Articles by Kim Rahfaldt
Today’s security leaders encounter many challenges. They have to operate with reduced budgets and face challenging and evolving risks on a daily basis. Security leaders are often ignored and only called upon when needed or in disaster situations. Many don’t have an ongoing relationship with the C-suite because the C-suite doesn’t understand the value they bring to the whole business.

In order to resolve these challenges, a security leader can apply a risk-based approach to their security program. According to dictionary.com, risk is “exposure to the chance of injury or loss; a hazard or dangerous chance”. Risk is broader than a security concern and involves the entire business. By utilising a 3R model, considering resources, risks and resolutions, a security leader can evaluate the output from the model to build the foundation of a strong plan. This allows the leader to make security decisions based on a quantified risk measure. A business determines what resources it wants to protect, what risks it needs to protect the resources from and what resolutions it can put in place to mitigate the risk. Decisions are based on measurable evidence.

The 3 Rs

The first step in the 3R model is to figure out what resources need protection. These could be physical (such as buildings, critical infrastructure or valuable equipment), knowledge-based (such as intellectual property) or organisational (such as people or governance structure). Understanding the business will help the security leader develop a list of critical elements. Look for tangible resources such as buildings and machinery, and intangible resources like reputation, knowledge and processes.

Second, determine what the resources need to be protected from.
Anything that threatens harm to the organisation, its mission, its employees, customers, partners, its operations or its reputation could be at risk. These can include contextual risks (workplace safety or natural disasters), criminal risks (theft or cybercrime) or business risks (compliance or legal issues).

Free online risk assessment tools are available to provide a fast, easy way to determine an organisation's basic security risks through an investigative approach. The tools ask several questions and determine risk based on an organisation’s location and the answers provided. Security leaders can also work with security companies and consultants that offer risk assessments to determine their company’s needs, and then offer solutions based on that assessment.

The third objective is to determine how businesses can best protect the identified resource. The last of the 3 Rs, resolutions, are those security activities that enable the business to mitigate the impact of security risks. Resolutions can potentially prevent a security incident from occurring, contain the impact to resources if an event does occur and also assist the organisation in recovering from an impact more quickly or easily.

The path forward

Understanding what risks a business faces in totality provides an opportunity for the security leader to collaborate with other department heads. This gives security leaders an opportunity to engage with functions outside their norm as well as a chance to demonstrate their subject matter expertise.
A risk-based approach also helps security leaders fully understand an organisation’s needs and concerns, which they can communicate to the C-suite to help them make better business decisions. The C-suite and executives help define an acceptable level of security risk tolerance for resources and make quality, educated decisions about mitigating security risks. Through collaborating with security leaders using a risk-based approach and the 3R model, metrics and reports show the impact of security expenses, and there is a transparent view of security risk. The final decision about how to mitigate and resolve risks is up to the business owner of the resource and the risk stakeholders. To obtain funding, show the risk and value of resources exposed to potential impact. Then present the recommended resolution that reduces the potential level of impact and the associated cost-benefit savings. By providing this information, security leaders can ensure that the business owners can make an educated decision.

Measuring success

A risk-based approach aligns the security mission with the organisation’s mission. Security leaders should have these conversations with their business leaders on a regular basis. Understanding the thresholds of risk tolerance and showing when incidents or activities are trending outside of acceptable boundaries will help business leaders make educated decisions. Determining a baseline of acceptance gives a foundation for security leaders to point out when the organisation is not meeting its own requirements. Metrics can also help business leaders understand the cost/benefit of resolutions and demonstrate when costs may be trending outside of acceptable boundaries.
The 3R model also helps a business to track occurrences, quantify the direct and ancillary impact and make continuous adjustments to the security program. It is important to note that this process is not stagnant, and needs to be constantly revisited.

Defining risks and vulnerabilities

Continuous conversations using the 3R model also help business leaders understand what security risks could interfere with meeting business objectives. It also aligns the total cost of ownership for the security program with the business value of the resources at risk. And it defines the security role as risk management, not just task management. The approach puts the security risk decisions in the hands of the ones impacted by those risks: the “owners” of the resources. Examining risks, resources and resolutions in a systematic way will help security leaders understand what they are protecting, what they are protecting it from, and how they can help prevent, contain or recover against a specific risk. Followers of this approach are in a better position to ask for funding because they can clearly define and quantify risks and vulnerabilities. Applying these principles will equip security leaders with the knowledge needed to have better dialogue with colleagues in other departments, encouraging more proactive discussions about security.
Companies have vast amounts of data at their fingertips to help them make better business decisions about how to secure their buildings and improve business processes. What we will see next year is more companies determining HOW to use their data to help make better business decisions. Physical identity and access management systems with intuitive dashboards will help users determine how to use their data to save money. For example, reducing manual processes can free up hours of time. CSOs can find more productive projects for their staff now, rather than have them chase manual compliance audits.

Ensuring compliance with access control

We have also noticed that companies are looking at how to use their access control systems to better enforce and fulfil burdensome compliance requirements. We are having conversations with end users in regulated industries whose biggest concern is how to manage HIPAA, NERC CIP or SOX audits in a timely fashion to meet compliance so they do not encounter huge fines. Using unified platforms to manage access control and identities is the solution. While many companies continue to manage their audits manually, more are investigating how to operationalise their access control systems to improve internal processes and help build efficiencies using identity and access management platforms. By automating back-end processes, such as onboarding and offboarding employees and recertifying access to specific locations, productivity improves, costs are reduced and the information required to meet compliance is automatically provided.

Mobile access control technology

Mobile technology will continue to gain in popularity and acceptance. As universities and other industries replace or add to their access control systems, they will migrate to Bluetooth readers.
Biometric apps will provide authentication to confirm the correct person is using the credentials on the phone. AMAG had a very successful 2017. We launched Symmetry CONNECT, our new identity and access management platform, and are seeing how it has positively impacted our customers in meeting compliance requirements and reducing costs. We are looking forward to helping entire estates function more smoothly using incident management, identity management and visitor management data. AMAG will continue to evolve its technology to build efficiencies for our customers.
An organisation is a complex environment that is ever changing and continuously growing to include more servers, more buildings and more systems, and as a result includes more risk, costs and threats. As a Chief Operations Officer looks at the many objectives across an organisation, he needs to evaluate how to increase profits, manage risk, and provide a cost-effective route for improving processes, managing incidents and securely operating an enterprise. The only true way to address security risk is to manage the people and the systems they use. An organisation must manage the system intelligence driven to those people, using a dashboard to create a data-centric approach model to identify behaviours, manage risk and decrease costs. How should an organisation accomplish this? How can security managers and C-level executives attain a higher-level understanding of how a data-centric approach can be more effective in combating silos of data, convergence of IT/OT and the multitude of risks across an enterprise/global environment?

Collecting relevant data

An organisation must first determine what data to collect to best protect their people, assets and infrastructure. Access control and video management systems provide much more data than originally intended. Beyond managing who has access to certain doors and when that access is allowed, they can identify behaviour patterns. When correlating physical behaviour patterns with logical activities, we can understand someone’s intentions. For example, understanding why a Certified Nursing Assistant tried to access the pharmacy three times in one week could mean many things. When the data is viewed as a whole, it demonstrates a possible threat that would have been overlooked if reviewed in separate silos.
Identifying the behaviour and then tracking it will provide intelligence to determine if there is a problem. Analysis will determine if an investigation is warranted. In this example, identifying an unusual behaviour mitigates risk and could save thousands of dollars in missing drugs, inventory replacement, possible legal fees and employee turnover.

After data has been collected, an organisation must then understand who is coming into their building and the risks they represent. Three types of identities enter a company every day: employees, contractors and visitors. Employees are more often considered a threat these days than in the past. And while the nightly news and movies would have us believe this happens more than we think, in truth, employees are the most vetted of all identities. Background checks, thorough interviewing procedures and recommendations occur before someone is hired. Contractors are somewhat vetted. When an organisation hires a contractor, they trust that the company where the contractor is employed has done its due diligence and vetted its employee.

Web-based visitor management system

Visitors pose the biggest threat. Visitors range from the friendly sales person who is checking on his favourite account to an estranged husband who is searching for his wife. Companies can no longer afford to use the “sign the notebook” system. Now, organisations can proactively manage visitors using a web-based visitor management system. A web-based visitor management system gets employees involved in the vetting of a visitor, collecting the necessary data and minimising risk. Employees schedule meetings via the system, which sends an automatic email to the visitor. This creates a record of the visit and notifies the security department of who is coming to the building.
The company can enforce its security policies by making the visitor acknowledge the policy before the visit. Temporary access is given to the exact areas where the visit will occur and is automatically terminated when the scheduled time has expired. This process allows unfriendly visitors to be placed on a watch list. The security team is automatically notified when a watch list visitor enters the building and can take extra precautions. Knowing who is entering a building before they arrive creates a safer environment.

Using a web-based visitor management system provides a data-centric approach to visitor management, giving the necessary departments insight into data and metrics that can help them better staff lobbies at busy times or reduce headcount when it makes sense. Visitors are properly vetted and the security staff is aware of their arrival and departure times. The data collected helps COOs properly staff lobbies based on time of day, foot traffic and, when necessary, even on who is visiting, such as a VIP.

Data-centric approach

By taking a closer look at its operating procedures, an organisation can use the data it collects from different systems to streamline processes and improve efficiencies, break down data silos, converge IT and operations and reduce overall risks. For example, a policy-based identity management system can help companies streamline their internal on-boarding processes by reducing paper and/or email trails and bringing together the different departments involved, such as HR, IT, Security and the department for which the new employee works.
When a new employee starts, their information can be entered into the identity management system and automatically shared with the individuals involved in the on-boarding process. This eliminates errors, unifies the process and is more efficient. Collecting data from building management systems such as HVAC and lighting systems can help put systems in place that meet internal audit requirements, save energy and reduce costs. Using the reporting capabilities offered in policy-based identity management systems, companies can easily meet the complex audit and compliance regulations required by the government when the proper data is collected, and save money.

Security managers and C-level executives will be able to better analyse information gleaned from the spectrum of systems when it is consolidated in a dashboard. They will be able to see everything at a glance and run reports to help make better business decisions. Applying a data-centric approach to business will help organisations reduce risk, reduce costs, meet compliance requirements and become more efficient.
As security systems age, their components become obsolete, end users outgrow them, or end users may be faced with expensive and time-consuming upgrades. Users can spend months researching new solutions or take a chance on a lengthy upgrade with unforeseen challenges and costs. Both options include finding money in the budget for a new system, upgrades or labour expenses that often were not planned for or expected. However, Kim Rahfaldt, Public Relations Manager at AMAG Technology, offers another solution.

A retrofit solution offers hardware, software, and processes that allow a company to upgrade quickly, easily and affordably while protecting their current security investment. A retrofit solution allows users to reuse much of their existing infrastructure, frequently including enclosures, wiring, readers, and cards. This offers a large saving in both time and money. Installation time is drastically reduced compared to full system replacement, minimising business disruptions. The easiest-to-install retrofit systems on the market take only minutes to swap out and no tools are required. The installer simply unplugs and removes the obsolete circuit boards and replaces them with the new equivalent board. The plug-and-play boards slide into the existing enclosure and are reconnected. Activate the power and the new system is operational within minutes per location. End users save big on installation costs and integrators complete system upgrades quickly.

Preparation is Key to Success

End users should analyse the company’s projected needs for at least the next 10 years to determine what type of retrofit solution to choose. What is the expected growth? Which technologies are necessary to support that growth? Video, intrusion, visitor management, and other options must be considered. The system should integrate with key technology partners to provide a complete solution for any security need, whether it be video, audio, biometric technology, fault-tolerant servers, etc.
Choosing the right product upfront can save thousands of dollars later. When selecting a vendor, end users should contact two or three to ask questions and learn more about the company, products, and delivery against commitments. After all, in addition to installing a new security platform, end users are entering into a long-term relationship with the supplier. Look for a manufacturer that provides professional services and product lifecycle management support. These support teams show users how to leverage their security system capabilities to the fullest extent, implementing and maximising all feature sets within the access control software. When done right, a professional services team instils a teamwork approach with the end user, integrator and manufacturer to ensure all parties’ voices are heard and the product is being utilised to its fullest extent. Choose manufacturers that have ISO 9001, ISO 14000, ISO 27000, RoHS and UL294 compliance, and are CE certified.

What are the End User’s Needs?

End users cannot shut down their security systems for long periods of time. The manufacturer and integrator must work together to ensure a smooth transition from the old, obsolete system to the new retrofit solution with minimal to no system downtime. A plug-and-play retrofit system that can operate alongside the old system provides a low-risk, easy-to-install option. The end user needs to find a true partner in their manufacturer. The manufacturer must produce quality products, deliver exceptional customer service and believe in cultivating relationships. End users demand an easy-to-use, intuitive access control retrofit system that is easy to learn and to train staff on, is cost effective, scalable and can grow with them.

How Does the Integrator Benefit?
When a product becomes antiquated or support is no longer offered, the integrator is often the one who deals with an irate customer through no fault of their own. Offering a retrofit solution could be the best alternative. The integrator saves the day and the end user saves money because they can reuse their existing readers, cards, enclosures and wiring. Retrofits are quick to install, so integrators won’t waste weeks at job sites performing a rip and replace. They’ll swap out the boards, make sure everything is running smoothly and move on to the next job. They are working smarter and positively impacting their bottom line. On the flip side, retrofit solutions offer an opportunity for ongoing work over a period of time. Some customers have large systems with multiple locations that they need to retrofit. These large customers will want to plan out and phase in their systems. This means they’ll purchase product and installation services month after month until completed.

The Benefits of a Plug-and-Play Retrofit Solution

End users must consider the installation process as they migrate to their new networked system. Simple circuit board replacement offers the greatest cost and time savings. The end user reuses the existing enclosures, fitting the same wall space. A simple change-out of the boards is all that is required. All wiring infrastructure remains intact, saving money on the labour expense to remove it and install new wiring. The new circuit board operates flawlessly with the existing wiring. Support for all existing communications topologies of the legacy system, including downstream controllers where multiple access control panels communicate with the host software through one Ethernet port, is essential. This should be supported through a plug-and-play procedure where no wiring changes are required. Dial-up support may also be a requirement. Choose a retrofit system that supports reader protocols that match existing equipment (such as F/2F, often used in legacy systems).
This allows the end user to reuse its existing readers and badges, which saves on the time, cost and disruption caused when replacing an access control system.

Experience Matters – Not Just Product

Today there are commodity plug-and-play boards that allow any vendor to claim to offer a retrofit solution. The reality, however, is that replacing the boards is only a part of a retrofit, and in some ways the easier part. Research the solutions available. Does the manufacturer have a PROVEN database conversion process? The last thing a customer wants is to be the “guinea pig” as manufacturers figure things out on the fly. An experienced supplier provides support to identify and plan the entire migration. This will minimise downtime and duplication of effort. While many suppliers can assist with conversion of cardholder data, investigate what else can be transferred to the new system. Some manufacturers can convert access rights and areas, significantly reducing the manual effort involved in a conversion. Understand the specifics regarding database conversion and the overall migration process before committing to a retrofit product. Make sure that this process has been honed by real-world experience.

When an access control system retrofit is done properly, end users receive a new, state-of-the-art hardware and software platform that meets their requirements, upgrades their system to modern technology standards, eliminates risk, protects current investments and reduces costs. Integrators can offer solutions to frustrated customers and watch their business grow. Both parties win, making retrofit solutions a great alternative.
Automated procedures reduce manual errors & help meet regulatory requirements

End user demands are growing exponentially every day. Whether it is managing who has access to buildings or areas and when, recording events on video, managing incidents, meeting compliance requirements or demonstrating proof of compliance, the list goes on and on as to what end users must manage to keep their buildings, assets and people safe. Physical security equipment and an effective security team will always be required to keep a building safe. But what about having reliable policies and procedures to enforce operational effectiveness? Sure, companies can invest in the best electronic security systems and cyber security programmes available, but if their internal policies are outdated and security procedures are dependent on manual processes, how can the overall security program be effective? What if the wrong person gains access to a critical area due to a manual error? How do companies know if their policies, procedures, and command and control activities are enforced 100% of the time? How do they prove it? To be sure, companies must implement policy-based procedures that reduce manual errors, help meet regulatory requirements and provide proof of compliance for audit requirements in the most efficient way possible.

Improve onboarding process

When onboarding a new employee, contractor or visitor, security often manually assigns an access card and grants privileges based on what the employee’s supervisor or guest host directs. Normally that process involves the security team receiving notification via email that a new employee, contractor or visitor needs access privileges. Security calls or emails the area owner to see if the new person should be given access. Security waits for a response. The area owner responds with a yes or no. Security enters that access into the physical security system and then emails the card owner and tells them they have access.
The same process is true with ad-hoc adding of areas and single doors inside the facility. All this manual back and forth leaves a lot of room for errors to occur, leaving companies vulnerable. To mitigate risk and decrease vulnerabilities, end users must implement an automated process using software to enforce a predetermined corporate policy when granting access to employees, visitors and contractors. A few simple clicks and an email simplify the process. The requesting party clicks on a link in the software and selects a building and the level of access they would like to acquire for the new employee, contractor or visitor. An email is sent to the door owner, bypassing the security department, and the door owner can approve or reject the request by clicking a link. Upon approval, access is immediately provisioned to the physical access control system. The software also automatically deactivates cards for contractors and visitors with a predetermined expired access time, and the deactivations are provisioned to the security management system. The automated process takes seconds to complete, rather than wasting minutes and hours, reducing total cost of ownership for the company. Proper and automated procedures are followed that provide an accurate audit trail.

Accurate auditing made easy

At least once a year, sometimes more, companies are required to perform an audit. Normally, the security department runs a report for every door and emails the report to the door owners. The owners review the report, going through it carefully to see if those who have access should have access. People are confirmed or removed and the report is returned to the security department after a month.
If an audit is performed once a year, the data provided in the report could be one to 364 days old, imposing a serious risk that individuals may have access to doors they should not over that timeframe. After that month, the reports are emailed back to the security department, where staff must manually go into the physical security system and remove those flagged from the software. For a 1,000-door system, that is months of manual labour while exposing the company and its employees to potentially dangerous high levels of security risk.

When an organisation aligns their security processes with business operations using policy-based software, they mitigate risk, save money and meet compliance requirements. The software allows area owners to log into the software from their desktop and view the audit dashboard that includes everyone who has access to their doors. Within minutes the door owner can complete an audit. And when someone is removed from their audit list, the access is automatically removed from their record in the security management system, bypassing the security department, saving months of work and providing a total cost saving to the organisation. “The cost savings are almost immeasurable,” said AMAG Technology Vice President - Client Services, Jeff LeBlanc. “Organisations that require quarterly audits realise diminished risk even more and save more money.”

Many industries must adhere to third-party, government-imposed audits such as Sarbanes-Oxley for the banking industry, HIPAA for the healthcare sector or the Transportation Worker Identification Credential for workers who need access to secure areas of maritime facilities and vessels. While these audits are mandatory, they do not require a company to be in 100% compliance all the time.
They demand that the controls are in place to identify when they have fallen out of compliance. The software helps organisations implement audits to help them remain in compliance and meet standards imposed by the government.

Set policies to mitigate risk

Organisations must set and manage policies that improve processes and save money, keep them secure without security team involvement, and keep them in compliance. While organisations have to meet third-party audit requirements, which often prompt policy setting, most often policies are set to meet internal standards based on a set of parameters determined by the company in advance. For example, a policy can be created based on a person’s job title and building location. If a person has “director” in their title, they are issued a higher level of access throughout a bank or hospital. If the person’s title changes, the system will automatically change the default access assigned before and add a new level of access, which may include moving from one building to another or gaining a higher level of access within a building.

Other policies help mitigate risk exponentially, such as a card revocation rule. If an access card is not used within a specified time, say 60 days, the system will automatically revoke the card temporarily. When this policy is implemented, companies discover just how many active cards are out there, not liable, and not used. Approximately 95% of temporary card revocations become permanent, meaning a company discovers it is exposed to a big risk. Another effective policy is the use-it-or-lose-it rule. When a card is not used at a specific door or access group within a specific amount of time, access is removed. This rule has produced amazing results for organisations.
One client removed 60% of their access assignments when they implemented this policy. About 800,000 assignments were removed, and they received only 10 phone calls asking about access levels. Setting a policy like this helps keep an organisation's infrastructure in place and eliminate potential damage to its brand, reputation, intellectual property, assets and physical property. When aligning security plans with reliable policies and procedures, organisations can reduce manual errors, meet compliance, improve operational effectiveness and save on total cost of ownership.
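The three policies described above (the title-based default access, the 60-day card revocation rule and the use-it-or-lose-it rule) together with the door owner's audit view from the auditing section, applied to constructed sample data. This is an added Python illustration, not AMAG's software: the 60-day window is the article's, while the 90-day use-it-or-lose-it window, the grace period for fresh grants, the access groups, cardholders and access events are all assumed.

```python
import copy
from dataclasses import dataclass
from datetime import datetime, timedelta

REVOKE_AFTER_DAYS = 60   # card revocation rule window: the article's example value
UNUSED_ACCESS_DAYS = 90  # use-it-or-lose-it window: assumed value

# Access groups and the doors they open (constructed sample data).
ACCESS_GROUPS = {
    "lobby": {"lobby-main", "lobby-side"},
    "pharmacy": {"pharmacy-door"},
    "director": {"exec-suite", "boardroom"},
}

@dataclass
class Cardholder:
    card: str
    name: str
    title: str
    groups: dict  # access group -> date the assignment was granted

NOW = datetime(2018, 3, 1)
YEAR_AGO = NOW - timedelta(days=365)

# Constructed cardholders and access events (card, door, time), shaped like an export
# from an access control system.
HOLDERS = [
    Cardholder("C001", "Ana", "Nurse", {"lobby": YEAR_AGO, "pharmacy": YEAR_AGO}),
    Cardholder("C002", "Ben", "Director of Finance", {"lobby": YEAR_AGO}),
    Cardholder("C003", "Cal", "Contractor", {"lobby": NOW - timedelta(days=200)}),
    Cardholder("C004", "Dee", "Director of Nursing", {"lobby": YEAR_AGO, "pharmacy": YEAR_AGO}),
]
EVENTS = [
    ("C001", "lobby-main", NOW - timedelta(days=2)),
    ("C001", "pharmacy-door", NOW - timedelta(days=120)),  # pharmacy unused for 120 days
    ("C002", "lobby-side", NOW - timedelta(days=10)),
    ("C003", "lobby-main", NOW - timedelta(days=75)),      # whole card unused for 75 days
    ("C004", "lobby-main", NOW - timedelta(days=1)),
    ("C004", "pharmacy-door", NOW - timedelta(days=3)),
]

def last_use(events):
    """Latest event time per (card, door)."""
    latest = {}
    for card, door, ts in events:
        if ts > latest.get((card, door), datetime.min):
            latest[(card, door)] = ts
    return latest

def cards_to_revoke(holders, events, now, days=REVOKE_AFTER_DAYS):
    """Card revocation rule: a card with no use at any door within `days` is temporarily revoked."""
    cutoff = now - timedelta(days=days)
    latest = last_use(events)
    revoked = set()
    for h in holders:
        uses = [ts for (card, _door), ts in latest.items() if card == h.card]
        if not uses or max(uses) < cutoff:
            revoked.add(h.card)
    return revoked

def assignments_to_remove(holders, events, now, days=UNUSED_ACCESS_DAYS):
    """Use-it-or-lose-it rule: an assignment whose doors saw no use within `days` is removed.
    Assignments granted less than `days` ago are skipped (assumed grace period for new grants)."""
    cutoff = now - timedelta(days=days)
    latest = last_use(events)
    remove = []
    for h in holders:
        for group, granted in h.groups.items():
            if granted > cutoff:
                continue
            used = any(latest.get((h.card, door), datetime.min) >= cutoff
                       for door in ACCESS_GROUPS[group])
            if not used:
                remove.append((h.card, group))
    return sorted(remove)

def title_grants(holders):
    """Title-based policy: anyone with 'director' in their title gets the director group."""
    return [(h.card, "director") for h in holders
            if "director" in h.title.lower() and "director" not in h.groups]

def door_audit(holders, door):
    """Door owner's audit view: names holding an assignment that covers `door`."""
    return sorted(h.name for h in holders
                  if any(door in ACCESS_GROUPS[g] for g in h.groups))

def run_policies(holders, events, now):
    """Apply title grants, then the two rules, on a copy of the data; return what changed."""
    holders = copy.deepcopy(holders)
    by_card = {h.card: h for h in holders}
    granted = title_grants(holders)
    for card, group in granted:
        by_card[card].groups[group] = now
    removed = assignments_to_remove(holders, events, now)
    for card, group in removed:
        del by_card[card].groups[group]
    return {
        "granted": granted,
        "revoked": cards_to_revoke(holders, events, now),
        "removed": removed,
        "pharmacy_audit": door_audit(holders, "pharmacy-door"),
    }
```

Running `run_policies(HOLDERS, EVENTS, NOW)` shows the distinction the article draws: Cal's whole card is revoked for 75 days of non-use, while Ana keeps her card but loses only the pharmacy assignment she has not used.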