Fraud/White Collar Crime

 

 

https://sm.asisonline.org/Pages/Tigers-and-Flies.aspxCorruption and Cultural DifferencesGP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a43444652019-06-01T04:00:00Zhttps://adminsm.asisonline.org/pages/claire-meyer.aspx, Claire Meyer<p>​In 2013, China’s then-president-in-waiting Xi Jinping vowed to crack down on corruption, promising to pursue both “tigers” and “flies”—powerful leaders, lowly bureaucrats, domestic and international businesses. The announcement was not an empty promise for President Xi. </p><p>Later that same year, pharmaceutical company GlaxoSmithKline (GSK) offices were raided throughout China, kicking off a 10-month investigation into bribery of nongovernment personnel. The Public Security Ministry accused the company of bribing doctors to prescribe their drugs and concocting a scheme to raise drug prices. Chinese officials said GSK executives admitted to using bribes, kickbacks, and other fraudulent measures to boost sales in China. In 2014, GSK agreed to pay a fine of $500 million, and the head of its Chinese operations was deported. </p><p>During the five years following Xi’s speech, China punished more than 1.5 million officials and investigated 440 senior officials, according to a statement from the Communist Party of China. In 2018, China established an anticorruption body called the National Supervision Commission and adopted a Supervision Law. </p><p>“The Chinese authorities are tak­ing [anticorruption] incredibly seriously,” says Kent Kedl, senior partner at Control Risks, who has been working in or around China for decades. “Before this, foreign companies and particularly American companies were primarily concerned with the anticorruption laws that had some sort of extraterritoriality to them. But now, they also have to be concerned about the Chinese antibribery initiatives. The environment for scrutiny by a number of regulatory bodies has certainly increased in China, and it is ramping up the nervousness for Chinese and foreign companies and individuals.” </p><p>Up until 2013, GSK had been experiencing radical growth in the country, but after the investigation, it lost 60 to 80 percent of its business in China, Kedl says. The company’s growth of 30 to 40 percent a year was exciting but unsustainable, because GSK “didn’t shore up that growth with a big focus on behavior in the market. It’s essential to take a hard look—is your growth sustainable and resilient? Will it hold up to scrutiny? You need to have an accurate view of the pressures your people, distributors, and agents are facing.”</p><p>As businesses adjust to the new regulatory environment, China’s inconsistent enforcement has made it difficult for organizations to decide on a clear path forward. </p><p>“It’s very challenging now to operate in China because of the inconsistent way that laws are enforced,” says Pamela Passman, president and CEO for the Center for Responsible Enterprise and Trade (CREATe). “It’s also an environment where the economy is going through changes. There’s a very significant focus on the growth of state-owned enterprises and their global reach, and so I think it’s one the of the most challenging times to do business in China.” </p><p>According to Transparency International’s <em><a href="https://www.transparency.org/cpi2018" target="_blank">Corruption Perceptions Index 2018,</a></em> the average global score for corruption is just 43 out of 100, with only 20 countries making significant progress in their ethical standards in recent years. For comparison, Denmark is the top-scoring country at 88; Somalia is the lowest-scoring country at 10. The United States has a score of 71. China scores 39. </p><p>According to Gillian Dell, head of the conventions unit for Transparency International and coauthor of the report <em><a href="https://www.transparency.org/whatwedo/publication/exporting_corruption_2018" target="_blank">Exporting Corruption—Progress Report 2018: Assessing Enforcement of the OECD Anti-Bribery Convention,</a></em> navigating ethical compliance in certain regions is a prisoner’s dilemma for competing organizations. That is especially true when there is a perception that other companies are flouting the rules because their home country lacks the political will to punish corruption performed abroad or because low-level bribery appears to be par for the course in that region. </p><p>Despite the country’s efforts to clean up corruption within its borders, “the state of international corruption management in China is miserable,” Dell says. She cites a 2018 case where three Chinese nationals were charged in Kenya for paying a bribe of approximately $5,000 to influence the outcome of a fraud investigation into a railway project. Multiple Chinese companies have been the subject of publicly reported corruption investigations in numerous countries, including the United States, Ethiopia, Sri Lanka, and Bangladesh. </p><p>According to publicly available information, however, no investigations or charges were ever opened in China against its companies, citizens, or residents for foreign corrupt practices, Dell says. The lack of enforcement or deterrents that China imposes on its citizens working abroad leaves gaps for corruption to be exported internationally, resulting in an uneven playing field for other businesses.</p><p>When operating in a country with frequent bribery or competing with companies that adhere to lower ethical standards, organizations face tough choices. In China, for example, it can be expected for salespeople to give a bribe (often presented in a red envelope called a hongbao or lai see) of up to 10 percent of the final invoice amount to seal a deal, Kedl says. However, hongbao are traditionally given as a show of respect or good fortune at holidays and special events between family members, friends, and business associates, creating an ethical quandary—when does a culture of gift-giving cross the line into bribery? </p><p>Passman notes that organizations have two options: either establish a global anticorruption policy that remains strict about gift-giving regardless of local culture or employ a flexible policy that allows for nominal gifts at appropriate holidays, provided they are not used to facilitate a transaction. In either case, establishing clear guidance communicated from the top-down is essential. </p><p>“There’s a culture of kickbacks you have to address. Foreign companies see [ethics] as a rules thing, but very often, your local employees can’t figure out how to obey the rules and do their jobs,” Kedl says. If a salesperson is trying to close a deal but refuses to give a bribe, he or she may easily lose that sale, and that’s challenging for someone trying to earn a commission.</p><p>In response, Kedl emphasizes resistance strategies—how to say “no” and still have a chance to make the deal. This could involve denoting respect to the client in other ethical ways. He implemented roleplay training with his staff so they could practice refusing bribery more positively. He also implemented a program mandating that if a salesperson could prove that he or she could not close a deal because of a bribe, Kedl would still honor 50 percent of the commission. </p><p>Multiple organizations can also band together to improve the ethical landscape for a particular region or project, Dell says. For example, multiple engineering companies competing for the same contracts in East Africa can collectively agree that they will refuse to act illegally in pursuit of the deal. These “integrity pacts,” Dell says, help companies avoid having to resort to unethical conduct to compete. </p><p>In addition, businesses can cite recent events such as when Uzbek telecommunications executive Gulnara Karimova was charged in March 2019 of conspiring to violate the U.S. Foreign Corrupt Practices Act (FCPA) with a money laundering scheme. Even if the fraud falls through, Dell says, companies run the risk of being charged with conspiracy or passive bribery (the act of soliciting a bribe). </p><p>“So your response to a request for unethical behavior is no longer just ‘I could be punished’ but ‘I could be prosecuted, and so could you,’” she says. </p><p>Developing a culture of integrity, ethics, and respect was the most important ethics and compliance objective companies cited in the<em><a href="https://www.ethics.org/knowledge-center/2018-gbes-2/" target="_blank"> 2018 Ethics & Compliance Third-Party Risk Management Benchmark Report​</a></em> from NAVEX Global, eclipsing past years’ leading objective—avoiding regulatory and enforcement matters. </p><p>Managing ethical standards becomes more complicated when third parties are involved along an international supply chain. Forty-five percent of large organizations (with more than 5,000 employees) surveyed for the NAVEX report engage more than 5,000 third parties. The top challenge organizations cited was consistently monitoring third parties; while a majority of survey respondents follow some form of screening and monitoring, nearly 40 percent do not monitor their third parties, leaving them open to risk. </p><p>Passman says that managing ethical risk is similar to managing cybersecurity risks. Corruption can happen in any country, and it only takes one person to expose the organization to risk. However, focusing on continuous improvement and regularly reevaluating the supply chain’s risks (which third parties are working with government officials or contracts, who owns each third-party partner) can improve compliance programs. </p><p>Self-reporting also wins favor from prosecutors during investigations, Passman adds. In March 2018, the U.S. Department of Justice announced expanded use of the FCPA Enforcement Policy guidelines so companies that self-report FCPA violations and fully cooperate with the resulting investigation may be granted a 50 percent reduction off the minimum sentence, if they are criminally charged at all. </p><p>The Justice Department looks at compliance programs at the time of violation as well as the time of sentencing, Passman says, so companies can demonstrate both the anticorruption measures they had in place and what they have done to address any loopholes or vulnerabilities that have been uncovered. </p><p>“Ethics and compliance at large are something where leaders have to articulate this on an ongoing basis in business discussions with their own people, in their business discussions with third parties. It’s not something you hear just once a year or when you’re onboarded into a company,” she says. “Employees want to hear from their managers, then they are more likely to report matters when they see them.”</p>

Fraud/White Collar Crime

 

 

https://sm.asisonline.org/Pages/Tigers-and-Flies.aspx2019-06-01T04:00:00ZCorruption and Cultural Differences
https://sm.asisonline.org/Pages/Book-Review-Why-They-Do-It.aspx2019-05-01T04:00:00ZBook Review: Why They Do It
https://sm.asisonline.org/Pages/Book-Review-Retail-Risk.aspx2018-12-01T05:00:00ZBook Review: Retail Risk
https://sm.asisonline.org/Pages/Access-With-A-Twist.aspx2018-12-01T05:00:00ZAccess With A Twist
https://sm.asisonline.org/Pages/The-Fraudster-Down-the-Hall.aspx2018-08-01T04:00:00ZThe Fraudster Down the Hall
https://sm.asisonline.org/Pages/The-Fraudians-Slip-In.aspx2018-03-01T05:00:00ZThe Fraudians Slip In
https://sm.asisonline.org/Pages/The-Unique-Threat-of-Insiders.aspx2017-10-01T04:00:00ZThe Unique Threat of Insiders
https://sm.asisonline.org/Pages/Book-Review---Insider-Threat.aspx2017-07-01T04:00:00ZBook Review: Insider Threat
https://sm.asisonline.org/Pages/Trade-Secret-Asset-Management-2016.aspx2017-06-05T04:00:00ZTrade Secret Asset Management 2016
https://sm.asisonline.org/Pages/Loss-Prevention-Lab.aspx2017-06-01T04:00:00ZLoss Prevention Lab
https://sm.asisonline.org/Pages/Who’s-Who-in-Retail-Loss-Prevention.aspx2017-06-01T04:00:00ZWho’s Who in Retail Loss Prevention
https://sm.asisonline.org/Pages/Book-Review--Crime-Prevention.aspx2017-05-01T04:00:00ZBook Review: Crime Prevention
https://sm.asisonline.org/Pages/Facebook-Takes-Action-To-Limit-Spread-of-Propaganda.aspx2017-04-28T04:00:00ZFacebook Takes Action To Limit Spread of Propaganda
https://sm.asisonline.org/Pages/Wells-Fargo-To-Pay-$110-Million-To-Settle-Class-Action-Lawsuits.aspx2017-03-29T04:00:00ZWells Fargo To Pay $110 Million To Settle Class Action Lawsuits
https://sm.asisonline.org/Pages/Teller-Trouble.aspx2017-03-01T05:00:00ZTeller Trouble
https://sm.asisonline.org/Pages/Crime-of-Opportunity.aspx2016-12-01T05:00:00ZCrime of Opportunity
https://sm.asisonline.org/Pages/Playing-Clean.aspx2016-12-01T05:00:00ZPlaying Clean
https://sm.asisonline.org/Pages/Book-Review---Anti-Fraud-Program-Design.aspx2016-06-01T04:00:00ZBook Review: Anti-Fraud Program Design
https://sm.asisonline.org/Pages/Book-Review---Fraud-Identification-and-Prevention.aspx2016-06-01T04:00:00ZBook Review: Fraud Identification and Prevention
https://sm.asisonline.org/Pages/Upping-the-Ante-on-Corruption.aspx2016-03-01T05:00:00ZUpping the Ante on Corruption

 You May Also Like...

 

 

https://sm.asisonline.org/Pages/Training-Your-Team.aspxTraining Your Team<p>​</p><p>Whether the action is on the battlefield or the basketball court, you can be certain that the winning team owes its success in large measure to extensive training. Recognizing the importance of training to any team’s performance, the Cincinnati Children’s Hospital Medical Center set out to makes its own training program better. </p><p>The existing training program, which the director of protective services felt lacked specificity, consisted of one of the shifts’ veteran officers sitting with the new security employees and covering several department and hospital-specific policies along with administrative topics. Additionally, the new officers would be given several commercially produced security training videotapes to view, after which they were required to complete the associated tests. Following the completion of the tapes and review of the policies and administrative procedures, officers would go through brief hands-on training for certain subjects such as the use of force and pepper spray.</p><p>Once they completed these tests and training sessions, the officers would then begin their on-the-job training. Officers have historically stayed in the on-the-job phase of training between three and five weeks, depending on how quickly the officers learned and were comfortable with command center operations. When the officers completed their training program, they had to pass the protective services cadet training test as well as a test on command center procedures.</p><p>Training council. To help devise a better training program, the security director chose several members of the staff to sit on a training council. The group, which included the director, three shift managers, and the shift sergeants, met to discuss the current training program and what could be done to enhance it.</p><p><br>Through discussions with new employees, the council learned that the existing program was boring. The council wanted to revitalize the training to make it more interesting and more operationally oriented. The intent was to emphasize hands-on, performance-oriented training. The council also wanted to improve the testing phase so that the program results could be captured quantitatively to show the extent to which officers had increased their knowledge and acquired skills. <br> <br>Phases. The council reorganized training into four phases: orientation, site-specific (including on-the-job), ongoing, and advanced. Under the new program, the officers now take a test both before training, to show their baseline knowledge, and after the training, to verify that they have acquired the subject matter knowledge; they must also successfully demonstrate the proper techniques to the instructors.</p><p>Orientation training. The orientation training phase begins with the new employees attending the hospital’s orientation during their first day at the facility. The security department’s training officer then sits down with the new officers beginning on their second day of employment. This training covers all of the basic administrative issues, including what the proper clock-in and clock-out procedures are, when shift-change briefings occur, and how the shift schedules and mandatory overtime procedures function.   </p><p>The training officer also administers a preliminary test to the new officers that covers 12 basic security subjects including legal issues, human and public relations, patrolling, report writing, fire prevention, and emergency situations. New employees who have prior security experience normally score well on the test and do not need to view security training tapes on the subjects. The officers must receive a minimum score of 80 percent to receive credit for this portion of the training. If an officer receives an 80 percent in most topics but is weak in one or two subjects, that officer is required to view just the relevant tapes, followed by associated tests.</p><p>All officers, regardless of the amount of experience, review the healthcare-specific tapes and take the related tests for the specific subjects including use of force and restraint, workplace violence, disaster response, bloodborne pathogens, assertiveness without being rude, and hazardous materials. Also included in the orientation training phase are classes covering subjects such as pepper spray, patient restraint, defensive driving, and the hospital’s protective services policies.</p><p>Site-specific training. During site-specific training, officers learn what is entailed in handling specific security reports. The shift manager, shift officer-in-charge, or the training officer explains each of the reports and has the new employee fill out an example of each. Examples of reports covered in site-specific training include incident reports, accident reports, field interrogation reports, fire reports, motorist-assist forms, ticket books, safety-violation books, broken-key reports, work orders, bomb-threat reports, and evidence reports.</p><p>On-the-job training is also part of the site-specific training phase. The new employee works with a qualified security officer for a period of two to three weeks following the first week of orientation training with the departmental training officer. The new employee works through all of the various posts during this time. At least one week is spent in the command center. The site-specific phase of training culminates with both the security officer cadet training exam and the command center exam, which were also given in the original program.</p><p>Ongoing training. The ongoing training includes refresher training in which shift managers have their officers review selected films covering healthcare security and safety subjects. The training occurs during shift hours. The officers also receive annual refresher training covering topics such as using pepper spray and employing patient-restraint methods.</p><p>Another type of ongoing training, shift training, is conducted at least weekly. Managers conduct five-to ten-minute meetings during duty hours to refresh the security staff on certain subjects, such as customer service. These sessions are not designed to deal with complex topics. Managers can tie these sessions to issues that have come up on the shift.</p><p>Advanced training. Advanced training includes seminars, management courses, and sessions leading to professional designations and certifications. Qualified personnel are urged to attend seminars sponsored by several professional societies and groups such as ASIS International, the International Healthcare Association for Security and Safety, and Crime Prevention Specialists. Staff members are also encouraged to attain the Crime Prevention Specialist (CPS) certification, the Certified Protection Professional (CPP) designation, and the Certified Healthcare Protection Administrator (CHPA) certification.</p><p>Staff members are urged to pursue special interests by obtaining instructor certification such as in the use of pepper spray or the use of force. This encouragement has already paid off for the hospital. For example, the department’s security systems administrator has trained officers on each shift in how to exchange door lock cylinders, a task that would previously have required a contractor. Officers are currently being trained to troubleshoot and repair CCTV, access control systems, and fire alarm equipment problems.</p><p>Training methods. A special computer-based training program was developed to help quantify and track the success in each of the training modules. Additionally, a program was developed to present training subjects during shift changes.</p><p>Computer training. Security used off-the-shelf software to create computer-based training modules and included them in the site-specific training and ongoing training phases, both of which occur during shift hours. The training council tasked each shift with creating computer-based training modules for the various security officer assignments on the hospital’s main campus and off-campus sites. These training modules cover life safety, the research desk, the emergency department, exterior patrols, foot and vehicle patrols, and the command center.</p><p>The training council asked officers to participate in the creation of the computer-based training modules. The officers produced the training modules during their respective shifts when it did not interfere with other responsibilities.  </p><p>The group participation paid off. For example, the officers who created the command center and the emergency-department training modules not only spent several hours discussing what information should be included in the modules, but then allowed their creativity to flow by using the software to make these modules interactive. These particular modules include test questions of the material, and the program will respond appropriately to the employees as they answer the questions correctly or incorrectly. The volunteers also created tests for before and after an officer goes through each of the computer modules to track the effectiveness of the training.</p><p>Shift-change training. A major question with ongoing training is how to fit it into the officer’s routine. For most industries using shift work, difficulties arise when trying to carve out enough training time without creating overtime. The training council decided to take advantage of downtime that occurs as officers come to work ready for their shift to begin. They are required to show up six minutes before the shift. This time is now used for training.</p><p>The shift-change training is used to cover specific topics—already covered in some of the training phases—that can be easily encapsulated into a six-minute program. For example, some topics include departmental policies, radio communication procedures, command center refresher sessions, self-defense subjects, confronting hostile people, proper report writing, and temporary restraint training. By implementing the shift-change training sessions on a weekly basis, the department created an additional five hours of training per year for each officer.</p><p>One of the security supervisors created a six-minute training binder to house all of the lesson plans. Each shift supervisor uses the same lesson plan so that the training is consistent across the shifts. As with all other training, the before-and-after tests are given to quantitatively document changes in subject knowledge or skills.</p><p>Results. After implementing the training program, the training council wanted to check the initial results to see whether the training was effective. There were numerous quantifiable measurements that the council could use to evaluate the new training program, such as tracking the rate of disciplinary actions from the previous year to the current year. However, since the council desired to have a quick assessment of the training program changes, it decided to compare the after-training test scores to the before-training test scores for the computer-based training modules as well as the scores of the six-minute training tests. </p><p>To the council’s surprise, the initial tabulated scores resulted in an average before-training test score of 93 percent and an after-training test score of 95 percent. The council also found in many of the officers’ tests that they missed the same questions on both the before and after tests.</p><p>Based on these results, the council decided to make several changes. First, the test questions were reviewed and tougher questions were added. Based on the preliminary test score, the council felt that the questions were not challenging enough and might not indicate how competent the officers were with the subject matter. </p><p>The training council assigned each shift the task of revising the tests for their computer-based training modules as well as the six-minute training tests. The goal was to make the tests more challenging and to obtain more accurate assessments of the effectiveness of the training program. </p><p>The training council also reviewed how the different shifts were conducting the six-minute lessons. Managers noted that the shifts initially followed the schedule of the six-minute subjects from week to week, but then they began to conduct their own lessons without an accepted lesson plan or to forgo training altogether. </p><p>To avoid this problem, the training council determined that the training program needed to be more structured. The group created a schedule to indicate which class would be covered each week. One of the shift supervisors volunteered to take over the six-minute training program and formally structure it so that each shift would conduct training in a consistent manner.</p><p>The training council has plans to further hone the training program in the near future. The council plans to analyze the program us­ing other quantitative evaluative instruments such as an employee survey and a comparison of disciplinary action data from previous years. </p><p>In battle, it is said that an army fights as it has trained. Thus, commanders know the value of training. In the businessworld, though the stakes are different, training is no less critical to the success of the mission.</p><p>Ronald J. Morris, CPP, is senior director of protective services at Cincinnati Children’s Hospital Medical Center. Dan Yaross, CPP, is manager of protective services. Colleen McGuire, CPS (crime prevention specialist), is sergeant of protective services. Both Morris and Yaross are members of ASIS International.</p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465
https://sm.asisonline.org/Pages/Access-Under-Control.aspxAccess Under Control<p>​<span style="line-height:1.5em;">Companies spend significant resources on access control equipment. Estimates of the size of the global market range from about $6 billion to around $22 billion, and a recent ASIS survey indicates that 57 percent of U.S. businesses will be increasing access control spending through 2016. </span></p><p>Upfront costs are just the start. Security professionals take time to determine which doors need to be locked and when.  They decide where to install readers and decide how to pro­cess visitors. Despite the effort spent on the access control equipment layout and maintenance, over time the access control database can become mismanaged. Requests for tweaks to reader groupings and access levels are continuous. One group may want time restrictions for the janitorial crew; another group may need access to one door but want to restrict others. If these accommodations are made without regard for the overall system, over time a complicated tangle of access control levels is created. The next thing you know, security no longer controls access; access control takes charge of the organization’s security, resulting in a chaotic mess.</p><p>BB&T, a large financial services institution headquartered in Winston-Salem, North Carolina, has protocols in place that ensure appropriate and accurate administration of access control systems at its corporate locations. The Fortune 500 company has more than 1,800 financial centers in 12 states.  In addition, it has approximately 120 corporate buildings–data centers, operations centers, call centers, corporate and regional headquarters–that have access control systems. ​</p><h4>Challenges</h4><p>Regulatory developments over the last decade make it necessary to closely maintain access control data. The Health Insurance Portability and Accountability Act of 1996 and Gramm-Leach-Bliley Act of 1999 require health­care and financial organizations, respectively, to keep strict watch over sensitive and personal information. The Sarbanes-Oxley Act of 2002 forced a strengthening of internal controls within corporations. More recently, the Payment Card Industry Data Security Standard requires that companies keep tight control over credit and debit card data. </p><p>These regulations, as well as others that affect specific industries, have brought more scrutiny to the administration of access control data. Most large organizations, especially those in regulated industries, have experienced an increase in audit activity as it relates to physical access controls. This means that regular reviews of access reports are required in many cases. For this reason, it is critical that the data in a company’s access control database be clean and accurate.  </p><p>Numerous challenges can arise from failing to properly maintain an access control system. Maintenance lapses can result in thefts when, for example, terminated employees get into a facility. What good is an access control system if, due to negligence in maintaining the system, people can enter places they shouldn’t? If your access control database has been around for years and has turned into a Byzantine web of access permissions, what steps can be taken to get control over the data? </p><p>Access control database administrators must have an ongoing process of maintaining the accuracy of the data. A standards-based approach must be taken to manage any effective access control program. Standards include defining the types of users in the system–employees, vendors, visitors, temporary card users– and establishing credentials for which each of these user categories will be managed and reviewed. Once the user categories are defined, space definitions and ongoing maintenance procedures must be established. ​</p><h4>Database management</h4><p>BB&T categorizes its cardholders into three groups based on the users’ network login ID. There are employees and contractors with a company network login ID; vendors, tenants, and others without a company network login ID; and temporary users. BB&T uses the network login ID for employers and contractors because the network ID is also used in the IT security database. This allows security to match the IT access records to the physical access records. Human resource data was considered for this match, but the bank determined that many vendors, temporary employees, and contractors who have a BB&T network login ID are not included in its human resource system. Matching the network login ID covers a majority of the organization’s users. If the records do not match, the user’s access is terminated.   </p><p>For cards not involved in the matching process, BB&T identifies a company employee who can serve as a sponsor for each vendor and tenant. The company conducts quarterly reviews of those cards, during which the company sponsor ascertains whether the vendor or tenant employee still works for the third-party company and still needs the BB&T card.</p><p>All temporary cards in the system are assigned to the individuals who have the cards in their possession. The temporary cards may be used by visitors, trainees, vendors, and employees who forgot their badge at home. Information on the cardholder is housed within the access control database. Quarterly reports for all temporary cards are sent to one person who is responsible for ensuring that their temporary cards are accounted for.  ​</p><h4>Space</h4><p>BB&T has established criteria and definitions of the physical space in its environment and categorizes space into three categories: critical, restricted, and general. Criteria are established for each category of space. The critical category is reserved for high-risk, critical infrastructure areas, such as server rooms or HVAC sites. Restricted space is office space for departments that the company deems restricted. All critical and restricted space is assigned a space owner. The space owner is then responsible for approving or denying people’s access to that area. General access areas are common doors and hallways.</p><p>For each category of space, standards are established on how access is governed. For example, the data center standards might state that janitors or nonessential personnel are not granted access without an escort. Standards also dictate who can approve access to that space and how often access reports should be reviewed. For example, critical and restricted space reports are reviewed monthly or quarterly.</p><p>Access devices are grouped together based on the categories of space and the users that access the space. This streamlines the access request process and makes it easier for the requestors to understand what access they are selecting. Grouping as many readers together as possible minimizes the number of possible groupings meaning that there are fewer choices for those requesting access. It also makes it easier to ensure that access reports are accurate, and it simplifies the process of approving access and access report reviews. If all readers for critical space to a building are grouped together, only one approval would be required for critical space and only one report would need to be reviewed.  </p><p>However, in some cases, minimizing groupings may not possible. For example, one group of users may be allowed into the IT area but only a subset of that group has access to the server room that resides within the lab. In this case, groups would be categorized by the users rather than the readers.</p><p>It’s also important to make sure that access levels and device groupings don’t overlap. This can complicate the request process and the report reviews and could cause access reports to reflect an incomplete list of users who have access to a space. For example, in a building with three readers, grouping one may include the front and back doors, and grouping two may include the communications room. If, in addition to these two groupings, there is an overarching grouping three that includes all three readers, this could create a problem since each of the three individual readers belong to two different groupings. In this scenario, if a request is made to determine who has access to the communications room, rather than producing a report of the communications room reader group, an additional report of the group of all three readers would need to be provided. In many organizations, this second step is missed, causing an inaccurate representation of those with access to a specific area. This can be a major issue if discovered during an audit.</p><p>Another way to remedy this issue would be to run reader reports on individual doors, in this example, a reader report on the communications room only. Most access control systems allow for this type of report. However, in companies with a large number of individual card readers, this would require many more reports. The same users often need access to multiple doors, so combining them into groupings that don’t overlap makes more sense than running individual reader reports. As a rule, BB&T does not allow a reader that has been deemed critical or restricted to belong to more than one reader grouping. This ensures that access reports are accurate and complete.  It does, however, require that a user who needs access to a full building, such as a janitor or security officer, request access to each area of the building rather than requesting overarching access to the entire building. This is beneficial, not only for reporting reasons, but also because it requires that space owners approve all users who have access to their space and holds the space owners responsible for knowing who is entering their space. Controls in the report review process can be set up to ensure that a space owner does not remove access for a janitor or security officer. Some systems allow cards to be flagged and would require a higher level of scrutiny before access is removed. Nonetheless, this is a cleaner way to set up access levels and ensures that space owners will review a report of all users that have access to their space, which is what most auditors are looking for.   ​</p><h4>Clean-Up</h4><p>If an access control system has become muddled over time, a database clean-up is recommended. A good place to start is to deactivate all cards that have not been used in a specific timeframe, such as the previous six months. Thus there will be fewer cards to review. Then, security can find a common piece of data with another database in the company that provides a match of current employees. Human resource or information security data is best to determine whether active cardholders in the system still work for the company. Of the remaining cards for nonemployees, visitors, tenants, and contractors, security should research whether the card users can be associated with a manager or employee within the company. Security can work with these internal partners to implement an ongoing review of access cards. ​</p><h4>Maintenance</h4><p>Performing a regular match of human resource or information security data ensures that cards are deactivated for users whose information does not match that on the card. If a user is not captured in the match, that person should be assigned to a sponsor for quarterly review to determine whether any credentials need to be terminated. Access reports should be reviewed for all nongeneral space to ensure that users still need access to the designated areas. Such reviews should take place at regular intervals–not more than quarterly. An important piece of the access request process is to ensure that all necessary information is captured to support the new standards and to support the report review. For example, if the request is for a visitor, security should capture the name of the person who will have that card in their possession during the request.   ​</p><h4>Automation</h4><p>BB&T is working to upgrade the auto­mation of its access control request and audit reporting system by the end of 2015. It is considering software that automates the entire access control database management process from the onboarding human resource system to the access control system. This would include a software interface that would be fully integrated with the information security credentialing system. The ideal software would fully integrate with the access control system where approved access is automatically provisioned with no human intervention.</p><p>Cost is a major factor in implementing such automation. Some companies choose to automate pieces of the process. Some use a simple Web portal form that sends e-mails to approvers and ultimately e-mails the request to the team that provisions access or provides a dashboard for the access control team to view requests. Many companies have integrated with human resource or information security data to update their access control system, which allows for the automatic deactivation of cards for terminated employees, vendors, or contractors. Others have found a way to automate the report reviews. Few access control manufacturers provide these additional software tools in combination with their access control software. Some will work with or direct their customers to third-party solutions, while others are beginning to see the need for automation and are incorporating pieces into their standard software package, such as more robust reporting capabilities.  </p><p>These efforts may seem daunting, but once the standards are set and the database is cleaned up, ongoing maintenance is initiated, and some level of automation is implemented, the system will be under control. It is imperative that security professionals see beyond the equipment and installation and not rely solely on these for protection. A sound maintenance program ensures that, should access control processes be called into question, security can be confident that the company’s program is under control.  </p><p>--</p><p><em><strong>Briggette Jimenez, CPP,</strong> is physical security manager at BB&T where she manages the company’s security command center, security operations, and workplace violence prevention programs.</em></p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465