Making Sense of Alphabet Soup

The need for regulatory compliance is impacting the practice of security more than ever before. The ongoing development of new laws and standards requires security directors to maintain a high level of education and knowledge simply to remain ahead of the...


FFIEC – Federal Financial Institutions Examination Council

This inter-agency body of the U.S. government is empowered to prescribe uniform principles, standards and report forms for federal examination of financial institutions by various government agencies.

How PIAM can help: PIAM is ideal for setting role-based access; access authorization for secured areas is efficiently controlled with software. Authorized approvers/signatories are appointed, and per the policy set forth in the policy engine, only those authorized identities will have access to areas for which they have been provisioned. When access is required, the authorized signatory is alerted via an automated process and is required to approve (or deny) the request in a web-based portal before access is allowed. The automatically documented processes can be used for attestation reports, which verify who approved access to which doors over any duration of time.

SAS 70 – Statement on Auditing Standards No. 70, Service Organizations

This is a widely recognized auditing standard of control objectives and control activities developed by the American Institute of Certified Public Accountants (AICPA).

How PIAM can help: PIAM addresses the provisioning, audit and reporting, and off-boarding processes. When provisioned, the system can automatically generate reports of who visited, who approved the visit, duration and where in the facility the visitors had access.

BASEL III – Third Basel Accord

This is a global voluntary standard regarding bank capital adequacy, stress testing and market liquidity risk developed by the Basel Committee on Banking Supervision.

How PIAM can help: PIAM enables convergence between physical and logical security systems in order to provide security intelligence and analytic data from a variety of sources. It facilitates the necessary checks used to measure liquidity risk exposure by pulling reports at pre-determined intervals. PIAM software also streamlines monitoring processes by having all policies reside in the system.

SOX 302 (a) (4) (C) (D) – Sarbanes-Oxley Act, Sections 302 and 404

These sections address corporate responsibility for financial reports and lay the foundation for IT to enable SOX compliance.

How PIAM can help: With PIAM, the user can audit and report activity pertaining to identities within the organization. System reports identify individuals' activities, such as who is where, accessing what and for what period of time, as well as any changes to established policy rules. PIAM software can create alerts when policy- or rules-based criteria are not met. Audit reports can be generated on an as-needed basis or at specific intervals.


Government

HSPD-12 – Homeland Security Presidential Directive 12

FIPS 201 – Federal Information Processing Standard, publication 201

HSPD-12 was issued in 2004, and FIPS 201 was issued in response to HSPD-12 in 2005. HSPD-12 calls for a government-wide standard for secure and reliable forms of ID issued by the federal government to its employees and to employees of federal contractors for access to federally-controlled facilities and networks. This directive led to the development of a Federal Personal Identity Verification (PIV) system. FIPS 201 is the standard issued by the United States federal government that specifies PIV requirements for federal employees and contractors.

How PIAM can help: PIAM addresses management of all forms of identity badges and any assets or authentication rights, including PIV smart cards which enable government employees to move between facilities and ensure that they are recognized across agencies.

FICAM – Federal Identity, Credential and Access Management

The FICAM Roadmap and Implementation Guidance version 2, completed in 2012 and sometimes referred to as Federal ICAM, provides agencies with architecture and implementation guidance to modernize, streamline and automate privilege management as it relates to both logical and physical access, and to ensure that PIV and PIV-I cards are provisioned and managed securely throughout the lifecycle of the card holder.