Security 500 conference     

 Don’t miss the networking event of the year for security executives!
Register today for the Security 500 Conference.

Regulations: ‘Golden’ Rules or Ruling You?

October 1, 2009
/ Print / Reprints /
ShareMore
/ Text Size+


The days when security leaders needed only a few strong instincts and a few plain rules are over, if they ever existed.
  
Depending on the size and type of business or government agency, there are rules, regulations, standards, legislation and court rulings that impact the security mission, and sometimes conflict with each other or are confusing.
     
But don’t automatically knock regulations and rules; most have a genuine security purpose and can enhance the perception of the security operation while also helping justify the purchase of equipment and the contracting of services. They can be both “golden” rules to security’s bottom line and a regular headache.
     
For bank security executives, it comes down to such regulations as the Bank Protection Act (BPA) and the Bank Secrecy Act (BSA).


Compliance and risk management are a way of life at banks and financial institutions, according to John Shriner, senior vice president and director of physical security at Wells Fargo, the financial company. In addition, he finds value in working on a project aiming at card access at branches for both security and business results.

A Must-Have Security Plan

Revised in 1991, the BPA requires banks to adopt appropriate security procedures to discourage bank robberies, burglaries and larcenies, and to assist in the identification and prosecution of persons who commit such acts. A bank’s board of directors is responsible for compliance, which requires a written security program for the bank’s main office and branches. Each bank is required to have a designated security officer. The Federal Reserve, the Office of Thrift Supervision, the Office of the Comptroller of the Currency and the FDIC each has its particular version of the BPA to enforce, but there is very little difference in the language in these versions.
     
In addition to door access controls, intrusion and holdup alarms and security video, bankers today must think about suspicious transactions, criminal referral forms and money laundering. Because of the BSA, many banks, for example, no longer sell negotiable instruments when purchased with cash, requiring the purchase to be withdrawn from an account at that institution.
     
According to John Shriner, senior vice president and director of physical security at Wells Fargo, the financial company, bank regulations are part of the routine business of these businesses. “There are compliance and risk management people aware of the overall environment. There is internal reporting to alert to potential noncompliance and security vulnerability on a regular basis.” For him, a more recent challenge relates to physical access controls at the many branches around the country to meet both security and business needs.
     
With more than 20 years in the banking business, Shriner has seen a lot of change and improvements. A while back, banks changed from still camera use in lobbies to digital cameras. And financial institutions, especially in Japan and some other countries, employ biometrics at ATMs.

Hackers a New Financial Threat

Globally, financial institutions and their card processing facilities face another problem – hackers.
     
Just this summer, a hacker in Miami was indicted for conspiring to hack into computer networks supporting major American retail and financial organizations, and stealing data relating to more than 130 million credit and debit cards.
     
Legislation and government regulations addressing these new-age threats have accelerated after the tragedy of 9/11. An initial step in fighting terrorism domestically, there is the USA Patriot Act, a statute originally enacted in October 2001 that has touched most everyone. The act increased the ability of law enforcement agencies to search telephone, e-mail communications, medical, financial, and other records; eased restrictions on foreign intelligence gathering within the United States; expanded the Secretary of the Treasury’s authority to regulate financial transactions, particularly those involving foreign individuals and entities; and enhanced the discretion of law enforcement and immigration authorities in detaining and deporting immigrants suspected of terrorism-related acts. The act also expanded the definition of terrorism to include domestic terrorism.


Rules Covering Specific Businesses

Yet, the regulations and requirements aimed at specific types of businesses – hospitals, colleges, ports, chemical plants, utilities and often spurred by privacy concerns, incidents of violence and federal anti-terror actions – challenge, encourage and have changed the face of security more than Sarbanes-Oxley.
     
Just as often, such rules are wrapped around an alphabet soup of terms such as TWIC, HIPPA, FIPS 201 and REAL ID, to name just a few. Knowledge and understanding of the rules and regulations specific to a type of business or agency can lead to security strength and specialties.
     
For instance, the unique circumstances and institutional cultural issues found in healthcare facilities play a major role in decisions regarding security staffing, according to a recent survey of hospital executives.
     
While quality of service, professionalism and cost were cited as important factors in staffing decisions, survey respondents agreed that security personnel must understand the cultural sensitivities and security challenges specific to a hospital setting.
     
The survey, which included interviews with senior level administrators at 22 organizations representing 190 acute care and specialty hospitals across the country, also underscored the importance of specialized training. In addition to understanding HIPAA and other healthcare regulations, administrators believe security personnel should receive training to de-escalate common hospital incidents and protect vulnerable populations including infants and behavioral health patients.


Healthcare Best Practices

For certain types of businesses, best practices and construction standards also can assist enterprise security directors.
     
Erik Dietrich, senior consultant, national facilities services, physical security and systems technology for Kaiser Permanente, said he stays ahead of the curve with “best practices that are out there. There also are construction standards which cover security and life safety.”
     
Using self-imposed audits, Dietrich is measuring the performance of the security operations centers using a number of metrics such as ratios of systems to people and response time of the operator. “Operators appreciate this, feel more professional and improve with the input,” he said.
     
Specific to HIPPA regulations, the Office for Civil Rights enforces that privacy rule, which protects the privacy of individually identifiable health information, and the confidentiality provisions of the Patient Safety Rule, which protects identifiable information used to analyze patient safety events and improve patient safety. HIPPA goes beyond protecting records to include the placement, use, handling and storage of certain security video, too.
     
A more recent twist on HIPPA requirements may affect businesses not traditionally covered, according to Andrew Serwin, a partner with Foley & Lardner LLP, where he is chair of the privacy, security and information management practice. .
     
The FTC’s Health Breach Notification Rule has its origins in the American Recovery and Reinvestment Act of 2009. According to most privacy experts, one of the administration’s priorities is the expansion of personal health records (PHRs), while trying to maintain the privacy and security of these electronic health files. Vendors of PHR systems were recognized as falling outside the scope of HIPAA, even though the data stored within a PHR may be no different from that covered in another context by HIPAA’s privacy and security requirements, said Serwin. The Final Rule specifies that notice of a breach must be made without unreasonable delay but, in no event, no more than 60 days from discovery. It also details the method and content of notification as well as a humbling notice to media if an incident affects more than 500 people.
     
While it may appear that the impact of the FTC’s Final Rule is small because it focuses on vendors of PHRs, it also applies to related entities of the PHR vendor and any service providers supporting PHRs. Microsoft, Google, hospitals and health systems are increasingly offering PHRs to consumers, pointed out Serwin.


Accreditation Impact on Security

Speaking of accreditation, the healthcare industry also self-polices physical safety and security. The Joint Commission, once known as the Joint Commission on Accreditation of Healthcare Organizations, covers standards for patient safety and emergency preparedness, among other issues.
     
For hospitals in urban settings, as one example, the potential for violence in the emergency department often comes with the territory. Emergency departments (ED) are the country’s 24/7 medical safety net, so any crime, drug-related activity, weapons and behavioral health issues that exist within the area surrounding the hospital can sometimes enter through the front door.
     
William (Bill) Masterton, chief operating officer, and Mike Dunning, director of security and emergency management, at the Atlanta Medical Center – part of Tenet Georgia, shared the commitment that “safety of the patients, employees and visitors is all important,” said Masterton. Dunning added, “Located in the heart of the city, Atlanta Medical Center’s ED treats patients from across the socioeconomic spectrum and accepts the challenges that accompany that mission. A year ago, the ED staff spoke up to request additional help securing the ED so they could keep their focus on caring for patients. To ensure success, everyone had to be on the same page from the beginning.” So an ad-hoc security advisory committee was created, which included the ED manager and chief physicians. Among its accomplishments:
  • Newly installed panic buttons promote a sense of “contact” with security for certain situations.
  • A limit of two visitors per patient and the installation of card readers, intercoms and door buzzers help security control foot traffic.
  • A system of codes allows security to know when not to let a visitor into the patient care area of the ED.
  • Physical barriers and containment areas were set up for violent patients along with “quiet rooms” if they are placed in seclusion.
Atlanta Medical Center and its security partner, AlliedBarton, reduced violence and security concerns in the center’s ED even while its patient volume increased by an estimated 25 percent in one year. No matter the rules or regulations, “If you are going to have a successful program, you have to get the key stakeholders and everyone involved,” commented Masterton.
     
Much like healthcare facilities, colleges and universities are micro-communities with a diversity of stakeholders, including far-away parents; sprawling campuses in urban, suburban and rural areas; and unique regulations by some states and on the federal level.
     
eated in part by a lawsuit payout in a tragic campus murder, Security On Campus, an advocacy group honored last year as one of the 25th Most Influential by Security magazine, first lobbied states for safety and security regulations and then pushed through the Student Right to Know and Campus Security Act on the federal level. One aspect of the federal legislation is the posting and distribution of statistics of certain crimes and offenses.


Challenges at Colleges and Universities

“Universities are designed to be open places. Security needs to be there, too. The balance must have buy-in from the people you are protecting,” said James Overton, chief of police at Delaware State University, which has card access control in student residences as well as a security video network of more than 250 cameras. Vendor Honeywell worked with Chief Overton to produce a Web-based video report on the value and use of the security technology. There are also emergency phones and mass notification.
     
In fact, for the latter life safety need, more campus safety regulations on the federal side are coming down the road. Triggered by new higher education legislation, the proposed guidelines would overhaul how colleges and universities respond to and report campus emergencies, fires in student residences on campus, missing students and hate crimes. The U.S. Department of Education will publish the final rules next month.
     
Under the new guidelines, colleges would, among other things, have to articulate how they will confirm “all hazards” emergencies on campus and issue immediate notifications to the affected segment or segments of their campus population. They will also have to report an expanded list of hate crime statistics, including intimidation and theft. Colleges with student residential facilities on campus will have to disclose the level of fire safety in residences along with three years worth of statistics on fires as well as fire related deaths and injuries, in addition to its policy for dealing with missing students.
     
While there have been physical security improvements covering security video, bollards and door/gate access control, the granddaddy of much federally-directed anti-terror regulations, the federal Homeland Security Presidential Directive 12, got the identity ball rolling when the National Institute of Standards and Technology (NIST) initiated a program for improving the identification and authentication of Federal employees and contractors for access to Federal facilities and information systems. FIPS 201 (Federal Information Processing Standards Publication 201) is a United States federal government standard that specifies personal identity verification (PIV) requirements for Federal employees and contractors.
     
It also provides detailed specifications that will support technical interoperability among PIV systems of Federal departments and agencies. It describes the card elements, system interfaces, and security controls required to securely store, process, and retrieve identity credentials from the card. The physical card characteristics, storage media, and data elements that make up identity credentials are specified in this standard.
     
No doubt, there have been successes and bumps along the FIPS 201 road.


Identity and Authentication

In the transportation industry, especially in relation to America’s ports, an identity mandate – the Transportation Worker Identity Card or TWIC – was designed by the Transportation Security Administration, DHS, and the U.S. Coast Guard to provide a tamper-resistant biometric credential and background screening to maritime workers requiring un-escorted access to secure areas of a port, a facility, and to vessels regulated under the U.S. Maritime Transportation Security Act, as well as to all Coast Guard credentialed mariners with an Merchant Mariner’s Document.
     
This is where specialty software development in physical security plays an essential role, according to Geri Castaldo, CEO of Codebench. “It takes a keen understanding of middleware and interfaces in the areas of HSPD-12, TWIC, First Responder Authentication Credential (FRAC) identity cards, and PIV II, among others,” she said.
     
Castaldo worked with Bill Crews, port security and emergency operations manager for the Port of Houston Authority, on his TWIC project.
     
Anyone needing unescorted access to secure areas of the Port of Houston Authority, as well as any federally regulated facility along the Houston Ship Channel, must either have a TWIC card or be escorted while on the property.
     
The TWIC is a “smartcard” that contains the worker’s name, photo and biometric information (fingerprint template). To obtain a TWIC, an individual must successfully pass a security threat assessment conducted by TSA, which looks at criminal background, immigrant status, terrorist watch list screening as well as mental capacity. It takes an average of 21 days from application to receive the credential. Individuals who are required to have a TWIC include certain port employees, longshoremen, truckers, steamship lines personnel, stevedores and vendors.
     
Crews wears a number of hats. “My job combines three things – maritime security, emergency operations and law enforcement.” But, as with other security executives, he said “I have a business mission focus. It’s all about moving the commerce, now with the aid of TWIC.” Of course, there is intelligent video and intrusion detection as well as the on-site law enforcement and security officers. Still, the access control system (Amag Technology) tied into TWIC, thanks to Codebench as well as appropriate use of Datastrip handheld readers, makes the difference in meeting the regulation.
     
“It’s a continuous process,” contended Crews, who keeps closely in touch with colleagues at other ports and through the American Association of Port Authorities. “For key technology, you need to check out active installations and products that are being used.” It also counts when service and systems providers know facilities such as ports and the government market overall.
     
So it’s not surprising that many vendors and systems integrators have a focus on the sector. Joseph Menke, president, Electronic Security Concepts, sees solid growth in the government sector. “We handle work for the city of Phoenix and the Grand Canyon Airport, for example,” he said. Many government agencies emphasize the need to have an audit track of who is coming into the sites. And with more sophisticated systems to meet regulations, mandates and even encryption, “you have to know what you are doing specific to information technology.”


Cybersecurity Mandates Coming

Just as there are separate cybercrime programs within the White House for the federal civilian government and within the Pentagon, there are various government and military tracks for better personal identification and authentication.
     
There are, however, glimmers of hope. NIST recently published cybersecurity recommendations for government users to create a unified framework that will result in the defense, intelligence and civil communities using a common strategy to protect critical federal information systems and associated infrastructure. “NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations represents a solidification of the partnership between the Department of Defense, the Intelligence Community and NIST and their efforts to bring common security solutions to the federal government and its support contractors,” said Ron Ross, of NIST’s computer security division. “The aim is to provide greater protection for federal information systems against cyber attacks.”
     
Another case in point is the Common Access Card (CAC), a United States Department of Defense (DoD) smartcard issued as standard identification for active-duty military personnel, reserve personnel, civilian military employees and state employees of the National Guard and eligible contractor personnel. There are numerous versions of the CAC. It’s used as a general identification card as well as for authentication to enable access to DoD computers, networks and certain DoD facilities. The CAC enables encrypting and cryptographically signing e-mail, facilitating the use of Public Key Infrastructure (PKI) authentication tools and establishes an authoritative process for the use of identity credentials.
     
Changing CAC requirements was one challenge at the National Defense University, within Fort McNair in Washington, D.C. It provides graduate-level, joint professional military education for future leaders of the armed forces, State Department and other United States government agencies. Lincoln Hall, its newest among seven campus buildings, is a 250,000 square foot facility that houses classroom, meeting room and conference space.
     
Integrator Diebold was tasked with the design and layout of the electronic security solution and subsystems, and to represent the electronic aspects of the security subject matter. One particular challenge required an understanding of how the existing and next-generation common access card (CAC-NG) credential would impact the new system. The access system was engineered to ensure compatibility with current and forthcoming security card technology, including the more stringent FIPS 201 and HSPD-12 standards. The result: a “contactless” card technology that remotely connects with the reader’s operating system but communicating the new upgraded technology and information.


Local Government and Information Requirements

Responding to city, state and federal emergency management mandates, requirements that communications be immediate, clear and cover all important issues and affected geographic areas (i.e., more than a just short sound bite) cannot be fulfilled by a traditional news gathering framework.
     
So one firm saw an opportunity. With no standardized, dedicated and secure distribution infrastructure for disseminating critical instructions and information issued by local, state and federal officials that overcomes the delays and incomplete-distribution limitations of the everyday news-coverage system, enter America’s Emergency Network (AEN). Its goal is to be sure that every emergency manager, whether from a large county or small town, has an outlet to reach the public, the media and other government officials.  The AEN satellite-based video distribution system is designed to continue to operate after a disaster when all power and communications lines are knocked out.
     
Working more recently with VBrick’s advanced IP-video distribution technology, AEN has deployed VBrick Systems to power its satellite-based emergency video distribution system.
     
Privately-owned or operated critical infrastructure ranging from utilities to petrochemical plants call for myriad life safety and security measures, especially as the U.S. Department of Homeland Security and various infrastructure industries work through the various facilities and types of businesses with new physical and cyber rules and regulations.


Screening and Rules

Many are getting tougher with screening employees before hiring and are using firms with more muscle and brains. And those firms may use companies such as ClearStar.net, a technology provider for the employment screening industry. According to Bob Vale, ClearStar.net’s CEO, his 150 or so client screening firms see him fulfilling a real need. For example, one company, METSCheck, Inc., a national background screening and drug testing company, looks to Vale, a founding member of the National Association of Professional Background Screeners, to provide the infrastructure for its screening services.
     
Beyond smart hiring, a number of critical infrastructure security system solutions are fairly straightforward but important when it comes to security and utility operations in meeting rules and regulations.
     
To protect the water storage tanks of the borough of Kutztown, Pa., officials brought in IP video. The two massive tanks, located at separate remote sites, hold up to one million gallons and serve 15,000 residents. The existing surveillance system was upgraded after a group of individuals climbed one of the tanks – a prank which cost the municipality $9,000 and forced a 48-hour shutdown in order to inspect the premises and ensure the water supply was not compromised.
     
Both tanks have been equipped with wide dynamic range IP cameras (ioimage) with built-in self-sustained video analytics to monitor the top hatches and service maintenance ladders. Surveillance staff at the monitoring center is instantly alerted to unauthorized vehicles and persons entering the premises, loiterers and accidental security breaches such as an employee neglecting to lock a gate. Notifications are also sent to officials’ Blackberries and via e-mail. The project and system, partially funded by the Pennsylvania Department of Community and Economic Development and installed by LANtek Inc., worked well, according to Frank Caruso, IT director for Kutztown. “Our previous surveillance system was unreliable and prone to false alarms,” he said. “We had to search through reams of video to find what triggered an alert, which could have been anything from a deer to one of our own maintenance vehicles.”


Grid Security More Complex

When you scale up utility protection for larger electric, telecommunications and chemical operations, for example, things get decidedly tougher.
     
However, with the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC-CIP) standards, the electric power industry has taken the lead in applying government mandated physical and cyber security requirements to the country’s aging electrical grid.
     
The chemical industry followed suit with its own Chemical Facility Anti-Terrorism Standards (CFATS), designed to properly regulate high-risk chemical facilities.
     
Rob Hile, director of integrated security systems with Siemens Building Technologies, said, “Elements can include command and control, multiple technologies, business process management, branding and public relations” as well as chemical industry and CFATS compliance issues.” Hile’s firm has a CFATS white paper available on the Web.
     
Future technology approaches, according to Hile, will include geospatial sensors and artificial intelligence as well as situational awareness. On the geospatial side, such sensors and devices can include, for example, flood gauges, air pollution monitors, stress gauges on bridges, Webcams and satellite-borne earth imaging devices. In much the same way that HTML and HTTP standards enabled the exchange of any type of information on the Web, micro and macro sensor networks built on standards could one day alert and track chemical-related security needs.


Monitoring Processes

As all kinds of standards move from voluntary to mandatory, private companies are expected to invest now in order to save themselves money in the long term.  For example, private electric companies found not in compliance with the NERC-CIP standards face significant financial penalties of up to $1 million per day, per violation, depending on severity.
     
This is causing many companies to seek out solutions that simply allow for a defensible position from an audit perspective, rather than a layered defense technology deployment that would allow for the company to truly achieve the physical and cybersecurity standards originally put forth, warned Brian Ahern, president and CEO of Industrial Defender. The company has performed more than 100 security assessments on critical infrastructure facilities such as chemical plants, electric power generation plants, transmission energy control centers, water plants and oil/gas production, refining and pipeline systems, since 2002. His bottom line advice: The government and private sectors can work together in order to move compliance solutions from “defensible” to “effective.”
     
Enterprises should not base their security actions solely on avoidance of penalties, continued Ahern. There must be incentives on both the physical and logical sides. “Tax credits. The rate base. Are the citizens of the U.S. willing to pay for a secure infrastructure?” asked Ahern.
     
And, according to Ahern, there will be additional regulatory and legal concerns when it comes to the so-called smart grid. “We may be looking at a potential digital Pearl Harbor.”


Avoiding the Dangers

No matter the type of business or agency, no matter the kind of law or regulation, there are inherent dangers for enterprise security executives.
     
“You just have to make sure that you are facilitating the business,” observed Andrew Wartell, CEO, Wartell Consulting, LLC. Wartell was vice president of global security and director of special projects at Goldman Sachs, where he provided facility physical and technical security design, including the $2.1 billion Goldman Sachs headquarters building in New York City, among other security and compliance projects.
     
“For some industries facing new and emerging regulations, it will be tough for them to carve out the money for security,” he added. “But, when it comes to systems, avoid grabbing onto technology just because it is neat.” 

Did you enjoy this article? Click here to subscribe to Security Magazine. 

Recent Articles by Bill Zalud

You must login or register in order to post a comment.

Multimedia

Videos

Image Galleries

ASIS 2013 Product Preview

ASIS International 59th Annual Seminar and Exhibits, September 24-27 in Chicago, Illinois, will include an exhibit hall packed with innovative security solutions. Here are some of the products that will be shown at ASIS this year.

Podcasts

Virtualization and Data Center Security: What You Need to Know for 2014

Data centers are increasingly becoming the center of the enterprise, and data center and cyber security is following the same path for security departments. According to Justin Flynn, a consultant at the Burwood Group, the virtualization of data centers allows enterprises to scale more easily and faster, with a smaller footprint.

However, hosting enterprise data in the cloud can make intrusion detection more difficult – how can enterprise security leaders team up with other departments to keep aware of cyber risks and traffic, and physical and data compliance during the virtual transition? How can CISOs and CSOs discuss cyber threats with the C-Suite to get the resources they need? And how can the proper infrastructure test and verify possible malicious attacks? 

More Podcasts

Security Magazine

September 2014

2014 September

In the September issue of Security Magazine, find out who this year's most influential people are in the security industry are. Also, take a peek at the technology products that ASIS 2014 will be showcasing at the upcoming event. Read about the lessons learned from security at the World Cup, find out why tactical medical training is a must for your enterprise and how Atlanta increased security by sharing surveillance.
Table Of Contents Subscribe

Adopting New Technology

How long do you wait before adopting a new technology?
View Results Poll Archive

THE SECURITY STORE

comptiahighriseproductphoto
CompTIA Security+ Certification Study Guide
CompTIA's Security+ certification is a globally-recognized, vendor neutral exam that has helped over 60,000 IT professionals reach further and higher in their careers. The current Security+ exam (SY0-201) focuses more on being able to deal with security issues rather than just identifying them.
More Products

Clear Seas Research

Clear Seas ResearchWith access to over one million professionals and more than 60 industry-specific publications,Clear Seas Research offers relevant insights from those who know your industry best. Let us customize a market research solution that exceeds your marketing goals.

Vertical Sector Focus: Critical Infrastructures

criticalhomepagethumbFrom terrorism to vandalism, it’s preparedness, response, training and partnerships. Learn about some of the critical security issues facing this sector.

Visit the Critical Infrastructure page to read more.  

STAY CONNECTED

Facebook 40px 2-12-13 Twitter logo 40px 2-12-13  YouTube  LinkedIn logo 40px 2-12-13Google+