How to manage identities in an era of regulation
ID and security solutions enable industries to address unique compliance challenges
17 February, 2014
category: Corporate, Financial, Government, Smart Cards
Banking/Finance
The Federal Deposit Insurance Corporation (FDIC) is responsible for ensuring that insured financial institutions comply with the reporting requirements imposed by statute. All regulated financial institutions in the U.S. must file periodic financial data and other information with their respective regulators and other involved parties.
As physical identity and access management software is designed for policy-based and rules-based processes, instructions can be written in the system to automatically perform required tasks such as initiating background checks on identities at specific intervals. Accompanying policy could be written to perform background checks more frequently for contractors or temporary employees. Automatic alerts can even be created if there is a change in status when a background check is performed.
The Federal Financial Institutions Examination Council (FFIEC) is an inter-agency body of the U.S. government empowered to prescribe uniform principles, standards and report forms for examination of financial institutions by various government agencies.
Physical identity and access management is ideal for setting role-based access and authorization for secured areas. Authorized approvers/signatories are appointed, and per the policy set forth in the policy engine, only those authorized identities will have access to areas for which they have been provisioned.
When access is required, the authorized signatory is alerted via an automated process and must approve or deny the request in a web-based portal before access is enabled. The automatically documented process can be used for attestation reports that verify who approved access to which doors over any period of time.
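To make the approval flow concrete, here is an added example (not code from the article or from any physical identity and access management product) of a small policy engine: roles are provisioned to secured areas, a request for a signed-off area stays pending until the appointed signatory decides it in the portal, and every decision lands in a log that an attestation report filters by time window and door. The area names, roles, identities and timestamps are constructed sample data.

```python
"""Added example, not code from the article or from any PIAM product: a
policy engine that provisions roles to secured areas, routes requests to
the appointed signatory, and keeps a decision log for attestation reports.
All area names, roles, identities and times are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Policy: roles allowed into each area and the signatory role that must approve.
# "*" means any badged identity; approver None means no sign-off is required.
AREA_POLICY = {
    "data-center": {"allowed_roles": {"dc-engineer"}, "approver": "dc-manager"},
    "vault": {"allowed_roles": {"teller", "branch-manager"}, "approver": "branch-manager"},
    "lobby": {"allowed_roles": {"*"}, "approver": None},
}


@dataclass
class Identity:
    id: str
    roles: set


@dataclass
class AccessRequest:
    identity: str
    area: str
    requested_at: datetime
    status: str = "pending"  # pending | approved | denied | rejected-by-policy
    approver: Optional[str] = None
    decided_at: Optional[datetime] = None


class PolicyEngine:
    def __init__(self, identities, signatories):
        self.identities = {i.id: i for i in identities}
        self.signatories = signatories  # identity id -> approver role held
        self.log = []  # (when, identity, area, outcome, approver)

    def request_access(self, identity_id, area, now):
        req = AccessRequest(identity_id, area, now)
        ident = self.identities.get(identity_id)
        policy = AREA_POLICY.get(area)
        if ident is None or policy is None:
            return self._finish(req, "rejected-by-policy", None, now)
        allowed = policy["allowed_roles"]
        if "*" not in allowed and not (ident.roles & allowed):
            # The identity holds no role provisioned for this area.
            return self._finish(req, "rejected-by-policy", None, now)
        if policy["approver"] is None:
            return self._finish(req, "approved", "policy", now)
        return req  # stays pending until the signatory decides in the portal

    def decide(self, req, signatory_id, approve, now):
        if req.status != "pending":
            raise ValueError("request already decided")
        required = AREA_POLICY[req.area]["approver"]
        if self.signatories.get(signatory_id) != required:
            raise PermissionError(f"{signatory_id} is not an authorized signatory for {req.area}")
        return self._finish(req, "approved" if approve else "denied", signatory_id, now)

    def _finish(self, req, status, approver, now):
        req.status, req.approver, req.decided_at = status, approver, now
        self.log.append((now, req.identity, req.area, status, approver))
        return req

    def attestation_report(self, start, end, area=None):
        """Who approved (or was refused) access to which doors within [start, end]."""
        return [e for e in self.log if start <= e[0] <= end and (area is None or e[2] == area)]


def demo():
    t0 = datetime(2014, 2, 17, 9, 0, tzinfo=timezone.utc)
    engine = PolicyEngine(
        [Identity("alice", {"dc-engineer"}), Identity("bob", {"teller"})],
        {"carol": "dc-manager"},
    )
    req = engine.request_access("alice", "data-center", t0)
    engine.decide(req, "carol", True, t0.replace(hour=10))   # signatory approves
    engine.request_access("bob", "data-center", t0)           # not provisioned for this area
    engine.request_access("bob", "lobby", t0)                 # open area, approved by policy
    return engine


if __name__ == "__main__":
    for entry in demo().attestation_report(datetime.min.replace(tzinfo=timezone.utc),
                                           datetime.max.replace(tzinfo=timezone.utc)):
        print(entry)
```

The log records refusals as well as approvals, so an auditor can see both who was let in and who was turned away by policy; a real deployment would also persist the log somewhere the signatories cannot edit.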
The Statement on Auditing Standards Number 70 (SAS 70) is a widely recognized auditing standard of control objectives and control activities developed by the American Institute of Certified Public Accountants.
Physical identity and access management addresses the provisioning, auditing, reporting and off-boarding processes. Once provisioned, the system can automatically generate reports of who visited, who approved the visit, duration and where in the facility the visitors had access.
BASEL III, the Third Basel Accord, is a global voluntary standard for bank capital adequacy, stress testing and market liquidity risk developed by the Basel Committee on Banking Supervision.
Physical identity and access management enables convergence between physical and logical security systems in order to provide security intelligence and analytic data from a variety of sources. It facilitates the necessary checks used to measure liquidity risk exposure by pulling reports at pre-determined intervals. Physical identity and access management software also streamlines monitoring processes by having all policies reside in the system.
The Sarbanes-Oxley Act addresses corporate responsibility for financial reports and lays the foundation for IT to enable compliance.
With physical identity and access management, users can readily audit and report activity pertaining to identities within the organization. System reports identify an individual's activities such as location, what they are accessing, for what period of time they have access, or any changes to established policy rules. Physical identity and access management software can create alerts when policy or rules-based criteria are not met. Audit reports can also be generated on an as-needed basis or at specific intervals.
Government
There are three progressive regulatory initiatives which together build a very strong case for physical identity and access management in addressing conformance and compliance.
The Homeland Security Presidential Directive 12 (HSPD-12) issued in 2004 calls for a government-wide standard for secure and reliable forms of ID issued by the federal government to its employees and to employees of federal contractors for access to federally-controlled facilities and networks. This directive led to the development of a Federal Personal Identity Verification (PIV) system.
Physical identity and access management addresses management of all forms of identity badges and any assets or authentication rights, including PIV smart cards which enable government employees to move between facilities and ensure that they are recognized across agencies.
The Federal Information Processing Standard Publication 201 (FIPS 201) was issued in 2005 in response to the HSPD-12 directive. It specifies PIV requirements for federal employees and contractors.
The Federal Identity, Credential and Access Management (FICAM) Roadmap and Implementation Guidance Version 2 was completed in 2012. The purpose of the FICAM document is to provide agencies with architecture and implementation guidance to modernize, streamline and automate privilege management as it relates to both logical and physical access. It also ensures that the PIV and PIV-I cards are provisioned and managed securely throughout the lifecycle of the card holder.
Finally, OMB M-11-11 requires that an agency’s existing logical access control systems be upgraded to align with the FICAM Guidelines for PIV usage, and validate and use PIV cards issued outside a given agency.
To address these three requirements, physical identity and access management software provides processes to manage the intersection of physical identities, digital identities and various credentials into a policy-based management approach. It streamlines and consolidates disparate systems into a single and centralized FICAM-aligned, integrated and auditable system.
Software provides a one-step policy-based approach to manage and enroll PIV cardholders – including biometric and biographic data capture from the PIV card – into various physical access control systems. Lifecycle management of the PIV card in physical access systems, including activation, status inquiry, lost or stolen card handling, provisioning and revocation, expiration and so on, can all be managed centrally. Moreover, physical identity and access management is the missing ingredient in legacy federal systems: it connects the authoritative and trusted data sources for identities and PIV attributes to physical access control systems to ensure security and achieve the target state for a modernized physical security system.
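The central lifecycle management described above is essentially a state machine whose status changes must reach every connected physical access control system. The following is an added example, not code from the article, from FIPS 201 or from any vendor: a registry that tracks each card through activation, loss or theft, revocation and expiry, rejects transitions the policy does not allow, and pushes each change to subscribed PACS. The permitted transitions, card ids, holders and dates are constructed for the example.

```python
"""Added example, not code from the article, FIPS 201 or any vendor: a
central registry that tracks each PIV-style card through its lifecycle and
pushes status changes to every connected physical access control system.
The transition table, card ids, holders and dates are constructed."""
from datetime import date

# Lifecycle policy (assumed for this example): state -> {event: next_state}.
TRANSITIONS = {
    "issued": {"activate": "active"},
    "active": {"report_lost": "lost", "report_stolen": "stolen",
               "revoke": "revoked", "expire": "expired"},
    "lost": {"revoke": "revoked"},
    "stolen": {"revoke": "revoked"},
    "revoked": {},   # terminal
    "expired": {},   # terminal: a replacement card is issued instead
}


class CredentialRegistry:
    def __init__(self, today):
        self.today = today
        self.cards = {}         # card_id -> {holder, state, expires, history}
        self.subscribers = []   # callables, one per PACS, notified of status changes

    def enroll(self, card_id, holder, expires):
        self.cards[card_id] = {"holder": holder, "state": "issued",
                               "expires": expires, "history": [("enroll", "issued")]}

    def apply(self, card_id, event):
        """Apply a lifecycle event; disallowed transitions are refused, not ignored."""
        card = self.cards[card_id]
        nxt = TRANSITIONS[card["state"]].get(event)
        if nxt is None:
            raise ValueError(f"{event!r} is not allowed while card is {card['state']!r}")
        card["state"] = nxt
        card["history"].append((event, nxt))
        for notify in self.subscribers:   # fan the change out to every PACS
            notify(card_id, nxt)
        return nxt

    def status(self, card_id):
        """Status inquiry; an active card past its expiry date is expired on the spot."""
        card = self.cards[card_id]
        if card["state"] == "active" and card["expires"] < self.today:
            self.apply(card_id, "expire")
        return card["state"]

    def grants_access(self, card_id):
        """What a PACS should answer at the door: only active, unexpired cards pass."""
        return card_id in self.cards and self.status(card_id) == "active"


def demo():
    registry = CredentialRegistry(today=date(2014, 2, 17))
    pushed = []   # stands in for one subscribed PACS
    registry.subscribers.append(lambda cid, state: pushed.append((cid, state)))
    registry.enroll("card-0001", "alice", expires=date(2019, 2, 17))
    registry.enroll("card-0002", "bob", expires=date(2013, 12, 31))  # already past expiry
    registry.apply("card-0002", "activate")
    before = registry.grants_access("card-0001")   # issued but not yet activated
    registry.apply("card-0001", "activate")
    after = registry.grants_access("card-0001")
    registry.apply("card-0001", "report_lost")
    return registry, pushed, before, after


if __name__ == "__main__":
    registry, pushed, before, after = demo()
    print(before, after, registry.status("card-0001"), registry.status("card-0002"))
    print(pushed)
```

Because every PACS learns of a change from the same registry, a card reported lost is refused at all doors at once rather than only where the report was taken, and the per-card history gives the audit trail that status inquiries and attestation draw on.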
Cross-industry capabilities
While the functions of physical identity and access management software are complex and diverse, technology does exist to help manage governance and compliance of the many government or industry-issued access and identity rules and standards. With adherence to specific regulatory guidelines built into the rules of the software, users can perform important identity and access control functions while meeting regulatory requirements.
Physical identity and access management software can also analyze risk and compile key data across the physical security infrastructure. Integrated infraction management can automatically trigger notifications or change access privileges. The software can define, audit and enforce Segregation of Duty policies across the physical infrastructure.
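The "define, audit and enforce" cycle for Segregation of Duty, and the infraction rule that changes access automatically, are easier to reason about in code. This added example (not the article's or any vendor's code) defines conflicting area pairs as data, audits existing provisioning against them, blocks a new grant that would create a conflict, and suspends access when infraction events of a type pass a threshold within a window. The area names, thresholds, identities and events are constructed sample data.

```python
"""Added example, not code from the article or any vendor: a Segregation of
Duty audit over provisioned physical access, a pre-provisioning check that
enforces it, and an infraction rule that suspends access automatically.
Area names, thresholds, identities and events are constructed."""
from collections import Counter
from datetime import datetime, timedelta

# Define: pairs of areas that one identity must never hold at the same time.
SOD_RULES = [
    ("cash-vault", "cash-audit-room"),
    ("server-room", "backup-tape-store"),
]
# Infraction policy: events of a type inside the window before access is suspended.
INFRACTION_THRESHOLDS = {"tailgate": 3, "forced-door": 1}


def audit_sod(provisioned):
    """Audit: (identity, area_a, area_b) for every violated pair in current provisioning."""
    return [
        (ident, a, b)
        for ident, areas in sorted(provisioned.items())
        for a, b in SOD_RULES
        if a in areas and b in areas
    ]


def check_provisioning(provisioned, identity, new_area):
    """Enforce: return the held area that conflicts with granting new_area, or None."""
    held = provisioned.get(identity, set())
    for a, b in SOD_RULES:
        if new_area == a and b in held:
            return b
        if new_area == b and a in held:
            return a
    return None


def evaluate_infractions(events, window_end, window=timedelta(days=30)):
    """events: (identity, event_type, timestamp). Returns the automatic actions due."""
    window_start = window_end - window
    counts = Counter(
        (ident, etype) for ident, etype, ts in events if window_start <= ts <= window_end
    )
    actions = []
    for (ident, etype), n in sorted(counts.items()):
        limit = INFRACTION_THRESHOLDS.get(etype)
        if limit is not None and n >= limit:
            actions.append({"identity": ident, "event": etype, "count": n,
                            "action": "suspend-access", "notify": "security-operations"})
    return actions


def demo():
    provisioned = {
        "dana": {"cash-vault", "cash-audit-room", "lobby"},   # violates the first SoD rule
        "eve": {"server-room", "lobby"},
    }
    now = datetime(2014, 2, 17, 12, 0)
    events = [   # constructed door events
        ("eve", "tailgate", now - timedelta(days=1)),
        ("eve", "tailgate", now - timedelta(days=2)),
        ("eve", "tailgate", now - timedelta(days=45)),    # outside the 30-day window
        ("dana", "forced-door", now - timedelta(hours=3)),
    ]
    return {
        "violations": audit_sod(provisioned),
        "blocked_by": check_provisioning(provisioned, "eve", "backup-tape-store"),
        "actions": evaluate_infractions(events, now),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Keeping the rules as data rather than scattered conditionals is what lets the same policy be reported on (audit), applied at grant time (enforce) and reviewed when a regulator asks what the policy actually was.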
These systems can also manage risk levels associated with persons of interest based on lists of physical identities that are potential threats to an organization along with their risk profile and historical details. Customized assessment reports covering global locations can be provided to a single Web console, allowing for daily, weekly and monthly operational reports to be generated automatically to provide security practitioners with information to optimize staffing, budgeting and other resources.
For government, financial, health care and many other industries, security requirements demand a comprehensive security infrastructure that includes both the physical and logical security spectrums. Physical identity and access management effectively addresses these challenges with best practice processes that reduce both costs and risks.