21 May 2015

“Better, Faster, Cheaper – choose any two” is the old adage for computerised systems. When it comes to businesses subject to federal or industry security regulations, the equivalent might be “mitigate risk, achieve compliance, or reduce cost – choose any two.” So if there were a way to have all three, that would get your attention.

Complying with regulations

More and more industries are subject to some form of regulation. Publicly traded companies must adhere to Sarbanes-Oxley (S-Ox), financial companies have Dodd-Frank, and the electric energy sector has FERC/NERC. There are also HIPAA, CFATS, TWIC, and more to come. Dealing with the requirements of these regulations has been challenging, and in many cases the processes that will be audited are largely manual. For instance, consider the granting of physical and logical access privileges. More often than not, this is initiated by an email to security, who fill out a paper form. The form is passed to the appropriate managers for signature (or an email confirmation may suffice, which is printed and attached to the form), and then the changes are made manually in the access control systems.

Failure to comply with regulations could expose the company to huge fines or other liability.

Some companies may have recognised this inefficiency and moved forward with Active Directory integration between logical and physical access control systems. However, this only streamlines the actual provisioning or de-provisioning of cardholders and doesn’t track the approval process.

Automated process

A more efficient method is to automate the process using a policy-based web hosted software platform that allows personnel to request access for an individual to a particular facility or area. The workflow driven software can be configured to require various approvals prior to authorising access. Each approval (request and grant) is logged within the database, simplifying auditing and reporting to the point of a few clicks of the mouse.


Compare this with having to store email approvals from various line managers and area owners. After being trained on how to complete an approval, personnel have to implement it manually and then attempt to consolidate the information for reporting and auditing. This cumbersome process takes time, which costs money, and storing paper records is inefficient, hard to manage, and a liability. Moreover, there is no accurate way to track human error or cases where policy was not followed.

If an employee requires access to a particular facility to complete a job assignment, rather than waiting for a manual process to run its course (which could take several days and irritate the personnel who have to babysit the approval), the employee can log into a web portal and request the access. An automated policy management system checks the employee's certifications for the area, obtains the manager and area owner approvals (and any other approvals the policy requires), and then makes the access privilege change in the access control system. Every step, and all the data collected, is stored in a hosted, high-security environment, protecting the data while keeping it available to managers and other authorised personnel who need to produce reports as evidence of compliance.

Web hosted software

To achieve compliance, organisations assign employees specified roles. Some roles require certifications that must be renewed annually for the employee to keep access to certain areas. The policy-based software automatically notifies the employee and manager when a certification is about to expire, prompting action. Renewals may involve training, background checks, or a specialised certification that requires attending a class.

Policy-based, web-hosted software also automates periodic attestation. Managers are required to validate access for their personnel on a scheduled basis (such as once per quarter). They are shown whether the prerequisites are still met and must confirm that the access remains appropriate. This is completed through electronic compliance audits, which help companies meet cyber and industry-specific regulations such as NERC CIP. The software forces policy to be followed, mitigating the risk of violations or inappropriate access.
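The request workflow described above, together with the certification-expiry reminder and scheduled attestation from the previous two paragraphs, modelled as a small Python example. This is added illustration, not code from the article or any vendor product; the employee, manager, area, and certification names are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Employee:
    name: str
    manager: str
    certifications: dict  # certification name -> expiry date

@dataclass
class AreaPolicy:
    area: str
    owner: str
    required_certs: list

@dataclass
class AuditLog:
    entries: list = field(default_factory=list)
    def record(self, event, **details):  # every step is logged for later audit
        self.entries.append({"event": event, **details})

def request_access(emp, policy, approvals, log, today):
    """Check certifications, then collect manager + area-owner approval, then provision."""
    log.record("request", who=emp.name, area=policy.area)
    for cert in policy.required_certs:  # every required certification must exist and be unexpired
        expiry = emp.certifications.get(cert)
        if expiry is None or expiry < today:
            log.record("denied", who=emp.name, area=policy.area, reason=f"{cert} missing or expired")
            return False
    for approver in (emp.manager, policy.owner):  # policy requires both approvals
        if approver not in approvals:
            log.record("pending", who=emp.name, area=policy.area, awaiting=approver)
            return False
        log.record("approved", who=emp.name, area=policy.area, by=approver)
    log.record("provisioned", who=emp.name, area=policy.area)  # change pushed to access control
    return True

def expiring_certifications(emp, today, days=30):
    """Certifications due to expire within `days`, for the reminder to employee and manager."""
    return sorted(c for c, exp in emp.certifications.items() if 0 <= (exp - today).days <= days)

def attest(emp, policy, today):
    """Scheduled attestation: are the area's prerequisites still met for this holder?"""
    return all(emp.certifications.get(c, date.min) >= today for c in policy.required_certs)

# Constructed sample data (assumptions, not from the article)
TODAY = date(2015, 5, 21)
SUBSTATION = AreaPolicy("Substation A", "owner_carol", ["NERC CIP training", "background check"])
ALICE = Employee("alice", "mgr_bob", {"NERC CIP training": date(2015, 6, 10), "background check": date(2016, 1, 1)})
```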

When used with an access control software system, auditing all access privileges allows companies to meet compliance requirements.


To reduce risk and meet compliance, policy-based, web-hosted software logs every step of the security process: provisioning of access during onboarding of employees and contractors, and de-provisioning of access during off-boarding. The software makes it easy to change access privileges when responsibilities or roles change, or for other reasons. It helps companies meet compliance through regularly scheduled attestation of access privileges, with the schedule defined by the company or by the applicable regulations. All information is stored together in a secure, redundant manner for easy and reliable retrieval for audit or reporting purposes.

Security management made easy

Providing evidence of compliance now becomes a few clicks of the mouse rather than rummaging through a file cabinet full of paper. The solution is designed to reduce effort, improve reliability, and overall simplify the compliance process.

When a security management system and policy-based system are used together, it reduces the cost of managing and maintaining regulatory compliance while mitigating risk of fines, policy violations, or inappropriate access through a streamlined compliance management solution.

When this streamlined approach is provided in a Software as a Service (SaaS) model, the solution is provided on a subscription basis, eliminating a heavy initial outlay of capital, thereby significantly reducing the cost of such a valuable function. There are no servers to maintain, no OS patching to be concerned with, and no information protection concerns.

You really can have it all. Mitigate risk to the company and the facility due to not following security policies; achieve regulatory compliance; and reduce the cost of implementing the automated governance solution by eliminating manual processes, relocating physical assets to avoid the IT costs associated with maintaining an on-site solution, and only paying for the system based on actual use by means of a subscription service.