How to manage identities in an era of regulation
ID and security solutions enable industries to address unique compliance challenges
17 February, 2014
category: Corporate, Financial, Government, Smart Cards
By Ajay Jain, President and CEO, Quantum Secure
Identity is the new firewall. The case for rigorous identity management rests on one principle: no individual in a facility or campus can ever be allowed access to an area they are not authorized to enter. This is a major security issue at most organizations, and it is often mission-critical, with no margin for error.
Beyond the essential physical safety of all individuals on the property, this concern relates to the security of data, the protection of both physical and logical technology located on the premises, intellectual property theft, vandalism, workplace violence and liability. The need for protection and total control of identities resides at the center of a large portion of today’s compliance regulations.
Additionally, the ongoing development of new compliance laws and standards relating to the comprehensive monitoring and management of employee and visitor identities requires security directors to maintain a high level of education and knowledge about physical identity and access management. Every industry has a unique set of rules and regulations developed to address the specific needs of its own facilities and organizations. Just as each industry is different, so too is the manner in which physical identity and access management addresses each industry’s requirements.
Health care
The Health Insurance Portability and Accountability Act (HIPAA), among other topics, defines policies, procedures and guidelines for maintaining the privacy and security of individually identifiable health information. These rules apply to “covered entities” as defined by HIPAA and the Department of Health and Human Services and include health plans, health care clearinghouses, such as billing services and community health information systems, and health care providers that transmit health care data in a way that is regulated by HIPAA.
With physical identity and access management, the organization defines who has access, where and when they gain that access, and to what information they have access, all based on each person’s specific role. Each identity – doctor, contractor, administrator, visitor, patient, etc. – can access only what policy dictates. So if a role or policy changes, that alteration automatically triggers the matching revision to every access right that depends on it.
Once the policies and workflows have been created, the integrated monitoring and reporting features of physical identity and access management software provide auto-remediation of compliance anomalies and the reporting needed to enforce and maintain compliance. In the event of suspicious activity, identities can be easily tracked and alert triggers can be created.
Energy
The North American Electric Reliability Corporation (NERC) is a nonprofit, self-regulatory organization whose standards are mandatory and enforceable throughout the United States and several Canadian provinces.
NERC’s major responsibilities include working with stakeholders to develop standards for power system operation, monitoring and enforcing compliance with those standards, assessing resource adequacy, and providing educational and training resources as part of an accreditation program to ensure power system operators remain qualified and proficient.
Physical identity and access management solutions enable compliance with the three enforceable cyber-security standards defined in NERC’s Critical Infrastructure Protection document. This can help organizations perform a wide range of required activities and avoid significant fines. For example, regulations require all operational and procedural controls to manage physical access at all perimeter access points to be documented 24/7. Complex tasks like this are an essential element of a physical identity and access management system.