Regulations: ‘Golden’ Rules or Ruling You?
Depending on the size and type of business or government agency, there are rules, regulations, standards, legislation and court rulings that impact the security mission, and sometimes conflict with each other or are confusing.
But don’t automatically knock regulations and rules; most have a genuine security purpose and can enhance the perception of the security operation while also helping justify the purchase of equipment and the contracting of services. They can be both “golden” rules to security’s bottom line and a regular headache.
For bank security executives, it comes down to such regulations as the Bank Protection Act (BPA) and the Bank Secrecy Act (BSA).
A Must-Have Security PlanRevised in 1991, the BPA requires banks to adopt appropriate security procedures to discourage bank robberies, burglaries and larcenies, and to assist in the identification and prosecution of persons who commit such acts. A bank’s board of directors is responsible for compliance, which requires a written security program for the bank’s main office and branches. Each bank is required to have a designated security officer. The Federal Reserve, the Office of Thrift Supervision, the Office of the Comptroller of the Currency and the FDIC each has its particular version of the BPA to enforce, but there is very little difference in the language in these versions.
In addition to door access controls, intrusion and holdup alarms and security video, bankers today must think about suspicious transactions, criminal referral forms and money laundering. Because of the BSA, many banks, for example, no longer sell negotiable instruments when purchased with cash, requiring the purchase to be withdrawn from an account at that institution.
According to John Shriner, senior vice president and director of physical security at Wells Fargo, the financial company, bank regulations are part of the routine business of these businesses. “There are compliance and risk management people aware of the overall environment. There is internal reporting to alert to potential noncompliance and security vulnerability on a regular basis.” For him, a more recent challenge relates to physical access controls at the many branches around the country to meet both security and business needs.
With more than 20 years in the banking business, Shriner has seen a lot of change and improvements. A while back, banks changed from still camera use in lobbies to digital cameras. And financial institutions, especially in Japan and some other countries, employ biometrics at ATMs.
Hackers a New Financial Threat
Just this summer, a hacker in Miami was indicted for conspiring to hack into computer networks supporting major American retail and financial organizations, and stealing data relating to more than 130 million credit and debit cards.
Legislation and government regulations addressing these new-age threats have accelerated after the tragedy of 9/11. An initial step in fighting terrorism domestically, there is the USA Patriot Act, a statute originally enacted in October 2001 that has touched most everyone. The act increased the ability of law enforcement agencies to search telephone, e-mail communications, medical, financial, and other records; eased restrictions on foreign intelligence gathering within the United States; expanded the Secretary of the Treasury’s authority to regulate financial transactions, particularly those involving foreign individuals and entities; and enhanced the discretion of law enforcement and immigration authorities in detaining and deporting immigrants suspected of terrorism-related acts. The act also expanded the definition of terrorism to include domestic terrorism.
Rules Covering Specific Businesses
Just as often, such rules are wrapped around an alphabet soup of terms such as TWIC, HIPPA, FIPS 201 and REAL ID, to name just a few. Knowledge and understanding of the rules and regulations specific to a type of business or agency can lead to security strength and specialties.
For instance, the unique circumstances and institutional cultural issues found in healthcare facilities play a major role in decisions regarding security staffing, according to a recent survey of hospital executives.
While quality of service, professionalism and cost were cited as important factors in staffing decisions, survey respondents agreed that security personnel must understand the cultural sensitivities and security challenges specific to a hospital setting.
The survey, which included interviews with senior level administrators at 22 organizations representing 190 acute care and specialty hospitals across the country, also underscored the importance of specialized training. In addition to understanding HIPAA and other healthcare regulations, administrators believe security personnel should receive training to de-escalate common hospital incidents and protect vulnerable populations including infants and behavioral health patients.
Healthcare Best Practices
Erik Dietrich, senior consultant, national facilities services, physical security and systems technology for Kaiser Permanente, said he stays ahead of the curve with “best practices that are out there. There also are construction standards which cover security and life safety.”
Using self-imposed audits, Dietrich is measuring the performance of the security operations centers using a number of metrics such as ratios of systems to people and response time of the operator. “Operators appreciate this, feel more professional and improve with the input,” he said.
Specific to HIPPA regulations, the Office for Civil Rights enforces that privacy rule, which protects the privacy of individually identifiable health information, and the confidentiality provisions of the Patient Safety Rule, which protects identifiable information used to analyze patient safety events and improve patient safety. HIPPA goes beyond protecting records to include the placement, use, handling and storage of certain security video, too.
A more recent twist on HIPPA requirements may affect businesses not traditionally covered, according to Andrew Serwin, a partner with Foley & Lardner LLP, where he is chair of the privacy, security and information management practice. .
The FTC’s Health Breach Notification Rule has its origins in the American Recovery and Reinvestment Act of 2009. According to most privacy experts, one of the administration’s priorities is the expansion of personal health records (PHRs), while trying to maintain the privacy and security of these electronic health files. Vendors of PHR systems were recognized as falling outside the scope of HIPAA, even though the data stored within a PHR may be no different from that covered in another context by HIPAA’s privacy and security requirements, said Serwin. The Final Rule specifies that notice of a breach must be made without unreasonable delay but, in no event, no more than 60 days from discovery. It also details the method and content of notification as well as a humbling notice to media if an incident affects more than 500 people.
While it may appear that the impact of the FTC’s Final Rule is small because it focuses on vendors of PHRs, it also applies to related entities of the PHR vendor and any service providers supporting PHRs. Microsoft, Google, hospitals and health systems are increasingly offering PHRs to consumers, pointed out Serwin.
Accreditation Impact on Security
For hospitals in urban settings, as one example, the potential for violence in the emergency department often comes with the territory. Emergency departments (ED) are the country’s 24/7 medical safety net, so any crime, drug-related activity, weapons and behavioral health issues that exist within the area surrounding the hospital can sometimes enter through the front door.
William (Bill) Masterton, chief operating officer, and Mike Dunning, director of security and emergency management, at the Atlanta Medical Center – part of Tenet Georgia, shared the commitment that “safety of the patients, employees and visitors is all important,” said Masterton. Dunning added, “Located in the heart of the city, Atlanta Medical Center’s ED treats patients from across the socioeconomic spectrum and accepts the challenges that accompany that mission. A year ago, the ED staff spoke up to request additional help securing the ED so they could keep their focus on caring for patients. To ensure success, everyone had to be on the same page from the beginning.” So an ad-hoc security advisory committee was created, which included the ED manager and chief physicians. Among its accomplishments:
- Newly installed panic buttons promote a sense of “contact” with security for certain situations.
- A limit of two visitors per patient and the installation of card readers, intercoms and door buzzers help security control foot traffic.
- A system of codes allows security to know when not to let a visitor into the patient care area of the ED.
- Physical barriers and containment areas were set up for violent patients along with “quiet rooms” if they are placed in seclusion.
Much like healthcare facilities, colleges and universities are micro-communities with a diversity of stakeholders, including far-away parents; sprawling campuses in urban, suburban and rural areas; and unique regulations by some states and on the federal level.
eated in part by a lawsuit payout in a tragic campus murder, Security On Campus, an advocacy group honored last year as one of the 25th Most Influential by Security magazine, first lobbied states for safety and security regulations and then pushed through the Student Right to Know and Campus Security Act on the federal level. One aspect of the federal legislation is the posting and distribution of statistics of certain crimes and offenses.
Challenges at Colleges and Universities
In fact, for the latter life safety need, more campus safety regulations on the federal side are coming down the road. Triggered by new higher education legislation, the proposed guidelines would overhaul how colleges and universities respond to and report campus emergencies, fires in student residences on campus, missing students and hate crimes. The U.S. Department of Education will publish the final rules next month.
Under the new guidelines, colleges would, among other things, have to articulate how they will confirm “all hazards” emergencies on campus and issue immediate notifications to the affected segment or segments of their campus population. They will also have to report an expanded list of hate crime statistics, including intimidation and theft. Colleges with student residential facilities on campus will have to disclose the level of fire safety in residences along with three years worth of statistics on fires as well as fire related deaths and injuries, in addition to its policy for dealing with missing students.
While there have been physical security improvements covering security video, bollards and door/gate access control, the granddaddy of much federally-directed anti-terror regulations, the federal Homeland Security Presidential Directive 12, got the identity ball rolling when the National Institute of Standards and Technology (NIST) initiated a program for improving the identification and authentication of Federal employees and contractors for access to Federal facilities and information systems. FIPS 201 (Federal Information Processing Standards Publication 201) is a United States federal government standard that specifies personal identity verification (PIV) requirements for Federal employees and contractors.
It also provides detailed specifications that will support technical interoperability among PIV systems of Federal departments and agencies. It describes the card elements, system interfaces, and security controls required to securely store, process, and retrieve identity credentials from the card. The physical card characteristics, storage media, and data elements that make up identity credentials are specified in this standard.
No doubt, there have been successes and bumps along the FIPS 201 road.
Identity and Authentication
This is where specialty software development in physical security plays an essential role, according to Geri Castaldo, CEO of Codebench. “It takes a keen understanding of middleware and interfaces in the areas of HSPD-12, TWIC, First Responder Authentication Credential (FRAC) identity cards, and PIV II, among others,” she said.
Castaldo worked with Bill Crews, port security and emergency operations manager for the Port of Houston Authority, on his TWIC project.
Anyone needing unescorted access to secure areas of the Port of Houston Authority, as well as any federally regulated facility along the Houston Ship Channel, must either have a TWIC card or be escorted while on the property.
The TWIC is a “smartcard” that contains the worker’s name, photo and biometric information (fingerprint template). To obtain a TWIC, an individual must successfully pass a security threat assessment conducted by TSA, which looks at criminal background, immigrant status, terrorist watch list screening as well as mental capacity. It takes an average of 21 days from application to receive the credential. Individuals who are required to have a TWIC include certain port employees, longshoremen, truckers, steamship lines personnel, stevedores and vendors.
Crews wears a number of hats. “My job combines three things – maritime security, emergency operations and law enforcement.” But, as with other security executives, he said “I have a business mission focus. It’s all about moving the commerce, now with the aid of TWIC.” Of course, there is intelligent video and intrusion detection as well as the on-site law enforcement and security officers. Still, the access control system (Amag Technology) tied into TWIC, thanks to Codebench as well as appropriate use of Datastrip handheld readers, makes the difference in meeting the regulation.
“It’s a continuous process,” contended Crews, who keeps closely in touch with colleagues at other ports and through the American Association of Port Authorities. “For key technology, you need to check out active installations and products that are being used.” It also counts when service and systems providers know facilities such as ports and the government market overall.
So it’s not surprising that many vendors and systems integrators have a focus on the sector. Joseph Menke, president, Electronic Security Concepts, sees solid growth in the government sector. “We handle work for the city of Phoenix and the Grand Canyon Airport, for example,” he said. Many government agencies emphasize the need to have an audit track of who is coming into the sites. And with more sophisticated systems to meet regulations, mandates and even encryption, “you have to know what you are doing specific to information technology.”
Cybersecurity Mandates Coming
There are, however, glimmers of hope. NIST recently published cybersecurity recommendations for government users to create a unified framework that will result in the defense, intelligence and civil communities using a common strategy to protect critical federal information systems and associated infrastructure. “NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations represents a solidification of the partnership between the Department of Defense, the Intelligence Community and NIST and their efforts to bring common security solutions to the federal government and its support contractors,” said Ron Ross, of NIST’s computer security division. “The aim is to provide greater protection for federal information systems against cyber attacks.”
Another case in point is the Common Access Card (CAC), a United States Department of Defense (DoD) smartcard issued as standard identification for active-duty military personnel, reserve personnel, civilian military employees and state employees of the National Guard and eligible contractor personnel. There are numerous versions of the CAC. It’s used as a general identification card as well as for authentication to enable access to DoD computers, networks and certain DoD facilities. The CAC enables encrypting and cryptographically signing e-mail, facilitating the use of Public Key Infrastructure (PKI) authentication tools and establishes an authoritative process for the use of identity credentials.
Changing CAC requirements was one challenge at the National Defense University, within Fort McNair in Washington, D.C. It provides graduate-level, joint professional military education for future leaders of the armed forces, State Department and other United States government agencies. Lincoln Hall, its newest among seven campus buildings, is a 250,000 square foot facility that houses classroom, meeting room and conference space.
Integrator Diebold was tasked with the design and layout of the electronic security solution and subsystems, and to represent the electronic aspects of the security subject matter. One particular challenge required an understanding of how the existing and next-generation common access card (CAC-NG) credential would impact the new system. The access system was engineered to ensure compatibility with current and forthcoming security card technology, including the more stringent FIPS 201 and HSPD-12 standards. The result: a “contactless” card technology that remotely connects with the reader’s operating system but communicating the new upgraded technology and information.
Local Government and Information Requirements
So one firm saw an opportunity. With no standardized, dedicated and secure distribution infrastructure for disseminating critical instructions and information issued by local, state and federal officials that overcomes the delays and incomplete-distribution limitations of the everyday news-coverage system, enter America’s Emergency Network (AEN). Its goal is to be sure that every emergency manager, whether from a large county or small town, has an outlet to reach the public, the media and other government officials. The AEN satellite-based video distribution system is designed to continue to operate after a disaster when all power and communications lines are knocked out.
Working more recently with VBrick’s advanced IP-video distribution technology, AEN has deployed VBrick Systems to power its satellite-based emergency video distribution system.
Privately-owned or operated critical infrastructure ranging from utilities to petrochemical plants call for myriad life safety and security measures, especially as the U.S. Department of Homeland Security and various infrastructure industries work through the various facilities and types of businesses with new physical and cyber rules and regulations.
Screening and Rules
Beyond smart hiring, a number of critical infrastructure security system solutions are fairly straightforward but important when it comes to security and utility operations in meeting rules and regulations.
To protect the water storage tanks of the borough of Kutztown, Pa., officials brought in IP video. The two massive tanks, located at separate remote sites, hold up to one million gallons and serve 15,000 residents. The existing surveillance system was upgraded after a group of individuals climbed one of the tanks – a prank which cost the municipality $9,000 and forced a 48-hour shutdown in order to inspect the premises and ensure the water supply was not compromised.
Both tanks have been equipped with wide dynamic range IP cameras (ioimage) with built-in self-sustained video analytics to monitor the top hatches and service maintenance ladders. Surveillance staff at the monitoring center is instantly alerted to unauthorized vehicles and persons entering the premises, loiterers and accidental security breaches such as an employee neglecting to lock a gate. Notifications are also sent to officials’ Blackberries and via e-mail. The project and system, partially funded by the Pennsylvania Department of Community and Economic Development and installed by LANtek Inc., worked well, according to Frank Caruso, IT director for Kutztown. “Our previous surveillance system was unreliable and prone to false alarms,” he said. “We had to search through reams of video to find what triggered an alert, which could have been anything from a deer to one of our own maintenance vehicles.”
Grid Security More Complex
However, with the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC-CIP) standards, the electric power industry has taken the lead in applying government mandated physical and cyber security requirements to the country’s aging electrical grid.
The chemical industry followed suit with its own Chemical Facility Anti-Terrorism Standards (CFATS), designed to properly regulate high-risk chemical facilities.
Rob Hile, director of integrated security systems with Siemens Building Technologies, said, “Elements can include command and control, multiple technologies, business process management, branding and public relations” as well as chemical industry and CFATS compliance issues.” Hile’s firm has a CFATS white paper available on the Web.
Future technology approaches, according to Hile, will include geospatial sensors and artificial intelligence as well as situational awareness. On the geospatial side, such sensors and devices can include, for example, flood gauges, air pollution monitors, stress gauges on bridges, Webcams and satellite-borne earth imaging devices. In much the same way that HTML and HTTP standards enabled the exchange of any type of information on the Web, micro and macro sensor networks built on standards could one day alert and track chemical-related security needs.
This is causing many companies to seek out solutions that simply allow for a defensible position from an audit perspective, rather than a layered defense technology deployment that would allow for the company to truly achieve the physical and cybersecurity standards originally put forth, warned Brian Ahern, president and CEO of Industrial Defender. The company has performed more than 100 security assessments on critical infrastructure facilities such as chemical plants, electric power generation plants, transmission energy control centers, water plants and oil/gas production, refining and pipeline systems, since 2002. His bottom line advice: The government and private sectors can work together in order to move compliance solutions from “defensible” to “effective.”
Enterprises should not base their security actions solely on avoidance of penalties, continued Ahern. There must be incentives on both the physical and logical sides. “Tax credits. The rate base. Are the citizens of the U.S. willing to pay for a secure infrastructure?” asked Ahern.
And, according to Ahern, there will be additional regulatory and legal concerns when it comes to the so-called smart grid. “We may be looking at a potential digital Pearl Harbor.”
Avoiding the Dangers
“You just have to make sure that you are facilitating the business,” observed Andrew Wartell, CEO, Wartell Consulting, LLC. Wartell was vice president of global security and director of special projects at Goldman Sachs, where he provided facility physical and technical security design, including the $2.1 billion Goldman Sachs headquarters building in New York City, among other security and compliance projects.
“For some industries facing new and emerging regulations, it will be tough for them to carve out the money for security,” he added. “But, when it comes to systems, avoid grabbing onto technology just because it is neat.”