Financial Activities

 

 

The Fraudians Slip In
https://sm.asisonline.org/Pages/The-Fraudians-Slip-In.aspx
Physical Security | 2018-03-01 | Mark Tarallo (https://adminsm.asisonline.org/pages/mark-tarallo.aspx)
<p>Fraud is thriving these days, and many of its practitioners have acquired daunting levels of skill and ingenuity for reading the current operational environment, finding weak links, and adjusting their methods to maximize the likelihood of successful scams, experts say.</p><p>"They are as skilled in committing these frauds as any skilled person is in any field of endeavor," says Alan Brill, a director with Kroll's cybersecurity and investigations practice. "They are criminals, but you have to respect the level of skill that they have, to know what you are up against."</p><p>This fraudulent activity is affecting more and more companies, according to a new study. About two-thirds of U.S. companies reported an increase in fraud attempts over the past 12 months, according to The Fifth Annual Fraud Report: A New Landscape Emerges, a study issued by IDology, an Atlanta-based identity verification firm. Last year, fewer than half (42 percent) of U.S. companies reported such a rise.</p><p>And it's not only the sheer number of fraud attempts that is changing. Methods used in perpetrating fraud are evolving, too.</p><p>"The biggest challenge faced by businesses in the fight against fraud has been the continually shifting tactics used by fraudsters," reads the study, which finds that 71 percent of organizations cite "shifting fraud tactics" as their greatest challenge.</p><p>Use of fraudulent credit, debit, and prepaid cards is still the most prevalent type of fraud, with 65 percent of respondents saying that it is the most common method in their industry. However, there are signs that it is starting to decrease.
That 65 percent figure is down from the 73 percent of respondents who cited that fraud type in last year's survey.</p><p>According to the report, the reason behind this decrease is the widespread adoption of EMV chip cards, which have reduced point-of-sale fraud. With chips making it harder to commit this type of fraud, more criminals are shifting to an online environment, where the customer is not present. "They will try to find the path of least resistance," IDology CEO John Dancu says.</p><p>There's another driving factor behind the shifts in the fraud landscape, and it has to do with how nimbly the fraudsters share knowledge. "They are really good at communicating among themselves," Dancu says. Sometimes, they will discuss methods on the Dark Web; this keeps them situationally aware and helps them change methods if necessary.</p><p>Some are also not shy about expressing pride of craft. "When they find a weak link, they are happy to tell everybody else about it," Dancu explains. "If you're on the Dark Web or their other forums, you can see the interactions and the professional enjoyment that they have in letting other people know what they have discovered. It's about being The Man."</p><p>Those dark websites and other places where fraudsters sell information and data are pretty sophisticated enterprises, Brill says. "There is a comradeship among people who do this. They do meet at the marketplaces, and these marketplaces don't look that different from eBay, with vendors getting rated by people that buy from them," he explains. Some vendors even offer buy-one-get-one (BOGO) specials, he adds.</p><p>As is true with most fields of endeavor, this increased professionalization brings about more specialization.
So, some fraudsters specialize in malware, some in the monetization or selling of breached data, and some in "social engineering"—knowing how to get to the right entry point to access information, Brill explains.  </p><p>He offered the following example of a social engineering specialist. These days, many banks frequently advertise how effective they are in protecting customers against fraud. In this environment, it may then be no surprise if one day you get a phone call from Visa security, with the caller informing you that your card was just charged with suspicious activity—$300 from an adults-only emporium in Las Vegas. Horrified, you deny the charge and ask for it to be cancelled, and so you gladly give your card information, Social Security number, and date of birth when the caller asks if they can verify you as the cardholder. </p><p>But what you might not realize is that you just handed over your information to a criminal posing as security. This type of thief takes advantage of the expectations created by frequent bank commercials that promote their quick security operations. "In effect, you have been primed for a social engineering hit," Brill says.</p><p>Although the study finds that customer-present credit card fraud may be decreasing, it also finds that synthetic identity fraud (SIF) is a growing problem. In an SIF scam, a combination of real and fabricated identity information is often used to create a new identity. Thirty-one percent of businesses in the report say SIF has increased, and 58 percent are "extremely" or "very" worried about it. Helping to drive this problem is the recent flood of major data breaches, which gives criminals more identity data to use.</p><p>In Kroll's investigations practice, Brill is seeing a big increase in the following type of case. 
A fraudster obtains the Social Security number of a young child in the aftermath of a data breach, then uses it with other information to open a few credit accounts, including one or more credit cards. </p><p>The scammer then exploits the accounts for years, with charges that are never repaid and lapse into default. Finally, the young child becomes old enough to apply for a credit card, or a lease on an apartment, and is surprised to find out that his or her credit rating is abysmal. </p><p>Marcus Christian, an attorney in Mayer Brown's White Collar Defense & Compliance group, also sees SIF as an increasing problem. Christian, a former prosecutor in the U.S. Attorney's Office for the Southern District of Florida, has heard reports that some of the criminal organizations in South Florida have been shifting away from selling narcotics and toward identity scams. "The money is as good as, if not better than, the drug trade," he says. In addition, it is often perceived as a less dangerous practice, and through connections in local school systems and banks, these criminals can obtain stolen data, he adds.  </p><p>The second-most cited type of fraud in the report—first-party or friendly fraud—is also on the rise, with 51 percent of respondents saying they have been a victim of it, nearly double the percentage (26 percent) of respondents who cited it in last year's survey. </p><p>First-party or friendly fraud generally describes fraud committed by individuals using their own accounts. These types of fraudsters might make an online purchase and then dispute the charge after the merchandise has been received, or they might open credit card accounts with the intention of maximizing charges and then lapsing into default to avoid full repayment. </p><p>One reason first-party fraud is increasing, the study finds, is that it is difficult to foil; it is hard to disprove false claims that ordered merchandise was never received, for example. 
However, experts say that big data applications hold some potential in this area as a security tool, because they can be used to recognize patterns of excessive refund requests and other telling information.</p><p>Finally, Dancu says that another cause for optimism in the fight against fraud is that an increasing number of companies are realizing the importance of working together. Fraud is a serious issue for companies regardless of industry, and since the perpetrators are sharing information and strategies, those fighting fraud need to do the same, under a consortium mindset.</p><p>"Getting connected and talking with peers is really an important part of solving the problem," Dancu says. "Be flexible, be collaborative, and be open-minded to what's going on out there."</p>
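<p>The pattern-recognition approach mentioned above, as an added example that is not code from the IDology report or from any company named in the article: a screen over a customer's order history that flags excessive refund and "item not received" dispute activity for manual review. The record layout, the 180-day window, the minimum order count and the thresholds are assumptions chosen for illustration, and the order rows are constructed sample data.</p>

```python
"""Screening for first-party ("friendly") fraud in order history.

Added example: not code from the IDology report or any vendor named in
the article. The record layout, window and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample history (hypothetical customers and amounts).
# Row: customer, order date, amount, outcome. "dispute_inr" is a
# chargeback claiming the item was never received.
ORDERS = [
    ("alice", date(2018, 1, 5), 40.0, "ok"),
    ("alice", date(2018, 1, 20), 55.0, "ok"),
    ("alice", date(2018, 2, 2), 30.0, "refund"),
    ("bob", date(2018, 1, 3), 120.0, "dispute_inr"),
    ("bob", date(2018, 1, 10), 90.0, "dispute_inr"),
    ("bob", date(2018, 1, 28), 200.0, "ok"),
    ("bob", date(2018, 2, 15), 150.0, "dispute_inr"),
    ("carol", date(2017, 6, 1), 25.0, "dispute_inr"),  # outside the window
    ("carol", date(2018, 2, 20), 20.0, "ok"),
    ("dave", date(2018, 2, 1), 500.0, "refund"),  # too few orders to judge
]
AS_OF = date(2018, 3, 1)


def customer_profiles(orders, as_of=AS_OF, window_days=180):
    """Per-customer order count, spend and refunded/disputed value in the window."""
    start = as_of - timedelta(days=window_days)
    profiles = defaultdict(
        lambda: {"orders": 0, "refunds": 0, "inr": 0, "spent": 0.0, "lost": 0.0}
    )
    for customer, day, amount, outcome in orders:
        if not start <= day <= as_of:
            continue
        p = profiles[customer]
        p["orders"] += 1
        p["spent"] += amount
        if outcome == "refund":
            p["refunds"] += 1
            p["lost"] += amount
        elif outcome == "dispute_inr":
            p["inr"] += 1
            p["lost"] += amount
    return dict(profiles)


def flag_customers(orders, as_of=AS_OF, min_orders=3, max_inr_rate=0.34, max_loss_share=0.5):
    """Customers whose refund/dispute pattern warrants manual review.

    Rules (assumptions): ignore customers below a minimum order count so a
    single claim is never flagged on its own; flag when more than a third of
    orders end in item-not-received disputes, or when refunded/disputed value
    exceeds half of what the customer spent in the window.
    """
    flagged = {}
    for customer, p in customer_profiles(orders, as_of).items():
        if p["orders"] < min_orders:
            continue
        inr_rate = p["inr"] / p["orders"]
        loss_share = p["lost"] / p["spent"] if p["spent"] else 0.0
        reasons = []
        if inr_rate > max_inr_rate:
            reasons.append(f"item-not-received rate {inr_rate:.0%} over {p['orders']} orders")
        if loss_share > max_loss_share:
            reasons.append(f"refunded/disputed value is {loss_share:.0%} of spend")
        if reasons:
            flagged[customer] = reasons
    return flagged


if __name__ == "__main__":
    for customer, reasons in flag_customers(ORDERS).items():
        print(customer, "->", "; ".join(reasons))
```

<p>Two guards carry the weight here. The minimum order count keeps a single disputed order from being treated as evidence of anything, and the time window keeps one old, possibly legitimate claim from following a customer forever. The output is a review queue, not a denial: the article's point that a false "never received" claim is hard to disprove still stands, so the rule only decides who a human looks at next.</p>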


2018-03-01  The Fraudians Slip In  https://sm.asisonline.org/Pages/The-Fraudians-Slip-In.aspx
2018-01-01  New Technology with a Personal Touch  https://sm.asisonline.org/Pages/New-Technology-with-a-Personal-Touch.aspx
2017-12-01  An Identity Crisis  https://sm.asisonline.org/Pages/An-Identity-Crisis.aspx
2017-07-17  Book Review - Business Theft and Fraud: Detection and Prevention  https://sm.asisonline.org/Pages/Business-Theft-and-Fraud--Detection-and-Prevention.aspx
2017-06-01  Accesos bajo Control (Access Under Control)  https://sm.asisonline.org/Pages/Accesos-Bajo-Control.aspx
2017-03-01  Teller Trouble  https://sm.asisonline.org/Pages/Teller-Trouble.aspx
2017-01-01  Access to Bank On  https://sm.asisonline.org/Pages/Access-to-Bank-On.aspx
2015-08-10  Access Under Control  https://sm.asisonline.org/Pages/Access-Under-Control.aspx
2014-12-02  Diebold’s Responsive Banking Concept Enhances ATM Security and Service  https://sm.asisonline.org/Pages/Diebold’s-Responsive-Banking-Concept-Enhances-ATM-Security-and-Service.aspx
2014-08-14  FinCEN Releases 'Culture of Compliance' Guidance for Financial Institution Leaders  https://sm.asisonline.org/Pages/fincen-releases-culture-compliance-guidance-financial-institution-leaders-0013620.aspx
2014-02-01  Banking on a Security Upgrade  https://sm.asisonline.org/Pages/Banking-on-a-Security-Upgrade.aspx
2014-01-07  Cybersecurity, Money Laundering Are Top Threats Facing the Financial Industry in 2014  https://sm.asisonline.org/Pages/cybersecurity-money-laundering-are-top-threats-facing-financial-industry-2014-0013072.aspx
2014-01-01  Virtual Money, Real Crime  https://sm.asisonline.org/Pages/Virtual-Money-Real-Crime.aspx
2013-12-13  Using Economics to Fight Terrorists  https://sm.asisonline.org/Pages/using-economics-fight-terrorists-0013004.aspx
2013-10-17  Visa Discusses Efforts to Prevent Fraudulent Transactions  https://sm.asisonline.org/Pages/visa-discusses-efforts-prevent-fraudulent-transactions-0012832.aspx
2013-08-01  FTC Warns Data Brokers  https://sm.asisonline.org/Pages/data-brokers-0012627.aspx
2013-06-13  Dunbar Digital Armor Announces Partnership with NASDAQ  https://sm.asisonline.org/migration/Pages/dunbar-digital-armor-announces-partnership-with-nasdaq-0012531.aspx
2013-05-01  Top 10 Performing Security Industry Stocks for February  https://sm.asisonline.org/Pages/top-10-performing-security-industry-stocks-february-0012386.aspx
2013-04-01  Top 10 Performing Security Industry Stocks for January  https://sm.asisonline.org/Pages/top-10-performing-security-industry-stocks-january-0012327.aspx

 You May Also Like...

 

 

Bag Checks At Hotels Unlikely To Become New Normal, Expert Says
https://sm.asisonline.org/Pages/Bag-Checks-At-Hotels-Unlikely-To-Become-New-Normal,-Expert-Says.aspx
<p>In the aftermath of the Las Vegas shooting that killed 59 people and wounded more than 500 others, many are wondering if hotels will change their security policies and procedures.</p><p>One area of concern is whether hotels will begin implementing bag checks, because gunman Stephen Paddock was able to smuggle 23 firearms, along with other equipment, into his suite at Mandalay Bay to carry out Sunday’s massacre.<br></p><p>The Wynn resort in Las Vegas—located on the opposite end of the Vegas Strip from the Mandalay Bay resort—introduced security guards on Monday afternoon to screen visitors with metal-detector wands. It also implemented a bag check, which created a 10-minute wait to get inside the facility.<br></p><p>This is unlikely to become the new normal for hotel security in the near future, however, says Russell Kolins, CEO of the Kolins Security Group and chair of the ASIS International Hospitality, Entertainment, and Tourism Security council.<br></p><p>“Hotels are in the business of selling privacy—they’re offering hospitality and selling privacy,” Kolins explains, adding that hotels would likely start to lose business if they began checking bags—especially in locations like Las Vegas.<br></p><p>“In Vegas especially, what happens in Vegas stays in Vegas,” Kolins says. “People bring items they don’t want other people to see.”<br></p><p>At airports, travelers are subject to bag searches—as well as body scans—because they are a different kind of target than a hotel. Travelers also have no expectation of privacy while on a plane, except for in the bathroom, unlike in a hotel where travelers expect privacy within their room, Kolins says.<br></p><p>One policy that might need to be revisited following the shooting, however, is how hotels handle checking rooms that have a “Do Not Disturb” sign on the door.
<br></p><p>Paddock checked into the Mandalay Bay on Thursday and kept a “Do Not Disturb” sign on his hotel door throughout his stay. This meant hotel cleaning staff did not enter his room, <a href="https://www.nytimes.com/2017/10/03/us/las-vegas-gunman.html?hp&action=click&pgtype=Homepage&clickSource=story-heading&module=a-lede-package-region&region=top-news&WT.nav=top-news&_r=0" target="_blank">according to a hotel worker who spoke to The New York Times,</a> because housekeeping is only allowed to enter a room with such a sign on it if a security guard is present.<br></p><p>Requiring that a security guard be present to enter rooms with privacy signs is the right move, Kolins says, but hotels should consider changing their policies to require room checks every other day.<br></p><p>“That’s an arbitrary period of time, but I think a policy should be instilled to at least check on the rooms,” Kolins says, adding that hotels would have to make patrons aware of the policy. But such a policy could, potentially, prevent an individual from using a hotel room for an extended period of time to plot a criminal act.<br></p><p>Kolins leads a team of court-certified security experts at his firm. He says he thinks it’s unlikely that Mandalay Bay will be sued for negligence for the shooting because, to sue for negligence, plaintiffs must be able to show foreseeability.<br></p><p>“This is unprecedented—nothing like this has ever happened,” Kolins explains. “If something happens the first time, it’s not foreseeable.”<br></p><p>Now that such an attack has happened, though, if a similar attack happens plaintiffs could potentially bring a lawsuit saying it was foreseeable. In response, Kolins says he expects the hotel security industry to begin having seminars and tabletop meetings to determine how they would handle a similar case.<br></p><p>“I think what this has done is show that the slogan ‘expect the unexpected’ is again proven to be true,” Kolins says.
“It wasn’t foreseeable because it was unprecedented.”<br></p>
Soft Targets: What Security Professionals Can Learn From the Manchester Attack
https://sm.asisonline.org/Pages/Soft-Targets---What-Security-Professionals-Can-Learn-From-the-Manchester-Attack.aspx
<p><em>Michael J. Fagel is a crisis management expert with more than 30 years of experience in emergency planning and response. He has written several books and is co-author of </em>Soft Targets and Crisis Management: What Emergency Planners and Security Professionals Need to Know<em>. He is a member of the ASIS School Safety and Security Council. </em></p><p>Security Management <em>Associate Editor Holly Gilbert Stowell</em> <em>spoke to Fagel about the recent terror attack in Manchester, England, and what security professionals can do to prevent soft target attacks. Their conversation has been lightly edited for clarity.</em></p><p><strong>Stowell: From what we've seen over the last few months, attacks on soft targets—places of worship, study, and leisure—seem increasingly commonplace. What type of target is the Manchester Arena—a typical soft target, or some sort of hybrid with unique features? </strong></p><p><strong>Fagel: </strong>It is a typical soft target, given the fact that there are more and more security measures in place as people get closer to the venue. It's a pretty common occurrence in stadiums, to have nonsecure areas where people are approaching the building. Just think of an airport, think of a baggage claim, think of queuing up before you get in the airport. Everybody's milling about in these commons spaces before they go through security. </p><p><strong>Stowell: The Manchester attacker detonated a suicide bomb on the perimeter of the event as people were filing out of the concert. Do you think the perimeter is actually a bigger concern for a soft target than inside the venue itself? 
</strong></p><p><strong>Fagel: </strong>I think they're equally as critical. The perimeter is of equal significance and of equal danger as inside, because nobody knows who's walking about the perimeter and the nonsecure area. A backpack looks innocuous, a lunchbox, a briefcase, a shopping bag—any one of those things would be very common in a place of commerce and wouldn't look out of the ordinary. So anybody could be wandering with that object, and you would never know that they were engaging in malicious activity. </p><p><strong>Stowell: Are U.S. arenas, and other facilities similar to the Manchester Arena in the United States, now vulnerable to attack? If so, in what ways? </strong></p><p><strong>Fagel: </strong>I don't want to be an alarmist, I want to be a realist. Nothing is invulnerable to this type of attack. I've worked in the Middle East and all over the world. Our society right now is not prepared for this type of event. I've been training police officers, firefighters, and rescue personnel for the last 20 years, and we are continually striving to be better than we are, but the bad guys learn from each incident. Every time something occurs, they will get better, and if you look at the terrorist propaganda, there are explicit instructions on how to carry out these sorts of events. These elements are cookbooks for the bad guys. </p><p>Terrorists take advantage of our openness, of our fairness, and our way of life, which they don't like for whatever reason. They use that against us. Do we want to change that? No. We're built on freedoms, but we have to be cautious that the bad guys are learning minute by minute—and nothing is off limits now. </p><p><strong>Stowell: Speaking of limits, this was an attack on a venue containing children and teenagers. 
Do we have a moral boundary in our minds that causes us to treat security differently for events concerning younger people? </strong></p><p><strong>Fagel: </strong>Have the bad guys crossed a line? The answer is yes. Have they done something that is heinous? Yes. I worked the Oklahoma City bombing in 1995 and carried out rescue and recovery during the attacks. I thought that was the worst thing I had ever seen, and having been a medic, firefighter, and police officer for many years, and seeing infants killed—I thought that crossed a line. </p><p>But bad guys now targeting the concert with a younger crowd, people as young as eight years old, to me that crosses every moral boundary. After September 11, people were really vigilant about security for the first few months, but then they started to get more lax. You can never let your guard down. As soon as you start to relax and think the threat is over with, the bad guys are watching our behaviors and will seize on that opportunity. They're watching our security postures. They're watching how we react to things. </p><p><strong>Stowell: What lessons can security professionals take away from this attack to help increase security at soft target venues? </strong></p><p><strong>Fagel: </strong>Think of soft targets like a bullseye with rings around it. Picture an airport where security needs to start prior to the secure area. If the airport is the bullseye, security needs to start in the parking lot, baggage delivery, at ticket counters. It needs to start way before you approach the secure zone, so that security is the culture of the entire area. </p><p>You have layers of defense, layers that protect you as you move closer and closer to the soft target in the middle. Let's say in an office building there's a security server for the Internet. If that's the bullseye—I have to prevent people from ever getting there. And an office worker is the softest target with Internet access and passwords. 
It's the concept and culture of hardening people, and hardening your venues so that you're more aware, and preventing something before it even gets close to your bullseye. </p><p>There must be a personal awareness. It's not somebody else's job, it's our responsibility as alert citizens to be cognizant of our surroundings, see something, say something. If it doesn't look right, it probably isn't right. </p><p>Finally, the solution is having an attitude and an awareness for things that may be out of place. I'm not talking about profiling people, I'm talking about profiling behaviors and actions. The Virginia Tech shooter, [Seung-Hui] Cho, was at the gun range, shooting holes in paper targets face down. That's a behavior. Omar Mateen wanted to buy body armor in Florida before carrying out the Pulse Nightclub massacre. Is the person acquiring weaponry? Are they buying precursory devices and material? Are they buying powder for explosives? Are they buying ammunition? Are they taking shotgun shells apart? Are they asking weird questions at the gun range, the gun shop, or the fireworks store? </p><p>Use commonly available tools and information to develop your intelligence quotient and your ability to see what may be happening. It's all about awareness. </p>
Access Under Control
https://sm.asisonline.org/Pages/Access-Under-Control.aspx
<p>Companies spend significant resources on access control equipment. Estimates of the size of the global market range from about $6 billion to around $22 billion, and a recent ASIS survey indicates that 57 percent of U.S. businesses will be increasing access control spending through 2016.</p><p>Upfront costs are just the start. Security professionals take time to determine which doors need to be locked and when. They decide where to install readers and how to process visitors. Despite the effort spent on the access control equipment layout and maintenance, over time the access control database can become mismanaged. Requests for tweaks to reader groupings and access levels are continuous. One group may want time restrictions for the janitorial crew; another group may need access to one door but want to restrict others. If these accommodations are made without regard for the overall system, over time a complicated tangle of access control levels is created. The next thing you know, security no longer controls access; access control takes charge of the organization’s security, resulting in a chaotic mess.</p><p>BB&T, a large financial services institution headquartered in Winston-Salem, North Carolina, has protocols in place that ensure appropriate and accurate administration of access control systems at its corporate locations. The Fortune 500 company has more than 1,800 financial centers in 12 states. In addition, it has approximately 120 corporate buildings–data centers, operations centers, call centers, corporate and regional headquarters–that have access control systems.</p><h4>Challenges</h4><p>Regulatory developments over the last decade make it necessary to closely maintain access control data.
The Health Insurance Portability and Accountability Act of 1996 and Gramm-Leach-Bliley Act of 1999 require healthcare and financial organizations, respectively, to keep strict watch over sensitive and personal information. The Sarbanes-Oxley Act of 2002 forced a strengthening of internal controls within corporations. More recently, the Payment Card Industry Data Security Standard requires that companies keep tight control over credit and debit card data.</p><p>These regulations, as well as others that affect specific industries, have brought more scrutiny to the administration of access control data. Most large organizations, especially those in regulated industries, have experienced an increase in audit activity as it relates to physical access controls. This means that regular reviews of access reports are required in many cases. For this reason, it is critical that the data in a company’s access control database be clean and accurate.</p><p>Numerous challenges can arise from failing to properly maintain an access control system. Maintenance lapses can result in thefts when, for example, terminated employees get into a facility. What good is an access control system if, due to negligence in maintaining the system, people can enter places they shouldn’t? If your access control database has been around for years and has turned into a Byzantine web of access permissions, what steps can be taken to get control over the data?</p><p>Access control database administrators must have an ongoing process of maintaining the accuracy of the data. A standards-based approach must be taken to manage any effective access control program. Standards include defining the types of users in the system–employees, vendors, visitors, temporary card users–and establishing how the credentials of each of these user categories will be managed and reviewed. Once the user categories are defined, space definitions and ongoing maintenance procedures must be established.</p><h4>Database management</h4><p>BB&T categorizes its cardholders into three groups based on the users’ network login ID: employees and contractors with a company network login ID; vendors, tenants, and others without a company network login ID; and temporary users. BB&T uses the network login ID for employees and contractors because the network ID is also used in the IT security database. This allows security to match the IT access records to the physical access records. Human resource data was considered for this match, but the bank determined that many vendors, temporary employees, and contractors who have a BB&T network login ID are not included in its human resource system. Matching the network login ID covers a majority of the organization’s users. If the records do not match, the user’s access is terminated.</p><p>For cards not involved in the matching process, BB&T identifies a company employee who can serve as a sponsor for each vendor and tenant. The company conducts quarterly reviews of those cards, during which the company sponsor ascertains whether the vendor or tenant employee still works for the third-party company and still needs the BB&T card.</p><p>All temporary cards in the system are assigned to the individuals who have the cards in their possession. The temporary cards may be used by visitors, trainees, vendors, and employees who forgot their badge at home. Information on the cardholder is housed within the access control database. Quarterly reports for all temporary cards are sent to one person who is responsible for ensuring that their temporary cards are accounted for.</p><h4>Space</h4><p>BB&T has established criteria and definitions of the physical space in its environment and categorizes space into three categories: critical, restricted, and general. Criteria are established for each category of space. The critical category is reserved for high-risk, critical infrastructure areas, such as server rooms or HVAC sites.
Restricted space is office space for departments that the company deems restricted. All critical and restricted space is assigned a space owner. The space owner is then responsible for approving or denying people’s access to that area. General access areas are common doors and hallways.</p><p>For each category of space, standards are established on how access is governed. For example, the data center standards might state that janitors or nonessential personnel are not granted access without an escort. Standards also dictate who can approve access to that space and how often access reports should be reviewed. For example, critical and restricted space reports are reviewed monthly or quarterly.</p><p>Access devices are grouped together based on the categories of space and the users that access the space. This streamlines the access request process and makes it easier for the requestors to understand what access they are selecting. Grouping as many readers together as possible minimizes the number of possible groupings, meaning that there are fewer choices for those requesting access. It also makes it easier to ensure that access reports are accurate, and it simplifies the process of approving access and reviewing access reports. If all readers for critical space in a building are grouped together, only one approval would be required for critical space and only one report would need to be reviewed.</p><p>However, in some cases, minimizing groupings may not be possible. For example, one group of users may be allowed into the IT area but only a subset of that group has access to the server room that resides within that area. In this case, groups would be categorized by the users rather than the readers.</p><p>It’s also important to make sure that access levels and device groupings don’t overlap. This can complicate the request process and the report reviews and could cause access reports to reflect an incomplete list of users who have access to a space.
For example, in a building with three readers, grouping one may include the front and back doors, and grouping two may include the communications room. If, in addition to these two groupings, there is an overarching grouping three that includes all three readers, this creates a problem, since each of the three individual readers belongs to two different groupings. In this scenario, if a request is made to determine who has access to the communications room, a report of the communications room reader group alone is not enough; an additional report of the group of all three readers would also need to be provided. In many organizations, this second step is missed, causing an inaccurate representation of those with access to a specific area. This can be a major issue if discovered during an audit.</p><p>Another way to remedy this issue would be to run reader reports on individual doors, in this example, a reader report on the communications room only. Most access control systems allow for this type of report. However, in companies with a large number of individual card readers, this would require many more reports. The same users often need access to multiple doors, so combining them into groupings that don’t overlap makes more sense than running individual reader reports. As a rule, BB&T does not allow a reader that has been deemed critical or restricted to belong to more than one reader grouping. This ensures that access reports are accurate and complete. It does, however, require that a user who needs access to a full building, such as a janitor or security officer, request access to each area of the building rather than requesting overarching access to the entire building. This is beneficial, not only for reporting reasons, but also because it requires that space owners approve all users who have access to their space and holds the space owners responsible for knowing who is entering their space.
Controls in the report review process can be set up to ensure that a space owner does not remove access for a janitor or security officer. Some systems allow cards to be flagged so that a higher level of scrutiny is required before access is removed. Nonetheless, this is a cleaner way to set up access levels, and it ensures that space owners review a report of all users who have access to their space, which is what most auditors are looking for.</p><h4>Clean-Up</h4><p>If an access control system has become muddled over time, a database clean-up is recommended. A good place to start is to deactivate all cards that have not been used within a specific timeframe, such as the previous six months. That leaves fewer cards to review. Next, security can find a common piece of data shared with another database in the company that identifies current employees. Human resource or information security data is best for determining whether active cardholders in the system still work for the company. For the remaining cards, held by nonemployees, visitors, tenants, and contractors, security should research whether each card user can be associated with a manager or employee within the company. Security can then work with these internal partners to implement an ongoing review of access cards.</p><h4>Maintenance</h4><p>Performing a regular match against human resource or information security data ensures that cards are deactivated for users whose information no longer matches that on the card. If a user is not captured in the match, that person should be assigned to a sponsor for quarterly review to determine whether any credentials need to be terminated. Access reports should be reviewed for all nongeneral space to ensure that users still need access to the designated areas. Such reviews should take place at regular intervals no longer than a quarter. 
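The clean-up and maintenance steps above, as an added example that is not part of the article or of BB&T's process: the card records, the HR roster, the dates and the 182-day cutoff are constructed sample data, and the holder identifier is the assumed "common piece of data" matched against HR.

```python
from datetime import date, timedelta

# Constructed sample data; the review date and cutoff are assumptions.
TODAY = date(2015, 3, 1)
UNUSED_LIMIT = timedelta(days=182)   # roughly "the previous six months"

# card_id -> (holder id as recorded in the access system, last badge use)
CARDS = {
    "C100": ("emp-001", date(2015, 2, 27)),   # active employee, used recently
    "C101": ("emp-002", date(2014, 6, 1)),    # active employee, card dormant
    "C102": ("emp-003", date(2015, 2, 1)),    # terminated according to HR
    "C103": ("vis-9001", date(2015, 2, 20)),  # visitor, no HR record
    "C104": ("ctr-42", None),                 # contractor, never used
}

# The matching key shared with HR: holder id -> HR status (constructed).
HR_ROSTER = {"emp-001": "active", "emp-002": "active", "emp-003": "terminated"}


def triage_cards(cards, hr, today=TODAY, limit=UNUSED_LIMIT):
    """Sort cards into the three action buckets the article describes.

    1. stale:          not used within `limit`; deactivate first, which
                       leaves fewer cards to review
    2. deactivate:     holder matches HR but is no longer active
    3. sponsor_review: holder has no HR match (visitor, tenant, contractor)
                       and must be tied to a sponsor for quarterly review
    Cards that match an active HR record need no action and are omitted.
    """
    out = {"stale": [], "deactivate": [], "sponsor_review": []}
    for card_id, (holder, last_used) in sorted(cards.items()):
        if last_used is None or today - last_used > limit:
            out["stale"].append(card_id)
        elif holder in hr and hr[holder] != "active":
            out["deactivate"].append(card_id)
        elif holder not in hr:
            out["sponsor_review"].append(card_id)
    return out


if __name__ == "__main__":
    for bucket, ids in triage_cards(CARDS, HR_ROSTER).items():
        print(f"{bucket:15s} {ids}")
```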
An important piece of the access request process is to ensure that all necessary information is captured to support the new standards and the report review. For example, if the request is for a visitor, security should capture the name of the person who will have that card in their possession during the request.</p><h4>Automation</h4><p>BB&T is working to upgrade the automation of its access control request and audit reporting system by the end of 2015. It is considering software that automates the entire access control database management process, from the onboarding human resource system to the access control system. This would include a software interface that would be fully integrated with the information security credentialing system. The ideal software would fully integrate with the access control system so that approved access is automatically provisioned with no human intervention.</p><p>Cost is a major factor in implementing such automation. Some companies choose to automate pieces of the process. Some use a simple Web portal form that sends e-mails to approvers and ultimately e-mails the request to the team that provisions access, or provides a dashboard for the access control team to view requests. Many companies have integrated with human resource or information security data to update their access control system, which allows for the automatic deactivation of cards for terminated employees, vendors, or contractors. Others have found a way to automate the report reviews. Few access control manufacturers provide these additional software tools in combination with their access control software. Some will work with or direct their customers to third-party solutions, while others are beginning to see the need for automation and are incorporating pieces into their standard software package, such as more robust reporting capabilities.
</p><p>These efforts may seem daunting, but once the standards are set, the database is cleaned up, ongoing maintenance is initiated, and some level of automation is implemented, the system will be under control. It is imperative that security professionals see beyond the equipment and installation and not rely solely on these for protection. A sound maintenance program ensures that, should access control processes be called into question, security can be confident that the company’s program is under control.</p><p>--</p><p><em><strong>Briggette Jimenez, CPP,</strong> is physical security manager at BB&T, where she manages the company’s security command center, security operations, and workplace violence prevention programs.</em></p>