound these challenges, many physical security policies and various administrative tasks are executed manually by the security staff, resulting in costly, error-prone data entry that produces duplicate and erroneous identity information within the system.

As most security processes are manual, security practitioners often need to spend additional effort to ensure that compliance-related controls are operating effectively. They are also expected to prepare reports asserting their compliance. All of this effort may be wasted if, due to some oversight, compliance exceptions are reported by third-party agencies. These exceptions can not only result in fines and penalties for the organization but can also dent the organization’s reputation.

Today, there are few means by which to ensure that compliance-related exceptions are not allowed in the first place. Off-boarding is a manual process, which means that an employee can still have physical access even after their logical access has been terminated. Any delay in removing physical access for a terminated employee can lead to compliance exceptions. Similarly, access management is a manual process that is error-prone and can lead to compliance violations.

In this environment, physical security practitioners need a centralized and streamlined approach to managing compliance and risk—on a more holistic level—to assess and deal with risk in a more proactive and corporate-wide fashion and meet governing, organizational and industry regulations.

The SAFE Approach to Managing Compliance and Risk
One thing is certain: the traditional way of solving physical security problems simply will not suffice. Additional hardware, standalone software solutions and adding more manpower will only compound the issue.

These challenges can be addressed by a unified approach towards physical security management using policy-driven software that can seamlessly manage identities, their physical access, and their correlation with physical security events in a multi-stakeholder environment while providing real-time compliance.

Using a unified approach involves centrally managing the following aspects of physical security:
- Identities through the various stages of their lifecycle, including on-/off-boarding, access provisioning and badging
- Integrations with all types of external systems (logical and physical) to ensure one identity definition
- Policies, which are rules governing the relationships of identities across different systems, with different stakeholders (such as IT, facilities and physical security) and with physical security events
- Compliance and reporting as it relates to physical security

Specifically related to compliance, this unified approach should allow security practitioners to enforce governance across diverse systems, and to create a transparent, traceable, and repeatable real-time unified compliance process. The solution should allow users to centrally define controls as per external regulations and internal policies. It should subsequently automate the measurement, remediation and reporting actions against these controls.

At Quantum Secure, we have created the industry’s first and most comprehensive physical security management software: the SAFE suite. SAFE is designed to connect disparate physical security and IT and operational systems, automate manual security processes and reduce both costs and risks.

Quantum Secure SAFE Compliance and Risk Management solutions allow security practitioners to enforce governance across diverse and disjointed physical access control systems (PACS), creating a transparent, traceable and repeatable real-time global compliance process.

SAFE Compliance and Risk Management solutions provide a comprehensive range of functions across the entire lifecycle of internal policies and external regulations, including:
- Centrally managing all regulations and associated controls, and automating assessment, remediation and reporting according to the defined review cycle
- Defining, auditing and enforcing Segregation of Duty (SOD) policies across your physical security infrastructure
- Enabling physical security change management based on regulatory policies
- Automatically triggering compliance-based actions based on physical access events
- Managing infractions/violations and rule-based generation of actions/penalties
- Managing an internal watch list of identities who pose a threat to the organization, along with their risk profile and historical details

Detailed reporting and risk analysis
SAFE Compliance and Risk Management solutions allow organizations to automate compliance initiatives in real time. By quickly identifying and mitigating compliance concerns — such as ensuring that cardholder access is driven by policy, that change history is always available and dormant/orphaned accounts are reliably deactivated — physical security practitioners can create a robust security infrastructure that keeps pace with today’s ever-increasing compliance regulations.
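One way to detect the exceptions described above (terminated identities that still hold physical access, orphaned and dormant badges, and segregation-of-duty conflicts) is a periodic reconciliation of the HR/identity feed against physical access control system (PACS) cardholder records. This is an added example, not Quantum Secure's or SAFE's code; the HR feed, badge records, area names and SOD rule are all constructed.

```python
from datetime import date

# Constructed HR/identity feed: identity id -> (status, termination date)
HR_FEED = {
    "E1001": ("active", None),
    "E1002": ("terminated", date(2010, 12, 1)),
    "E1003": ("active", None),
    "C2001": ("terminated", date(2010, 12, 28)),
}

# Constructed PACS cardholder records: one badge per record
PACS_BADGES = [
    {"badge": "B-1", "identity": "E1001", "active": True,
     "areas": {"Lobby", "DataCenter"}, "last_use": date(2010, 12, 29)},
    {"badge": "B-2", "identity": "E1002", "active": True,
     "areas": {"Lobby"}, "last_use": date(2010, 11, 30)},
    {"badge": "B-3", "identity": "E1003", "active": True,
     "areas": {"Lobby", "Vault", "VaultAudit"}, "last_use": date(2010, 9, 1)},
    {"badge": "B-4", "identity": "X9999", "active": True,
     "areas": {"Lobby"}, "last_use": date(2010, 12, 20)},
]

# Constructed SOD rule: no single identity may hold both of these areas
SOD_CONFLICTS = [frozenset({"Vault", "VaultAudit"})]

TODAY = date(2010, 12, 30)   # assessment date for the sample run
GRACE_DAYS = 1               # off-boarding SLA: badge disabled within a day
DORMANT_DAYS = 60            # badges unused this long are treated as dormant


def reconcile(hr, badges, today, grace=GRACE_DAYS, dormant=DORMANT_DAYS):
    """Return (badge, exception_type) tuples for every active badge that
    violates the off-boarding, orphan, dormancy or SOD control."""
    findings = []
    for b in badges:
        if not b["active"]:
            continue                                   # already off-boarded
        rec = hr.get(b["identity"])
        if rec is None:
            findings.append((b["badge"], "orphaned"))  # no owning identity
        elif rec[0] == "terminated" and (today - rec[1]).days > grace:
            findings.append((b["badge"], "terminated_with_access"))
        if (today - b["last_use"]).days > dormant:
            findings.append((b["badge"], "dormant"))
        for pair in SOD_CONFLICTS:
            if pair <= b["areas"]:                     # holds both areas
                findings.append((b["badge"], "sod_violation"))
    return findings


if __name__ == "__main__":
    for badge, kind in reconcile(HR_FEED, PACS_BADGES, TODAY):
        print(f"{badge}: {kind}")
```

In a real deployment the findings would feed the remediation step (badge deactivation or a ticket) and the review-cycle report, rather than being printed.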
Additionally, SAFE Compliance and Risk Management solutions can enable security practitioners to define both traditional and electronic correspondence (letters, emails, faxes, etc.) to be distributed by policies, process workflows and access events. For example, if a manual signature is needed to satisfy internal governance or external reporting regulations, that signature may be easily captured as part of the automated process.

If infractions occur against pre-defined policies, SAFE Compliance and Risk Management solutions provide the capability for an organization to log any type of security policy infraction against managed identities, triggering notifications or automating access privilege changes. This level of automation is especially important with regards to internal governance, as many organizations need to enforce global policies across a diverse employee, contractor and vendor base.
SAFE Compliance and Risk Management solutions also include customized assessment reports, whereby deviations from deployed policies can be reported across global locations to a single Web console. Additionally, daily, weekly and monthly operational reports can be automatically generated and sent to the respective individuals within the organization, providing security practitioners with the information needed to optimize staffing, budgeting and other related resources.

Smarter Compliance Control With a Very Clear ROI
SAFE makes physical security compliance a real-time, repeatable, sustainable and cost-effective process. Since it eliminates manual compliance initiatives, it helps organizations avoid any penalties and ensures that the organization does not face any embarrassment because of compliance exceptions.
As a software-based solution for Physical Identity & Access Management, SAFE also enables the physical security department to ensure a more secure and risk-free workplace. Automating policies using SAFE eliminates human-led errors and delays. Dashboards showing consolidated and correlated events reduce response time and improve the quality of response from security staff. SAFE delivers security practitioners unprecedented control over a scattered infrastructure, creating real-time benefits for the entire organization and a measurable ROI.

Ajay Jain
The author is President and CEO of Quantum Secure.