Automated procedures reduce manual errors & help meet regulatory requirements
End user demands are growing exponentially every day. Whether it is managing who has access to buildings or areas and when, recording events on video, managing incidents, meeting compliance requirements or demonstrating proof of compliance, the list goes on and on as to what end users must manage to keep their buildings, assets and people safe.
Physical security equipment and an effective security team will always be required to keep a building safe. But what about having reliable policies and procedures to enforce operational effectiveness?
Sure, companies can invest in the best electronic security systems and cyber security programmes available, but if their internal policies are outdated and security procedures are dependent on manual processes, how can the overall security programme be effective? What if the wrong person gains access to a critical area due to a manual error? How do companies know if their policies, procedures, and command and control activities are enforced 100% of the time? How do they prove it?
To be sure, companies must implement policy-based procedures that reduce manual errors, help meet regulatory requirements and provide proof of compliance for audit requirements in the most efficient way possible.
Improve onboarding process
When onboarding a new employee, contractor or visitor, security often manually assigns an access card and grants privileges based on what the employee’s supervisor or guest host directs. Normally that process involves the security team receiving notification via email that a new employee, contractor or visitor needs access privileges. Security calls or emails the area owner to see if the new person should be given access. Security waits for a response. The area owner responds with a yes or no. Security enters that access into the physical security system and then emails the card owner and tells them they have access. The same process is true with ad-hoc adding of areas and single doors inside the facility.
All this manual back and forth leaves a lot of room for errors to occur, leaving companies vulnerable. To mitigate risk and decrease vulnerabilities, end users must implement an automated process using software to enforce a predetermined corporate policy when granting access to employees, visitors and contractors. A few simple clicks and an email simplify the process.
The requesting party clicks on a link in the software and selects a building and the level of access they would like to acquire for the new employee, contractor or visitor. An email is sent to the door owner, bypassing the security department, and the door owner can approve or reject the request by clicking a link. Upon approval, access is immediately provisioned to the physical access control system. The software also automatically deactivates cards for contractors and visitors with a predetermined expired access time, and the deactivations are provisioned to the security management system.
The automated process takes seconds to complete, rather than wasting minutes and hours, reducing total cost of ownership for the company. Proper and automated procedures are followed that provide an accurate audit trail.
Accurate auditing made easy
At least once a year, sometimes more, companies are required to perform an audit. Normally, the security department runs a report for every door and emails the report to the door owners. The owners review the report, going through it carefully to see if those who have access should have access. People are confirmed or removed and the report is returned to the security department after a month.
If an audit is performed once a year, the data provided in the report could be one to 364 days old, imposing a serious risk that individuals may have access to doors they should not over that timeframe. After that month, the reports are emailed back to the security department where staff must manually go into the physical security system and remove those flagged from the software. For a 1,000-door system, that is months of manual labour while exposing the company and its employees to potentially dangerous levels of security risk.
When an organisation aligns their security processes with business operations using policy-based software, they mitigate risk, save money and meet compliance requirements. The software allows area owners to log into the software from their desktop and view the audit dashboard that includes everyone who has access to their doors. Within minutes the door owner can complete an audit. And when someone is removed from their audit list, the access is automatically removed from their record in the security management system, bypassing the security department, saving months of work and providing a total cost savings to the organisation.
“The cost savings are almost immeasurable,” said AMAG Technology, Vice President - Client Services, Jeff LeBlanc. “Organisations that require quarterly audits realise diminished risk even more and save more money.”
Many industries must adhere to third-party, government-imposed audits such as Sarbanes Oxley for the banking industry, HIPAA for the healthcare sector or Transportation Workers Identity Credential for workers who need access to secure areas of maritime facilities and vessels. While these audits are mandatory, they do not require a company to be in 100% compliance all the time. They demand that controls are in place to identify when the company has fallen out of compliance. The software helps organisations implement audits to help them remain in compliance and meet standards imposed by the government.
Set policies to mitigate risk
Organisations must set and manage policies that improve processes and save money, and that keep them secure and in compliance without security team involvement. While organisations have to meet third-party audit requirements, which often prompt policy setting, most often policies are set to meet internal standards based on a set of parameters determined by the company in advance.
For example, a policy can be created based on a person’s job title and building location. If a person has “director” in their title, they are issued a higher level of access throughout a bank or hospital. If the person’s title changes, the system will automatically change the default access assigned before and add a new level of access, which may include moving from one building to another or gaining a higher level of access within a building.
Other policies help mitigate risk exponentially, such as a card revocation rule. If an access card is not used within a specified time, say 60 days, the system will automatically revoke the card temporarily. When this policy is implemented, companies discover just how many active cards are out there, not liable, and not used. Approximately 95% of temporary card revocations become permanent, meaning a company discovers they are exposed to a big risk.
Another effective policy is the use it or lose it rule. When a card is not used at a specific door or access group within a specific amount of time, access is removed. This rule has produced amazing results for organisations. One client removed 60% of their access assignments when they implemented this policy. About 800,000 assignments were removed, and they received only 10 phone calls asking about access levels.
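The two inactivity rules above, sketched as an added example (this is not the vendor's software or code from the article). The card IDs, door groups, dates and the 90-day per-door window are constructed assumptions; only the 60-day card window comes from the text.

```python
from datetime import datetime, timedelta

NOW = datetime(2024, 6, 1)              # constructed evaluation date
CARD_IDLE_LIMIT = timedelta(days=60)    # the article's example window
DOOR_IDLE_LIMIT = timedelta(days=90)    # assumed; the article gives no figure

# Constructed sample data: card -> {door group: date access was granted}
ASSIGNMENTS = {
    "C100": {"lobby": datetime(2023, 1, 10), "server_room": datetime(2023, 1, 10)},
    "C200": {"lobby": datetime(2023, 9, 1)},
    "C300": {"lobby": datetime(2024, 5, 20), "lab": datetime(2024, 5, 20)},
    "C400": {"lobby": datetime(2023, 11, 1)},
}
# Constructed swipe log: (card, door group, timestamp)
EVENTS = [
    ("C100", "server_room", datetime(2024, 1, 15)),
    ("C100", "lobby", datetime(2024, 5, 30)),
    ("C200", "lobby", datetime(2024, 2, 1)),
]

def last_use(events):
    """Latest swipe per card and per (card, door group)."""
    per_card, per_pair = {}, {}
    for card, group, ts in events:
        per_card[card] = max(ts, per_card.get(card, ts))
        per_pair[(card, group)] = max(ts, per_pair.get((card, group), ts))
    return per_card, per_pair

def evaluate(assignments, events, now):
    """Return (cards to revoke temporarily, (card, group) assignments to remove)."""
    per_card, per_pair = last_use(events)
    suspend, remove = [], []
    for card, groups in sorted(assignments.items()):
        # A never-used card is aged from its earliest grant, so a card
        # issued last week is not revoked before its holder can use it.
        baseline = per_card.get(card, min(groups.values()))
        if now - baseline > CARD_IDLE_LIMIT:
            suspend.append(card)        # card revocation rule
            continue                    # whole card is off; skip per-door check
        for group, granted in sorted(groups.items()):
            # Age from the later of grant and last use, so a re-grant resets the clock.
            ref = max(granted, per_pair.get((card, group), granted))
            if now - ref > DOOR_IDLE_LIMIT:
                remove.append((card, group))   # use it or lose it rule
    return suspend, remove

if __name__ == "__main__":
    print(evaluate(ASSIGNMENTS, EVENTS, NOW))
```

Each decision should be written to the audit trail together with the timestamp it was based on, so a removal can be justified when a cardholder calls to ask about it.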
Setting a policy like this helps keep an organisation's infrastructure in place and eliminate potential damage to its brand, reputation, intellectual property, assets and physical property.
When aligning security plans with reliable policies and procedures, organisations can reduce manual errors, meet compliance, improve operational effectiveness and save on total cost of ownership.