Financial Activities

Access to Bank On
By Holly Gilbert Stowell (https://adminsm.asisonline.org/pages/holly-gilbert-stowell.aspx), Physical Security, 2017-01-01
https://sm.asisonline.org/Pages/Access-to-Bank-On.aspx

The intersection of cyber and physical security is a critical consideration for banks that have brick-and-mortar buildings and also offer many of their services to customers online. To protect these assets, financial institutions have increased their information technology security spending by 67 percent since 2013, according to a recent survey by PricewaterhouseCoopers.

Zions Bancorporation is one such institution that has taken steps to converge its physical and cybersecurity systems to protect its customers and assets, which total approximately $60 billion. One of its affiliates, Nevada State Bank, recently upgraded its access control system to provide enhanced security, as well as convenience, for its workers.

To workers at Nevada State Bank, the old system of physical keys and hard locks was both a security concern and a nuisance. For example, an employee was at the park playing with her child when someone broke into her car. Along with the employee’s purse, the robber got away with a physical key to the bank’s branch where she worked. She made a phone call to corporate security, and the entire building had to be rekeyed that weekend.

“To rekey all the locks and replace keys could cost $3,000, or it could be even more costly if it’s a master key that’s lost,” says Bob Shandle, regional security officer for Zions Bancorporation. He adds that when employees lose their keys, “it almost always happens over the weekend,” an inconvenience to the security staff.

Replacing physical keys with cards was one of the biggest advantages to upgrading access control at three Nevada State Bank branches, says Shandle, who introduced new security cameras and alarm systems as well. “Card access is just a small part of the big picture of what we’re trying to accomplish” in terms of security, he notes.

Zions worked with an integrator to find the best choice for an access control platform for the bank. In March 2015, it chose Sielox Pinnacle, the software that serves as the hub for the overall access control system. Sielox 1700 Network Controllers are used to support card readers installed at door locations, including hardwired doors located in the branch’s vault.

At the majority of its entryways, the bank first chose Allegion AD-400 wireless locks that integrated with the Sielox system. Because the locks are large and require drilling holes for installation, the AD-400 locks were functional but not ideal. In March 2016, Shandle purchased Schlage NDE locks, which have a smaller form factor and are more affordable. Both Schlage and Allegion are owned by manufacturer Ingersoll Rand, so the microchips inside employee access cards did not change. The cards were simply updated through the Pinnacle software.

“The NDE lock requires no special modifications to the door. It goes right on top of where your old lock used to be,” Shandle explains. This is especially useful given the “bandit barriers,” or bulletproof glass walls, that run throughout the branch to protect tellers from potential shooters. With a wired system, “you’d basically have to disassemble the entire door area” for installation, Shandle says. “With the NDE lock I was able to get the mount right on top of that heavy-duty Plexiglas, and it worked really well.”

He adds that the locks resulted in a “huge cost savings,” and says the price of the wireless access control system was roughly one-third the cost of a hard-wired one. Commissioning the lock to work with existing cards was also fairly seamless. Using a smartphone and tablet app from Allegion that integrates with the Sielox software, administrators create a username and password, and then link the wireless locks to Pinnacle. This enables the chips in the card to work with the control boards in the door readers. “Sielox is the only access controller provider in the market that seamlessly integrates the NDE locks from Allegion, so it really did work out well,” he adds.

In addition, someone at the bank is responsible for going through the card access database every day to ensure that it reflects employees who have been terminated, are on temporary leave, or have returned from leave. Changes can be managed within the Sielox Pinnacle online Web portal. Additionally, all actions are recorded and reported on every card, so security personnel can track activity and spot abnormalities in the log files.

Vendors who spend an extended period of time at a branch are assigned a bank employee who is responsible for their access card. “That supervisor or person from the bank would have to request the card in writing from us, and then we would issue it on a temporary basis,” he says. The assigned person from the bank is responsible for eventually getting the card back to security.

Currently three Nevada State Bank branches have card access throughout the building, as well as the central vault. Shandle says they eventually hope to implement the system organization-wide. “We are trying to consolidate all of the branches under the Sielox Pinnacle card access system and eliminate the need for employees to carry keys altogether,” he notes.

The biggest concern with wireless access control readers is battery life, Shandle says, so Pinnacle has an application that tells security how long until the batteries on individual door readers are exhausted. And there is a small time delay between presenting the card to the reader and the door unlocking. “When it comes to presenting your credentials, the readers don’t always respond immediately like the hardwired ones do,” he notes.

However, these concerns are outweighed by the convenience of the overall system. A key can be disabled within minutes, no longer requiring an expensive and time-consuming rekeying of the building. “It costs about $5, and I can have a key card removed from the system in a number of seconds,” Shandle says. “Even if you lose it on a Friday night, we can have that card disabled, so that the missing fob that grants access to our branch doesn’t work anymore.”

For more information: Karen Evans, karen.evans@sielox.com, www.sielox.com, 856.861.4568

Financial Activities


Access to Bank On (2017-01-01): https://sm.asisonline.org/Pages/Access-to-Bank-On.aspx
Access Under Control (2015-08-10): https://sm.asisonline.org/Pages/Access-Under-Control.aspx
Diebold’s Responsive Banking Concept Enhances ATM Security and Service (2014-12-02): https://sm.asisonline.org/Pages/Diebold’s-Responsive-Banking-Concept-Enhances-ATM-Security-and-Service.aspx
FinCEN Releases 'Culture of Compliance' Guidance for Financial Institution Leaders (2014-08-14): https://sm.asisonline.org/Pages/fincen-releases-culture-compliance-guidance-financial-institution-leaders-0013620.aspx
FinCEN Releases 'Culture of Compliance' Guidance for Financial Institution Leaders (2014-08-14): https://sm.asisonline.org/migration/Pages/fincen-releases-culture-compliance-guidance-financial-institution-leaders-0013620.aspx
Banking on a Security Upgrade (2014-02-01): https://sm.asisonline.org/Pages/Banking-on-a-Security-Upgrade.aspx
Cybersecurity, Money Laundering Are Top Threats Facing the Financial Industry in 2014 (2014-01-07): https://sm.asisonline.org/Pages/cybersecurity-money-laundering-are-top-threats-facing-financial-industry-2014-0013072.aspx
Virtual Money, Real Crime (2014-01-01): https://sm.asisonline.org/Pages/Virtual-Money-Real-Crime.aspx
Using Economics to Fight Terrorists (2013-12-13): https://sm.asisonline.org/Pages/using-economics-fight-terrorists-0013004.aspx
Visa Discusses Efforts to Prevent Fraudulent Transactions (2013-10-17): https://sm.asisonline.org/Pages/visa-discusses-efforts-prevent-fraudulent-transactions-0012832.aspx
FTC Warns Data Brokers (2013-08-01): https://sm.asisonline.org/Pages/data-brokers-0012627.aspx
Dunbar Digital Armor Announces Partnership with NASDAQ (2013-06-13): https://sm.asisonline.org/migration/Pages/dunbar-digital-armor-announces-partnership-with-nasdaq-0012531.aspx
Top 10 Performing Security Industry Stocks for February (2013-05-01): https://sm.asisonline.org/Pages/top-10-performing-security-industry-stocks-february-0012386.aspx
Top 10 Performing Security Industry Stocks for January (2013-04-01): https://sm.asisonline.org/Pages/top-10-performing-security-industry-stocks-january-0012327.aspx
Banking on Security (2013-03-01): https://sm.asisonline.org/Pages/Banking-on-Security.aspx
Top 10 Performing Security Industry Stocks for December (2013-03-01): https://sm.asisonline.org/Pages/top-10-performing-security-industry-stocks-december-0012009.aspx
Presidio Combats Fraud with IronKey (2013-01-01): https://sm.asisonline.org/Pages/presidio-combats-fraud-with-ironkey-0011372.aspx
Terrorist Financing, Money Laundering, and Tax Evasion (2013-01-01): https://sm.asisonline.org/Pages/terrorist-financing-money-laundering-and-tax-evasion-0011369.aspx
Top 10 Performing Security Industry Stocks for October (2013-01-01): https://sm.asisonline.org/Pages/top-10-performing-security-industry-stocks-october-0011374.aspx
How to Do Financial Asset Investigations (2012-12-01): https://sm.asisonline.org/Pages/how-do-financial-asset-investigations-0011080.aspx

You May Also Like...

School of Threats
Strategic Security
https://sm.asisonline.org/Pages/School-of-Threats.aspx

In the fall of 2015, a university sophomore we will call Sophia spoke with her college’s Title IX coordinator, called Mr. Jones for the purposes of this article. Sophia told Jones that her former boyfriend—a sophomore at the same college—sexually assaulted her in 2014.

The two broke up over the summer, but Sophia thought her ex-boyfriend was stalking her now that they were both back on campus for the fall semester.

Jones told Sophia about her various options, including reporting the stalking to campus police or to local law enforcement, or filing a complaint with the college’s Student Conduct Office, which would then investigate and take action against her ex-boyfriend if necessary.

Jones also gave Sophia a list of support resources that she could access, including the college’s counseling center, women’s centers, and community-based resources for victims of domestic violence.

Sophia said she did not want to file a report with campus police or local law enforcement, but she did want to file a report with the Student Conduct Office.

Two days after filing her report, Sophia alerted Jones that she thought her ex-boyfriend was escalating his efforts to stalk her. She was afraid of what he might do to retaliate against her, and feared for her physical safety.

When Sophia mentioned that she feared for her own safety, Jones offered another option: he could alert the college’s threat assessment team to address the situation from a safety perspective.

The team could evaluate whether there was any threat posed to Sophia by her ex-boyfriend and could intervene—as necessary—to reduce the risk to Sophia while her report was investigated by the Student Conduct Office.

As higher education and security professionals are well aware, the last few years have seen many changes in the law and guidance addressing sexual violence, domestic violence, dating violence, and stalking issues on college and university campuses.

Colleges and universities in the United States are now obligated to undertake certain actions when they become aware of sexual assault, domestic violence, dating violence, or stalking at their institutions under new requirements from the U.S. Department of Education (DOE) through Title IX guidance and enforcement and amendments to the Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act (Clery Act) made by the Violence Against Women Reauthorization Act (VAWA).

Those requirements include taking swift action to investigate allegations of such incidents; notifying victims about the availability of protective and support resources; and notifying victims of their options to report the incident to law enforcement or to the institution’s conduct office or to opt not to report.

With the recent focus on the need for colleges and universities to aggressively pursue reports of sexual assault, interpersonal violence, and stalking, there has been little public discussion about the need to assess and maintain victim safety and campus safety while these investigations, called Title IX or Clery investigations, are undertaken. However, that is beginning to change.

Several prominent organizations and task forces have released reports on campus safety and violence prevention since the campus shootings at Virginia Tech in 2007 and at Northern Illinois University in 2008. All of these reports recommended that colleges and universities create threat assessment teams as a key measure to prevent violence before it occurs.

The threat assessment model is now advocated for use in higher education settings by entities at the federal and state levels, as well as various international and national associations. These include the U.S. Departments of Education, Justice, and Health and Human Services; the National Association of Attorneys General; the International Association of Campus Law Enforcement Administrators; and several state task forces.

In 2008, Virginia and Illinois both passed laws requiring colleges and universities to establish threat assessment teams. These laws apply to public higher education institutions in Virginia and to all higher education institutions in Illinois. In 2014, Connecticut also began requiring colleges and universities to be trained in campus threat assessment.

Additionally, in 2010 the American National Standards Institute (ANSI) approved a national standard for higher education risk analysis that is designed to identify, evaluate, and mitigate risks at higher education institutions and to help colleges and universities better allocate resources and prepare for emergencies.

“It is recommended that threat assessment teams be put into place on campus to help identify potential persons of concern and gather and analyze information regarding the potential threat posed by an individual(s),” the standard says.

Behavioral threat assessment is now recognized as a best practice for preventing campus violence and workplace violence at colleges and universities. Using threat assessment procedures can help enhance safety in Title IX and Clery cases in which there is a potential for ongoing interpersonal violence or stalking behavior, victims fear for their safety, or threats have been made before or after a victim files a police report or student conduct complaint.

In cases such as these, however, adhering to provisions of Title IX and the Clery Act is not enough; steps should be taken to identify and assess whether any threats are posed to those involved in these investigations and to manage the situation to reduce any such risk.

Integrating Threat Assessments

In an environment in which victims, advocates, and public servants commonly express concerns about campus response to sexual violence, colleges and universities must also assess threats while investigating these incidents and publishing crime statistics—as required by federal law.

To best address these safety concerns, the institution’s threat assessment team or behavioral intervention team should be involved to run a parallel threat assessment investigation that is separate from, but coordinated with, the institution’s Clery investigation.

This level of coordination requires some effort, but it is vital and can be achieved using five steps to maintain victim safety and campus security during investigations.

Create a threat assessment team. Institutions should have a threat assessment team—or a similar multidisciplinary team that is trained in behavioral threat assessment and threat management.

The best threat assessment teams include representatives from student affairs, academic affairs, the counseling center, human resources, campus police or security, and ad hoc members who might be needed for particular cases, such as veterans’ services for cases involving veterans or international programs members for cases involving international students.

Once the team is assembled, it should be trained in behavioral threat assessment, have the authority to engage in threat assessment on behalf of the institution, have procedures to guide activities of the team, and have access to case management and support resources—on campus and in the community—to intervene where needed.

Having training in best practice procedures is critical to ensuring that the team is equipped to objectively assess any risk or threat posed, and to take appropriate steps to intervene to reduce risk and manage the situation going forward.

Many institutions have established threat assessment teams, but only a subset of them have ever been trained in threat assessment procedures. One institution, whose threat assessment team lacked qualified training, did not know how to handle a stalking case that was escalating and decided to call in outside expertise to reduce the prospect that the situation could turn violent.

If a team has not received training in threat assessment procedures, the group should make sure to check the qualifications of potential training vendors before hiring them.

Understand Clery requirements. All personnel involved in threat assessment and safety should know that the DOE has issued guidance on requirements that institutions face under Title IX and preamble comments on regulations issued to implement the VAWA revisions to the Clery Act.

Under these laws, colleges and universities must respond swiftly to reports of sexual assault, dating violence, domestic violence, and stalking—not just those involving a threat assessment investigation.

This response must include providing information on confidential sources for victims to talk to and explaining reporting options to victims. The response must also include information on disciplinary and law enforcement reporting options should victims decide to report an incident to law enforcement or to the student conduct office.

In addition to responding to reports of sexual violence, colleges and universities must also actively work to prevent such crimes, including providing institutionwide training for students and employees.

Some colleges and universities are implementing mandated online training courses for students, as well as for faculty and staff, to raise awareness about sexual violence and the importance of bystander intervention.

But prevention efforts can also involve outreach from an institution’s threat assessment team to encourage people to report potentially dangerous situations and behaviors to the team when they become aware of them, so quick action can be taken to mitigate and reduce risk.

To address these wide-ranging duties and the increasing number of reports, institutions should have dedicated investigators to handle their Clery-related cases and responsibilities. In many cases, institutions will need to hire or retain these individuals.

Alert the team. Once an institution has a threat assessment team, those taking reports from victims must learn when to alert the team.

Although reports of sexual assault, domestic violence, dating violence, and stalking are often referred to a Title IX coordinator or investigator, there may be ongoing safety concerns that should be addressed simultaneously and more broadly by a threat assessment team. If a report is made to an employee not designated as a “confidential employee,” that person can freely alert the threat assessment team.

Confidential employees include employees who are licensed medical, clinical, or mental-health professionals when acting in their professional role to provide services to a patient who is a university student. This category also includes university employees providing administrative, operational, and related support for healthcare providers performing these services.

Confidential employees are generally prohibited from reporting information to a college or university’s Title IX coordinator without permission from the individual who disclosed the information to them.

A confidential employee who receives a report should provide information about the threat assessment team to the victim or reporter, as well as provide options for reporting the incident and for safety planning.

If a risk is deemed sufficiently imminent to permit disclosure of privileged communications, the confidential employee could make other disclosures as necessary to promote safety. When victims better understand what a threat assessment team can do to enhance safety, they may be willing to have their situation reported to the team.

Get legal advice. Teams should seek advice from the institution’s legal counsel on how to address situations in which a victim requests confidentiality or anonymity.

In 2014, the DOE’s Office of Civil Rights (OCR) published guidance on Title IX issues that clarified a 2011 document on the limits of confidentiality in certain situations.

For instance, the OCR recognized that institutions may not be able to respect requests for confidentiality where circumstances suggest there is an increased risk of further violence. The OCR included examples of these circumstances, such as multiple complaints about that person, a history of violence and arrests, multiple perpetrators, patterns of perpetration, use of weapons, and threats to commit further violence.

Train and practice, together. Personnel involved in Clery cases and those involved in threat assessment matters can learn a great deal about each other’s methods, resources, and obligations when they spend time together—preferably not just on active cases.

Finding opportunities to train together in tabletop exercises, and to train each other on their respective jurisdictions and areas of expertise, will enhance coordination and cooperation when faced with a high-risk case.

One threat assessment team, which had received training on trauma-informed investigations from its institution’s Title IX coordinator, increased its awareness about the effects of trauma. As a result, the team changed its approach to interviews with complainants of stalking.

Since the training, the team now chooses—where possible—to give its questions to Title IX investigators to ask of a complainant to avoid subjecting the individual to yet another interview on the same matter. This process is designed to minimize stress and additional trauma.

Outcomes

In Sophia’s case, involving the college’s threat assessment team helped the institution get a more complete picture of her safety and any potential danger she faced as the investigation unfolded.

One of the first options the team suggested was that either the Student Conduct Office or the campus police department issue a “no-contact order.” A no-contact order prohibits contact—whether in person, by phone, email, text, social media, or through a third party—between individuals at an institution where the college or university feels it is necessary to impose such a boundary.

No-contact orders are often issued by student conduct officers when they are investigating potential violations of a student code of conduct. The orders do not require the same level of evidence required to obtain a court-issued restraining order or protective order—but they carry significant consequences if violated.

For instance, some institutions can take immediate disciplinary and protective action if an order is violated, such as immediate suspension or barring the individual from campus.

This tool is administered solely by the college and did not require Sophia to file a police report, even though the campus police department issued the order.

Following best practice threat assessment procedures, the threat assessment team in Sophia’s case gathered information from multiple sources about her ex-boyfriend and his recent behaviors and communications.

The team was able to corroborate Sophia’s accounts of his stalking behavior and discovered a series of disturbing posts he made on social media that suggested he was experiencing increasing desperation, and may have been suicidal.

A member of the team conducted a conversation with the ex-boyfriend, confirming his growing level of desperation. The team then assessed that Sophia’s case required intervention to reduce risk.

First, the team’s representative from the campus police department asked campus police to immediately transport Sophia’s ex-boyfriend to the college’s counseling center for a safety assessment to determine if he was suicidal.

At the same time, the team’s representative from the counseling center notified personnel at the center about the transport and provided information to the mental health provider who was conducting the assessment, so the provider had appropriate background information to include in the assessment.

In addition, the team asked the college’s Residential Life Office if it could provide Sophia with emergency alternate housing so her ex-boyfriend would not know where she was living. Campus police also provided Sophia with safety planning and offered to escort her around campus, if she wanted that service.

Sophia’s ex-boyfriend followed the no-contact order and did not have any contact with Sophia throughout the student conduct process. The team remained involved in monitoring the case as it proceeded and in conducting a follow-up assessment after her ex-boyfriend was sanctioned by the college.

The team was actively involved in the case until it assessed that Sophia’s ex-boyfriend no longer posed a threat to her—which was several months after the conclusion of the investigation.

Finding ways to improve communication and coordinate efforts between Title IX/Clery personnel and threat assessment teams can help security protect students. A multidisciplinary approach to training, assessing threats, and responding to incident reports can help ensure a safer campus for all.

Marisa R. Randazzo, Ph.D., is a managing partner of SIGMA Threat Management Associates and former chief research psychologist for the U.S. Secret Service. Jeffrey J. Nolan, JD, is a partner at Dinse, Knapp & McAndrew, P.C. Dorian Van Horn is a senior consultant with SIGMA Threat Management Associates and former division chief of the Threat Management Unit for the Naval Criminal Investigative Service.
Book Review: Workplace Safety
Physical Security
https://sm.asisonline.org/Pages/Book-Review---Workplace-Safety.aspx

Butterworth-Heinemann; Elsevier.com; 180 pages; $49.95.

The threat of workplace violence is a continuous issue affecting the well-being of the American workforce. Horrific reports and images of violent acts in the workplace appear far too often in the media, disrupting the safety, well-being, and productivity of the general public.

In an attempt to help businesses and organizations deter or deflect these violent acts, Randall W. Ferris and Daniel Murphy authored Workplace Safety: Establishing an Effective Violence Prevention Program. This is a well-intended book designed to help organizations with the development of policies and practices to prevent violence in the workplace. The book offers information on applicable topics, including relevant definitions, justifications for workplace violence procedures, explanations of various types of violence, environmental causes, and possible motives behind the attacks, as well as details for creating and implementing methods to prevent violent incidents. The authors draw from the guidelines presented in the Occupational Safety and Health Administration’s standards for the prevention of workplace violence as their primary source of credible information.

The book reads more like a how-to manual than a professional publication. The chapters are consistently formatted with a motivational quote, chapter contents, an abstract, and applicable key words. The chapters include various personal experiences from the authors, fictitious scenarios, and bulleted or numbered lists pertaining to the chapter’s content. Further diluting the professionalism is the use of common or slang terms in text that is often brash or casual.

There is value here for some audiences. For organizations that have not developed procedures to deter or respond to violent incidents in the workplace and those that do not understand the concept of these issues, this could be a helpful guide. Those working in human resources or facility management and individuals who are new to security management can gain some useful information. Also, managers desiring to completely redesign or reevaluate their workplace violence policies might use this book as a starting point. However, it should be viewed as a supplemental publication and not a primary source. Workplace Safety: Establishing an Effective Violence Prevention Program will not impress the educated or experienced reader or introduce new concepts that have not been previously explored.

Reviewer: Joseph Jaksa, Ph.D., CPP, is an associate professor of criminal justice at Michigan’s Saginaw Valley State University. He is a member of ASIS International and the Saginaw Valley Chapter of ASIS.
https://sm.asisonline.org/Pages/Access-Under-Control.aspxAccess Under Control<p>​<span style="line-height:1.5em;">Companies spend significant resources on access control equipment. Estimates of the size of the global market range from about $6 billion to around $22 billion, and a recent ASIS survey indicates that 57 percent of U.S. businesses will be increasing access control spending through 2016. </span></p><p>Upfront costs are just the start. Security professionals take time to determine which doors need to be locked and when.  They decide where to install readers and decide how to pro­cess visitors. Despite the effort spent on the access control equipment layout and maintenance, over time the access control database can become mismanaged. Requests for tweaks to reader groupings and access levels are continuous. One group may want time restrictions for the janitorial crew; another group may need access to one door but want to restrict others. If these accommodations are made without regard for the overall system, over time a complicated tangle of access control levels is created. The next thing you know, security no longer controls access; access control takes charge of the organization’s security, resulting in a chaotic mess.</p><p>BB&T, a large financial services institution headquartered in Winston-Salem, North Carolina, has protocols in place that ensure appropriate and accurate administration of access control systems at its corporate locations. The Fortune 500 company has more than 1,800 financial centers in 12 states.  In addition, it has approximately 120 corporate buildings–data centers, operations centers, call centers, corporate and regional headquarters–that have access control systems. ​</p><h4>Challenges</h4><p>Regulatory developments over the last decade make it necessary to closely maintain access control data. 
The Health Insurance Portability and Accountability Act of 1996 and Gramm-Leach-Bliley Act of 1999 require healthcare and financial organizations, respectively, to keep strict watch over sensitive and personal information. The Sarbanes-Oxley Act of 2002 forced a strengthening of internal controls within corporations. More recently, the Payment Card Industry Data Security Standard requires that companies keep tight control over credit and debit card data. </p><p>These regulations, as well as others that affect specific industries, have brought more scrutiny to the administration of access control data. Most large organizations, especially those in regulated industries, have experienced an increase in audit activity as it relates to physical access controls. This means that regular reviews of access reports are required in many cases. For this reason, it is critical that the data in a company’s access control database be clean and accurate. </p><p>Numerous challenges can arise from failing to properly maintain an access control system. Maintenance lapses can result in thefts when, for example, terminated employees get into a facility. What good is an access control system if, due to negligence in maintaining the system, people can enter places they shouldn’t? If your access control database has been around for years and has turned into a Byzantine web of access permissions, what steps can be taken to get control over the data? </p><p>Access control database administrators must have an ongoing process of maintaining the accuracy of the data. A standards-based approach must be taken to manage any effective access control program. Standards include defining the types of users in the system–employees, vendors, visitors, temporary card users–and establishing how each of these user categories will be managed and reviewed. Once the user categories are defined, space definitions and ongoing maintenance procedures must be established.
</p><h4>Database management</h4><p>BB&T categorizes its cardholders into three groups based on the users’ network login ID: employees and contractors with a company network login ID; vendors, tenants, and others without a company network login ID; and temporary users. BB&T uses the network login ID for employees and contractors because the network ID is also used in the IT security database. This allows security to match the IT access records to the physical access records. Human resource data was considered for this match, but the bank determined that many vendors, temporary employees, and contractors who have a BB&T network login ID are not included in its human resource system. Matching the network login ID covers a majority of the organization’s users. If the records do not match, the user’s access is terminated. </p><p>For cards not involved in the matching process, BB&T identifies a company employee who can serve as a sponsor for each vendor and tenant. The company conducts quarterly reviews of those cards, during which the company sponsor ascertains whether the vendor or tenant employee still works for the third-party company and still needs the BB&T card.</p><p>All temporary cards in the system are assigned to the individuals who have the cards in their possession. The temporary cards may be used by visitors, trainees, vendors, and employees who forgot their badge at home. Information on the cardholder is housed within the access control database. Quarterly reports for all temporary cards are sent to the one person who is responsible for ensuring that the temporary cards are accounted for.</p><h4>Space</h4><p>BB&T has established criteria and definitions for the physical space in its environment and sorts it into three categories: critical, restricted, and general. Criteria are established for each category of space. The critical category is reserved for high-risk, critical infrastructure areas, such as server rooms or HVAC sites.
Restricted space is office space for departments that the company deems restricted. All critical and restricted space is assigned a space owner. The space owner is then responsible for approving or denying people’s access to that area. General access areas are common doors and hallways.</p><p>For each category of space, standards are established on how access is governed. For example, the data center standards might state that janitors or nonessential personnel are not granted access without an escort. Standards also dictate who can approve access to that space and how often access reports should be reviewed. For example, critical and restricted space reports are reviewed monthly or quarterly.</p><p>Access devices are grouped together based on the categories of space and the users that access the space. This streamlines the access request process and makes it easier for the requestors to understand what access they are selecting. Grouping as many readers together as possible minimizes the number of possible groupings, meaning that there are fewer choices for those requesting access. It also makes it easier to ensure that access reports are accurate, and it simplifies the process of approving access and reviewing access reports. If all readers for critical space in a building are grouped together, only one approval would be required for critical space and only one report would need to be reviewed. </p><p>However, in some cases, minimizing groupings may not be possible. For example, one group of users may be allowed into the IT area, but only a subset of that group has access to the server room that resides within that area. In this case, groups would be categorized by the users rather than the readers.</p><p>It’s also important to make sure that access levels and device groupings don’t overlap. This can complicate the request process and the report reviews and could cause access reports to reflect an incomplete list of users who have access to a space.
For example, in a building with three readers, grouping one may include the front and back doors, and grouping two may include the communications room. If, in addition to these two groupings, there is an overarching grouping three that includes all three readers, this creates a problem, since each of the three individual readers belongs to two different groupings. In this scenario, if a request is made to determine who has access to the communications room, a report on the communications room reader group alone is not enough; an additional report on the group of all three readers would also need to be provided. In many organizations, this second step is missed, causing an inaccurate representation of those with access to a specific area. This can be a major issue if discovered during an audit.</p><p>Another way to remedy this issue would be to run reader reports on individual doors, in this example, a reader report on the communications room only. Most access control systems allow for this type of report. However, in companies with a large number of individual card readers, this would require many more reports. The same users often need access to multiple doors, so combining them into groupings that don’t overlap makes more sense than running individual reader reports. As a rule, BB&T does not allow a reader that has been deemed critical or restricted to belong to more than one reader grouping. This ensures that access reports are accurate and complete. It does, however, require that a user who needs access to a full building, such as a janitor or security officer, request access to each area of the building rather than requesting overarching access to the entire building. This is beneficial, not only for reporting reasons, but also because it requires that space owners approve all users who have access to their space and holds the space owners responsible for knowing who is entering their space.
Controls in the report review process can be set up to ensure that a space owner does not remove access for a janitor or security officer. Some systems allow cards to be flagged so that a higher level of scrutiny is required before access is removed. Nonetheless, this is a cleaner way to set up access levels and ensures that space owners will review a report of all users that have access to their space, which is what most auditors are looking for.</p><h4>Clean-Up</h4><p>If an access control system has become muddled over time, a database clean-up is recommended. A good place to start is to deactivate all cards that have not been used in a specific timeframe, such as the previous six months. Thus there will be fewer cards to review. Then, security can find a common piece of data with another database in the company that provides a match of current employees. Human resource or information security data is best to determine whether active cardholders in the system still work for the company. Of the remaining cards for nonemployees, visitors, tenants, and contractors, security should research whether the card users can be associated with a manager or employee within the company. Security can work with these internal partners to implement an ongoing review of access cards.</p><h4>Maintenance</h4><p>Performing a regular match of human resource or information security data ensures that cards are deactivated for users whose information does not match that on the card. If a user is not captured in the match, that person should be assigned to a sponsor for quarterly review to determine whether any credentials need to be terminated. Access reports should be reviewed for all nongeneral space to ensure that users still need access to the designated areas. Such reviews should take place at regular intervals, with no more than a quarter between reviews.
An important piece of the access request process is to ensure that all necessary information is captured to support the new standards and the report review. For example, if the request is for a visitor, security should capture, at the time of the request, the name of the person who will have that card in their possession.</p><h4>Automation</h4><p>BB&T is working to upgrade the automation of its access control request and audit reporting system by the end of 2015. It is considering software that automates the entire access control database management process, from the onboarding human resource system to the access control system. This would include a software interface that would be fully integrated with the information security credentialing system. The ideal software would fully integrate with the access control system so that approved access is automatically provisioned with no human intervention.</p><p>Cost is a major factor in implementing such automation. Some companies choose to automate pieces of the process. Some use a simple Web portal form that sends e-mails to approvers and ultimately e-mails the request to the team that provisions access or provides a dashboard for the access control team to view requests. Many companies have integrated with human resource or information security data to update their access control system, which allows for the automatic deactivation of cards for terminated employees, vendors, or contractors. Others have found a way to automate the report reviews. Few access control manufacturers provide these additional software tools in combination with their access control software. Some will work with or direct their customers to third-party solutions, while others are beginning to see the need for automation and are incorporating pieces into their standard software package, such as more robust reporting capabilities.
</p><p>These efforts may seem daunting, but once the standards are set, the database is cleaned up, ongoing maintenance is initiated, and some level of automation is implemented, the system will be under control. It is imperative that security professionals see beyond the equipment and installation and not rely solely on these for protection. A sound maintenance program ensures that, should access control processes be called into question, security can be confident that the company’s program is under control.</p><p>--</p><p><em><strong>Briggette Jimenez, CPP,</strong> is physical security manager at BB&T where she manages the company’s security command center, security operations, and workplace violence prevention programs.</em></p>
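As an added worked example (not BB&T's or the author's code; the groupings, cards, logins and audit date are constructed), the following Python puts two of the article's checks into code: the per-reader access report that stays complete even when an overarching grouping overlaps a critical reader (the three-reader scenario under Space), and the clean-up pass that deactivates stale cards, matches the rest by network login ID, and routes login-less vendor or tenant cards to a sponsor review.

```python
from collections import namedtuple
from datetime import date, timedelta

# Constructed sample data (not BB&T's): reader groupings, critical readers, cards.
GROUPINGS = {
    "G1 perimeter": {"front-door", "back-door"},
    "G2 comm room": {"comm-room"},
    "G3 whole building": {"front-door", "back-door", "comm-room"},
}
CRITICAL = {"comm-room"}
Card = namedtuple("Card", "id holder login sponsor last_used groups")
CARDS = [
    Card("C1", "Ana", "ana", None, date(2015, 5, 20), {"G2 comm room"}),
    Card("C2", "Ben", None, "Ana", date(2015, 5, 1), {"G3 whole building"}),
    Card("C3", "Cy", "cy", None, date(2014, 9, 1), {"G1 perimeter"}),
    Card("C4", "Di", "di", None, date(2015, 6, 1), {"G1 perimeter"}),
    Card("C5", "Eve", "eve", None, date(2015, 6, 10), {"G1 perimeter"}),  # has left the company
    Card("C6", "Fay", None, None, date(2015, 6, 5), {"G2 comm room"}),  # vendor, no sponsor recorded
]
AUDIT_DATE = date(2015, 6, 30)  # constructed "today" for the clean-up pass

def who_can_open(reader, cards=CARDS, groupings=GROUPINGS):
    """Everyone with access to one reader across every grouping that contains it.
    A report on the reader's own grouping alone misses holders of an overarching grouping."""
    return sorted(c.holder for c in cards
                  if any(reader in groupings[g] for g in c.groups))

def overlapping_critical(groupings=GROUPINGS, critical=CRITICAL):
    """Critical readers that sit in more than one grouping, which BB&T's rule forbids
    because a single per-group report is then incomplete."""
    hits = {}
    for members in groupings.values():
        for reader in members & critical:
            hits[reader] = hits.get(reader, 0) + 1
    return sorted(r for r, n in hits.items() if n > 1)

def clean_up(cards, active_logins, today, stale_days=180):
    """Deactivate stale cards; keep cards whose network login is still active and deactivate
    those whose login is not; send login-less vendor/tenant cards to their sponsor's review."""
    out = {"deactivate": [], "keep": [], "sponsor_review": [], "no_sponsor": []}
    for c in cards:
        if today - c.last_used > timedelta(days=stale_days):
            out["deactivate"].append(c.id)
        elif c.login is not None:
            out["keep" if c.login in active_logins else "deactivate"].append(c.id)
        elif c.sponsor:
            out["sponsor_review"].append(c.id)
        else:
            out["no_sponsor"].append(c.id)
    return out
```

Cards landing in `no_sponsor` are the ones the Clean-Up section says security must research before an ongoing review can cover them.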