Making Sense of Alphabet Soup

The need for regulatory compliance is impacting the practice of security more than ever before. The ongoing development of new laws and standards requires security directors to maintain a high level of education and knowledge simply to remain ahead of the...


The need for regulatory compliance is impacting the practice of security more than ever before. The ongoing development of new laws and standards requires security directors to maintain a high level of education and knowledge simply to remain ahead of the curve and in full compliance. As many of these laws and standards relate to comprehensive monitoring and management of employee and visitor identities, along with control of access to critical areas, physical identity and access management (PIAM) is an important step in assuring compliance.

Each industry has its own list of rules and regulations, often represented by an alphabet soup of acronyms. Here we decode some of the most common acronyms, and provide a brief explanation for each of how PIAM addresses some of their requirements.

 

Healthcare

HIPAA – Health Insurance Portability and Accountability Act

Among other topics, Title II of the Act defines policies, procedures and guidelines for maintaining the privacy and security of individually identifiable health information. These rules apply to “covered entities” as defined by HIPAA and the HHS and include health plans, healthcare clearinghouses, such as billing services and community health information systems, and healthcare providers that transmit healthcare data in a way that is regulated by HIPAA.

How PIAM can help: With PIAM, the user defines who has access where and when and to what information based on their roles. Each identity — doctor, contractor, administrator, visitor, patient etc. — has access only to what policy dictates. If a role or policy changes, that alteration triggers an automatic, complementary revision in other sets. Once the policies and workflows have been created, PIAM software’s integrated monitoring and reporting features provide auto-remediation of compliance anomalies and reporting to enforce and maintain compliance. In the event of suspicious activity, identities can be easily tracked or trigger/alerts can be created.

 

Energy

NERC – North American Electric Reliability Corporation

CIP – Critical Infrastructure Protection, a sub-set of NERC

Formed in 2006 as the successor to the North American Electric Reliability Council, NERC is a nonprofit, self-regulatory organization. Its standards are mandatory and enforceable throughout the United States and several Canadian provinces. NERC’s major responsibilities include working with all stakeholders to develop standards for power system operation, monitoring and enforcing compliance with those standards, assessing resource adequacy, and providing educational and training resources as part of an accreditation program to ensure power system operators remain qualified and proficient.

How PIAM can help: PIAM enables compliance with the three enforceable NERC-CIP cyber-security standards to help organizations perform a wide range of required activities related to identity and access management, and avoid significant fines. For example, regulations require all operational and procedural controls to manage physical access at all perimeter access points to be documented 24/7, including for all authentication devices. Complex tasks like this are an essential element of a PIAM system.

 

Banking/Finance

FDIC – Federal Deposit Insurance Corporation.

This body is responsible for overseeing insured financial institution adherence to reporting requirements which are required by statute. All regulated financial institutions in the United States are required to file periodic financial and other information with their respective regulators and other parties.

How PIAM can help: Because PIAM software is designed for policy- and rules-based processes, instructions can be written in the system to automatically perform a required process such as a background check on identities at specific intervals. Another or accompanying policy can be written to perform background checks more frequently for contractors or temporary employees. Automatic alerts can be created if there is a change in status when a background check is performed.

This content continues onto the next page...