The need for regulatory compliance is impacting the practice of security more than ever before. The ongoing development of new laws and standards requires security directors to maintain a high level of education and knowledge simply to remain ahead of the curve and in full compliance. As many of these laws and standards relate to comprehensive monitoring and management of employee and visitor identities, along with control of access to critical areas, physical identity and access management (PIAM) is an important step in assuring compliance.
Each industry has its own list of rules and regulations, often represented by an alphabet soup of acronyms. Here we decode some of the most common acronyms, and provide a brief explanation for each of how PIAM addresses some of their requirements.
Healthcare
HIPAA – Health Insurance Portability and Accountability Act
Among other topics, Title II of the Act defines policies, procedures and guidelines for maintaining the privacy and security of individually identifiable health information. These rules apply to "covered entities" as defined by HIPAA and the HHS and include health plans, healthcare clearinghouses, such as billing services and community health information systems, and healthcare providers that transmit healthcare data in a way that is regulated by HIPAA.
How PIAM can help: With PIAM, the user defines who has access where and when and to what information based on their roles. Each identity — doctor, contractor, administrator, visitor, patient etc. — has access only to what policy dictates. If a role or policy changes, that alteration triggers an automatic, complementary revision in other sets. Once the policies and workflows have been created, PIAM software’s integrated monitoring and reporting features provide auto-remediation of compliance anomalies and reporting to enforce and maintain compliance. In the event of suspicious activity, identities can be easily tracked or trigger/alerts can be created.
Energy
NERC – North American Electric Reliability Corporation
CIP – Critical Infrastructure Protection, a sub-set of NERC
Formed in 2006 as the successor to the North American Electric Reliability Council, NERC is a nonprofit, self-regulatory organization. Its standards are mandatory and enforceable throughout the United States and several Canadian provinces. NERC’s major responsibilities include working with all stakeholders to develop standards for power system operation, monitoring and enforcing compliance with those standards, assessing resource adequacy, and providing educational and training resources as part of an accreditation program to ensure power system operators remain qualified and proficient.
How PIAM can help: PIAM enables compliance with the three enforceable NERC-CIP cyber-security standards to help organizations perform a wide range of required activities related to identity and access management, and avoid significant fines. For example, regulations require all operational and procedural controls to manage physical access at all perimeter access points to be documented 24/7, including for all authentication devices. Complex tasks like this are an essential element of a PIAM system.
Banking/Finance
FDIC – Federal Deposit Insurance Corporation.
This body is responsible for overseeing insured financial institution adherence to reporting requirements which are required by statute. All regulated financial institutions in the United States are required to file periodic financial and other information with their respective regulators and other parties.
How PIAM can help: Because PIAM software is designed for policy- and rules-based processes, instructions can be written in the system to automatically perform a required process such as a background check on identities at specific intervals. Another or accompanying policy can be written to perform background checks more frequently for contractors or temporary employees. Automatic alerts can be created if there is a change in status when a background check is performed.
FFIEC – Federal Financial Institutions Examination Council
This inter-agency body of the U.S. government is empowered to prescribe uniform principles, standards and report forms for federal examination of financial institutions by various government agencies.
How PIAM can help: PIAM is ideal for setting role-based access; access authorization for secured areas is efficiently controlled with software. Authorized approvers/signatories are appointed and per the policy set forth in the policy engine, only those authorized identities will have access to areas for which they have been provisioned. When access is required, the authorized signatory is alerted via an automated process and they are required to approve (or deny) the request in a web-based portal before access is allowed. The automatically documented processes can be used for attestation reports which verify who approved access to what doors over any duration of time.
SAS 70 – Statement on Auditing Standards No. 70, Service Organizations
This is a widely recognized auditing standard of control objectives and control activities developed by the American Institute of Certified Public Accountants (AICPA).
How PIAM can help: PIAM addresses the provisioning, audit and reporting, and off-boarding processes. When provisioned, the system can automatically generate reports of who visited, who approved the visit, duration and where in the facility the visitors had access.
BASEL III – Third Basel Accord
This is a global voluntary standard regarding bank capital adequacy, stress testing and market liquidity risk developed by the Basel Committee on Banking Supervision.
How PIAM can help: PIAM enables convergence between physical and logical security systems in order to provide security intelligence and analytic data from a variety of sources. It facilitates the necessary checks used to measure liquidity risk exposure by pulling reports at pre-determined intervals. PIAM software also streamlines monitoring processes by having all policies reside in the system.
SOX 302 (a) (4) (C) (D) – Sarbanes-Oxley Act, Sections 302 and 404
This regards corporate responsibility for financial reports and laying the foundation for IT to enable SOX compliance.
How PIAM can help: With PIAM, the user can audit and report activity pertaining to identities within the organization. System reports identify individual’s activities such as who is where, accessing what, for what period of time or any changes to established policy rules. PIAM software can create alerts when policy- or rules-based criteria are not met. Audit reports can be generated on an as-needed basis or at specific intervals.
Government
HSPD-12 – Homeland Security Presidential Directive 12
FIPS 201 – Federal Information Processing Standard, publication 201
HSPD-12 was issued in 2004, and FIPS 201 was issued in response to HSPD-12 in 2005. HSPD-12 calls for a government-wide standard for secure and reliable forms of ID issued by the federal government to its employees and to employees of federal contractors for access to federally-controlled facilities and networks. This directive led to the development of a Federal personal identification verification (PIV) system. This standard is issued by the United States federal government and specifies Personal Identity Verification (PIV) requirements for federal employees and contractors.
How PIAM can help: PIAM addresses management of all forms of identity badges and any assets or authentication rights, including PIV smart cards which enable government employees to move between facilities and ensure that they are recognized across agencies.
FICAM – Federal Identity, Credential and Access Management
The FICAM Roadmap and Implementation Guidance version 2, completed in 2012, sometimes referred to as Federal ICAM provides agencies with architecture and implementation guidance to modernize, streamline and automate privilege management as it relates to both logical and physical access and ensure that the PIV and PIV-I cards are provisioned and managed securely throughout the lifecycle of the card holder.
How PIAM can help: PIAM software can help address compliance with rigorous physical identity management requirements of high-security government buildings across a disparate infrastructure of security systems.
OMB M-11-11 requires that an agency’s existing logical access control systems be upgraded to align with the FICAM Guidelines for PIV usage, and validate and use PIV cards issued outside a given agency.
How PIAM can help: To address these three requirements, PIAM software provides processes to manage the intersection of digital identities, various credentials and physical identities into a comprehensive policy-based management approach. It streamlines and consolidates disparate systems into a single and centralized FICAM-aligned, integrated and auditable system. Software provides a one-step policy-based approach to manage and enroll PIV cardholders, including biometric/biographic data capture from the PIV card, into various physical access control systems (PACS). Lifecycle management of the PIV card in PACS including activation, status inquiry, lost/stolen cards, provisioning and revocation, expiration and so on can all be managed centrally.
Moreover PIAM is the missing ingredient in legacy federal PACS systems, which connect the authoritative and trusted data sources for identities and PIV attribute to PACS to ensure security and achieve the target state for a modernized physical security system.
PIAM software can also analyze risk and compile key data across the physical security infrastructure. Integrated infraction management can automatically trigger notifications and/or change access privileges. The software can define, audit and enforce Segregation of Duty (SOD) policies across the physical infrastructure. It can manage risk levels associated with persons of interest (POI), based on lists of physical identities that are potential threats to an organization along with their risk profile and historical details. Customized assessment reports covering global locations can be provided to a single Web console; and daily, weekly and monthly operational reports can be generated automatically to provide security practitioners with information to optimize staffing, budgeting and other resources.
For government, financial, healthcare and many other industries, security requirements demand a comprehensive security infrastructure that includes both the physical and logical security spectrums. PIAM effectively addresses the challenges with best practice processes that reduce both costs and risks.
Ajay Jain is President and CEO of Quantum Secure. Request more info on the company at www.securityinfowatch.com/10214753.
