
Regulatory Compliance Defined

It is essential for every organization to comply with all regulations that govern its industry. Businesses that fail to do so may face penalties or fines, audits, and remediation programs. They may also be forced to recall products. All this, together with the negative publicity that accompanies such events, can result in a loss of trust among customers and partners, as well as damage to their brand image.

Complying with regulations produces a number of benefits. By specifying baseline requirements for security, the regulations help organizations determine which measures they will put into practice. Because this improved security helps prevent incidents, it also reduces exposure to costly liability. A more secure environment further reduces the chance of theft, breaches, employee mistakes, and other threats that can cost many millions of dollars.

Regulatory Compliance

A Guide to Common Industry Regulations

The laws to which organizations must demonstrate compliance vary widely by industry. However, because every organization in every industry must put security measures into place, those regulations that govern security are important across all organizations and industries.

A few of the most significant areas of regulatory activity include the following:

GDPR

The General Data Protection Regulation, or GDPR, protects the data privacy of citizens of the European Union (EU). Any company that processes personal data of persons living in the EU is subject to the GDPR. It is not necessary for the organization to be located in the EU for the regulation to apply.


HIPAA

All organizations that manage healthcare data are subject to the Health Insurance Portability and Accountability Act. This act protects the personal and health-related information of patients. Such organizations may include hospitals, insurance companies, doctors’ offices, clinics, and other groups.

FISMA

The Federal Information Security Management Act requires federal agencies to demonstrate that they have robust data protection in place. This act made information security central to the protection of the country as a matter of national security.

PCI-DSS

Any company that handles credit card information is subject to the Payment Card Industry Data Security Standard. This set of requirements was put into place to mitigate credit card fraud.


NERC CIP

The North American Electric Reliability Corporation critical infrastructure protection plan is designed to secure the assets required for operating North America's bulk electric system. The plan’s standards and requirements apply to owners, operators, and users of any portion of the system.

FICAM

The Federal Identity, Credential, and Access Management standards require all Federal facilities to use Personal Identity Verification (PIV) credentials for their physical and logical access control systems. This improves security and personal privacy while reducing identity fraud.

CFATS

Administered by the Department of Homeland Security, the Chemical Facility Anti-Terrorism Standards are focused specifically on security at high-risk chemical facilities. Under these standards, facilities are required to have security measures in place to reduce the risks associated with certain hazardous chemicals. Further, they must have systems in place to prevent those chemicals from being exploited in a terrorist attack.

And the list of regulations goes on…

The Connection between Compliance and Physical Security

A major component of compliance regulations involves controlling physical access to sensitive areas. Often, the first recommendation laid out by the guidelines is to assess which areas of the building contain sensitive data or personnel, and then to determine who should have access to those areas.

These recommendations – determining sensitive areas and assigning access accordingly – are required for all industries. Why? To prevent incidents of fraud, sabotage, or terrorism, which have the potential to cause major disruptions to their customer base or to society as a whole.

In addition to controlling physical access, these regulations often mandate that reasonable measures must be in place to prevent unauthorized entry. At the same time, those measures must maintain a record of those who were authorized and store those records for review or audit.

Controlling the Entry

Many physical security products are specifically designed and engineered to control or prevent access within facilities or at the perimeter. These include, but are not limited to, security entrances, door locks, alarms, access control systems, security guards, and video surveillance. The use of these solutions to prevent access by unauthorized individuals is an important step in maintaining compliance. Their deployment also enables users to demonstrate adherence to those regulations.

While these physical security products all do the job of limiting physical access, their role in compliance varies with each specific regulation. For example...

  • HIPAA: the purpose of limiting access is to prevent anyone other than the patient from seeing their medical records, which may be kept in an access-controlled file room within a doctor’s office or hospital.
  • CFATS: the entire perimeter of a chemical facility must be stringently protected to keep unauthorized individuals away from sensitive machinery and chemicals.
  • FISMA: physical security helps prevent the theft of a laptop or server that could be used to hack into the data system.

Depending on the objective, each application has its own requirements for the level of security. Working with a responsible and experienced integrator, consultant or manufacturer is a key step in assuring that all security and compliance goals can be met with each installation.


Providing Proof of Security Compliance

Complying with regulations isn’t just an administrative necessity. Organizations must be able to show their adherence in order to do business at all. For example, credit card issuers require retailers to comply with the PCI-DSS as a prerequisite for accepting credit cards for payment. Similarly, before granting a facility license to sell food, the FDA requires that food manufacturers comply with provisions of the FSMA.

Penalties for Non-Compliance

Within the compliance laws are severe penalties for non-conformance. For example, if the FDA finds a firm non-compliant with the FSMA, it can impose expensive product recalls, or even suspend the processing facility registration, effectively halting the business until the suspension is lifted. The FSMA also creates criminal liabilities for violations, with misdemeanors punishable by up to a year in prison and fines up to $100,000 for individuals.

If a food contamination incident results in death, the individual fine can go up to $250,000. Fines are doubled for organizations, and under a legal precedent called the Park Doctrine, the CEO of the company can be held personally responsible for violations committed by their employees.

In the energy industry, NERC can impose fines on regional electricity operators if they are found non-compliant with the NERC CIP requirements. After an audit in February of 2016, NERC levied a fine of $1.7 million on a company when it found a number of violations, including three perimeter doors with disabled locks “so people could enter without the burden of security,” among other issues. In October of that same year, NERC levied a $1.1 million fine on an operator who failed to implement physical access controls. In that case, NERC reported that “the CIP violation could have allowed a malicious individual to enter the substation without a key, badge, or authorization and take unauthorized action. Further, if load were lost as a result of a cyber-violation, the applicable penalty would be more than $1-$2 million.”

In the case of the PCI standards, fines for non-compliance rise over time, typically from $10,000 per month, up to $100,000 per month for high-volume businesses with months of non-compliance.

Clearly then, the ability to demonstrate proof of compliance is essential for all regulated industries. Typically, this is managed on a continual basis through periodic audits and inspections. However, should there be some kind of an incident, the stakes rise as the organization could be liable for damages due to loss or harm, whether it is physical or financial.

Are Your Security Measures Enough to Comply?

It is not difficult for a business to show that they have installed security products. All of the products and solutions mentioned above can be presented as evidence of efforts to comply with the applicable regulations. The question remains, however: are they enough? If the goal is to eliminate the possibility of unauthorized access at a specific entry point, even the best ID card reader cannot prevent the theft and use of that card by someone else. For facilities with the most stringent security needs, even biometric locks aren’t good enough if a tailgater slips through the door behind the authorized user.

To ensure that compliance regulations are followed and met, the user needs to look at each individual entry point to determine the best solution for that location. If tailgating prevention is required, the best choice is to install a solution such as a mantrap portal that eliminates that possibility. If identity verification is essential, biometrics can be added inside the solution, creating two-stage authentication of a credential and an identity. Again, working with an experienced team is a crucial step in planning for the optimal security program.

It should also be mentioned that if liability is determined in a criminal or civil suit, the financial value of penalties can easily rise to levels that go beyond the ability of a business to survive. Once a breach has happened, it may be a judge and jury who have the power to make this determination. This makes it even more critical for an organization to be able to show proof that they have taken all the necessary steps to implement a robust physical security program.

Often, a lack of clarity around the entry leads to costly fines.

How Security Entrances Help Achieve “Defensible” Compliance


For any organization with compliance regulations to follow, security entrances, along with the support of people and processes, can improve overall physical security to achieve a risk posture that is defensible to regulators. Unlike standard entrances, security entrances are designed to deter, prevent, or eliminate tailgating. The different types of entrances address tailgating at these different security levels: some play a supportive role and require supervision, while others can eliminate tailgating with no additional supports in place.

Different Entrance Solutions for Each Security Level

At the most controlled level, security revolving doors or portals are configured with sophisticated anti-piggybacking and anti-tailgating sensors. This ensures that only one person can pass through on each set of credentials. Additional biometric sensors such as fingerprint or facial recognition may be integrated to confirm that the person entering matches the credentials being presented.

At lower levels of security, turnstiles can deter and/or detect unauthorized entry. At these entrances, organizations can deploy guard personnel or video surveillance as additional layers of security to prevent or document any non-credentialed individuals tailgating or otherwise entering the premises.


Range of Entrance Types Aid in Layered Security Strategy

This range of choices makes security entrances ideal for implementation in a layered safety and security strategy. Those entrances with lower levels of control can be installed at supervised public entrances and lobbies, with portals and security revolving doors protecting the more sensitive areas within a facility. This enables management to implement appropriate access permissions for all staff, visitors and contractors.

Added Strength with Technology Integration

When integrated with access control systems, security entrances provide a full accounting of who accessed which areas, when, and for how long. They can collect useful operational data, such as failed entry attempts, that can provide input for training programs. Any unused permissions or unusual usage patterns can be tracked. The system can also instantly and automatically update all revised or revoked access permissions, de-provisioning ID badges immediately upon an employee’s termination.

In providing a much stronger deterrent to access, security entrances help users achieve their compliance goals while protecting organizations from risk. Their ability to provide a wealth of usage data and metrics helps establish proof of compliance, further protecting organizations from liability and penalties.


Conclusion

It requires time, attention and budget investment to maintain compliance with government and industry regulations. However, it can also provide organizations with an opportunity. The information and extensive analysis that is required to create and support a compliance program can also be used by management to optimize business operations. Any red flags that emerge during the process are useful indicators of areas requiring improvement.

Many, if not most, organizations can benefit greatly from an overall analysis of their security program. Taking the time to work with experts in determining any shortfalls, and the best solutions to meet standards, will mitigate risk and liability and result in a safer and more secure environment.

With their wide range of security levels, capabilities and demonstrable positive outcomes, security entrances should be a part of every organization’s layered security strategy.
