HID - Workforce Identity and Access Management
For many of us, the workplace is more than a single building or facility. That’s what makes workforce IAM so powerful. By managing security through something we all take wherever we go — our identities — it gives users the flexibility they need to stay productive and enables administrators to quickly detect and address risks. HID’s robust, flexible workforce identity and access management solutions provide your workforce with seamless access to the resources they need — no matter where they are.
Securing Compliance: The Intersection of Access Control, Financial Integrity, and Digital Identity Management
What if the integrity of your financial reports hinged on controlling physical access to your office? Discover how managing physical and digital identities is crucial for compliance in sectors like finance and aviation. We reveal why stringent processes for issuing credentials and continuous monitoring are fundamental in aviation and discuss the robust measures needed to prevent insider threats and ensure the reliability of financial reports. You can learn about the need for regular audits and the revalidation of access needs, especially for contractors, to maintain operational security and efficiency.
Have you ever wondered how to manage compliance and risk effectively across hundreds of office locations? Our episode dives into strategies that help streamline access control and the importance of robust failover processes during audits. We also address the rising concerns of digital supply chain risks and third-party vulnerabilities, particularly within hosted solutions. Hear a real-world case study about implementing stringent visitor controls that enhance operational efficiency while preventing abuse. Plus, get a sneak peek into future industry-specific compliance practices in healthcare and heavy industries.
Speaker 1: 0:06
Powering trusted identities of the world's people, places and things. Every day, millions of people in more than 100 countries use our products and services to securely access physical and digital places. Over 2 billion things that need to be identified, verified and tracked are connected through HID Global's technology.
Speaker 2: 0:28
It has been... funny is the wrong word, but eye-opening in the last few years since I've been here, the tendrils that physical space ends up having, because it crops up, to your point. It crops up in regulations and three and four and five letter acronyms most people probably wouldn't expect. I mean SOX, S-O-X, Sarbanes-Oxley, is actually a really good example. There is a line in there, or a section, about access to physical space and controlling that, and it's exactly what you said. While it is, this is not the end-all, be-all for financial audits and reporting. Ensuring who can and cannot access the spaces that information is held is crucial to the integrity of those reports, amongst a few other things like insider trading and insider threats and stuff like that.
Speaker 2: 1:32
So I've been surprised at the frequency that this is in places I wouldn't expect. You know there's ones I do expect, like when I'm walking through an airport. I would assume that there's a fairly robust set of systems there and a fairly robust set of compliances and, I guess, auditing processes and all of that. Rules and audits. Yeah, yeah, in fact it's kind of been interesting when, I know I think it's the aviation space, there's a fairly consistent cadence of voluntary and involuntary audits, right, and those are... what role do you see that audit and that audit process playing for compliance for an organization these days?
Speaker 3: 2:13
Um, yeah, so they have a number of controls that they use within aviation. I mean one, they use an application process for the credential itself. The credential, if you see that secure area or sterile area credential, that doesn't get issued without going through a very strict process that includes background checks and information gathering and questionnaires and so forth. And until you check all the boxes for that, something like seven or eight different process steps that they go through, they won't even issue the badge that has that color background or that pattern on it for the person. Even before they let that badge unlock a single door, the badge itself shows legitimacy, and then they will review each of those pieces and facts.
Speaker 3: 3:14
The background check is now constantly revisited and will send update information if there's a new hit after it's issued. It used to be that they'd only recheck it once every couple of years and see if that person has any new, you know, criminal record, history or anything like that. Now it actually updates them as soon as it hits the government system; the back-end system will actually pass that through and suspend the badge almost immediately when those new changes occur. So, yeah, controls around the badge itself, controls around the access. And then a common thing you'll see is where they'll go back and say is this access still appropriate, does this person still fill this role or have this need, and send them back through an audit process or a recheck process to say not only is this data still up to date and accurate, but do they still have the need for the access itself?
Speaker 2: 4:23
But do they still have the need for the access itself, which is probably something every organization should do at least once.
Speaker 3: 4:31
I think you told me one time you had... From time to time, yeah, and it doesn't have to be as strict as aviation, but just the simple process of once a year go back to any sensitive space and have the space owners or the employee managers (sometimes it's easier from that direction) go back and ask the question: do they still have the need for this area, for this elevated access that we gave to them? Have a process not just to give it out but to also pull it back once it's not necessary, even when access is role-based or tied to a role. People's roles change, and a lot of people or a lot of systems today have the request process down, but the expiration removal process isn't done nearly as cleanly or as well in most organizations.
Speaker 2: 5:30
And I would imagine there's a lot of checks and balances that can be enabled there, but also just cleaning up of systems. I mean, think of all the employees that are going to come and go over 5, 10, 20 years. I mean you actually have thrown out the example, when you talk about the entirety of a workforce, so inclusive of all those extended identities, I think you've said two and three times the number of actual employees are often then involved, and so if you think about that over a decade, which some of these systems are that old, I mean you're talking about a massive amount of data for no real point. It serves no value at that point, it's just, yeah, and you can actually, um...
Speaker 3: 6:14
We actually see older access control systems starting to slow down, or they're coming near their maximum capacity for names, for identities in the system. Some of these access control systems were built decades ago and didn't think about the massive enterprises and the number of identities people might accumulate over 10 or 20 years of use. Most people have a really good handle on pulling out names from past employees. We're pretty good at knowing when an employee leaves the organization. Most of us take note, HR does something. There's lots of details that will flag that ID.
Speaker 3: 6:59
It's a lot harder when you're talking about contractors and some of these extended identities we've been talking about. How long do I keep them in the system? How long do I keep them alive if they haven't visited in a while or if they're a contractor? When a contractor's coming to do work with us, and that contractor's the contractor we use for electricians or plumbers or the cleaning service or what have you within the building, as they hire new people, they're gonna add them in there. They're, in general, not nearly as good about taking them back out again, and so having good processes in place to either automatically expire those or to audit and revoke the access cards and credentials that are no longer being used is pretty important to keeping both security and to keeping systems running well.
Speaker 2: 8:07
Well, and I would think also, we're probably pretty good at thinking about it from: all right, who has access to the data center? All right, there's five people. Who has access to the key room, the fifth floor, like you said, where we do all the financial reporting? Or to the high-profile R&D center? Probably less likely, however, to think about some of our field offices, some of our disconnected spaces, and I would imagine the last couple of years, at least here in the States, will have exacerbated a lot of the management of this as people are shrinking their physical footprint or changing the makeup of their physical footprint. So a tool that's going to let some of that be delegated out to people who may know who should access a field site, or give greater control to one of your office workers or managers.
Speaker 3: 9:03
Yeah, for sure. I mean delegation for things like that is critical. So being able to set up, if you are going to set up that re-attestation of who needs access at the field office, yeah, it's critical. You're not trying to do that from a central headquarters position. You really have to be able to go and create that type of audit, put the right people as the responders to that, and schedule it and just let them run it themselves. So, dead on, you really have to think about this as: how do I enable the fringes of the organization, the field office, the smaller location, to easily meet the rules that we have across the organization? Because, like you said, it's generally not the data center where we're struggling to do this, it's generally not the fifth floor, it is these remote locations.
Speaker 3: 10:11
I think you can evaluate them to a sense. If it's an office that doesn't have a lot of sensitive information, they're not in R&D, they're not in a manufacturing site that has safety issues, you know, maybe it's okay to let them, you know, run it a little less formally. On the other hand, though, if you have a consistent set of tools and you can show them this is the same rules we use elsewhere and make it easy for them, then you're actually making it... you're bringing it to a level where it's not that difficult for them to keep up with.
Speaker 3: 10:47
The same process you use at the data center can be appropriate at the remote sales office. They do have sensitive records, they do have financial records and other things, and it comes back to that similar experience. You have to make it so it's just not that hard. You make that something that's fairly easy for them to do. It's set up and automated for them, and all they really are doing is saying, yes, these contractors still do need to come here, or, you know, I've never heard of this guy, let's go ahead and let him age out of the system. This year becomes a not-so-difficult task, yeah.
Speaker 2: 11:28
Yeah, I mean even the field locations. You know a lot of organizations. They'll have a corporate drop of a network that puts them behind the firewall if you plug in. I mean it's amazing what you could probably access with a quick five-minute Google search and unfettered access at night as a cleaner. But I digress anyway. What else is compliance-related that's top of your mind these days that you're hearing about? Because I'd be curious I've got something that's come to mind for me but anything else that you can think of kind of compliance related that you're hearing.
Speaker 3: 12:08
No, I think I touched on the ease of use piece. You know, that's been the topic that I get asked about, like how do we make this simpler? How do we make this so it is appropriate to roll out beyond those core areas? That's, to me, the one that I've seen as the approach recently: people who've gone beyond the data center and they are going to hundreds of office locations and trying to make it flexible, for instance, knowing who's responsible for that area, but also having a good failover in case they run the audit right in the middle of that person's vacation for the year, which happens, which happens. And so having a good process either to delay it or have it go to the standby person to run through that becomes something that just keeps everything clicking on track.
Speaker 2: 13:12
What's yours, though, what's the one you're thinking of? So I was thinking more of the kind of the supplier risk, that digital supply chain. I don't even know that that one's been put into any sort of legislation or formal process, but I know we're seeing a lot of questions around those topics. What does our hosted solution mean to them from a risk profile standpoint? What does our tool, our processes, internally? What about the components we use? How do those factor into their compliance?
Speaker 2: 13:47
Because if you look at, and you and I've discussed this one, and Bill has a similar background, the head of... either get rid of the ones that had social engineering, a lot of them had a supply chain or similar aspect to them: coming in through a third-party system, a vulnerability in a third-party system, and finding a way to move laterally in the organization. Not different for our customers, whether it's on the cyber side or then on that physical side. So that's one that I think has been interesting to see increasing in questions that we get on that, and I like the approach we're taking when we do respond to that, but that's the one that comes to mind. For me it's kind of this newer area.
Speaker 3: 14:50
So I've seen an interesting approach that we took with one customer on that. Their goal was they wanted to tighten down on the visitor, the pure visitor side, where they're just allowing walk-ins, and make sure that they're not allowing the same person to visit too often during a calendar year. So they set hard controls around number of visits per year, and to make that work... well, that doesn't sound like a great experience if you're the person who's trying to get work done and suddenly somebody hits this arbitrary number. Fairly high, I think they set it to 30 days in a calendar year, but what do I do? And so what we did is we opened up a bunch of new controls for them around a vendor process, and what was great is it's self-serve. Anybody can request a new vendor or request to sponsor an existing vendor, and then there's an easy onboard process where they can add their list of people that they work with, their electricians or their contractors or their, you know, in toss health care you see the people servicing the MRI machines and things like that. And as long as you and I are both working with the same vendor, everything's supported and it can send us both back to say, are these people still active? If one of us drops out, the vendor stays active as long as the other one's still active, as long as you are still actively sponsoring, but if all active sponsors within the organization go away, we just suspend the vendor until we find another person who is going to use them.
Speaker 3: 16:42
And it creates a really easy way for non-IT or physical security employees to create a really simple set of controls to onboard and manage a set of people, be very aware of that, but also follow within the rules that are established for the organization. And I think, to me, that's kind of the key: the more you want to decentralize, the easier you have to make it. Yes, if you're pulling rights and access away from the visitor system, which for this organization was absolutely appropriate, they were trying to get past that type of workaround abuse. They weren't asking to collect much information, but they were asking to get more than they get through the visitor process. We had to find a way to make it so simple that it ends up being very similar, not much more difficult than pre-registering a user. But now I'm setting them up in a different category that we're all aware will be coming and going from our site for potentially months, if not years, if we keep working together.
Speaker 2: 18:00
Yeah, back to what's appropriate for that relationship with that entity and the space that they're accessing. Yeah, that makes total sense. Um, well, cool, all right, we have exhausted what is in my mind at the moment. Um, I think it's maybe lunchtime or snack time, maybe an espresso. We'll see.
Speaker 2: 18:21
Um, I'm sure you and I can cover more in a follow-up. I know there's some industries that we have some interesting compliance habits in, or, you know, solution sets in: healthcare and aviation we talked a little bit on. We could probably spend time there. I know there's another podcast that I did with Eve a little while back and we talked about healthcare off and on, and I think you and I have alluded to a couple of others. I'd be interested to talk about finance, maybe even some other industries, um, that I think you and I kind of generally refer to as heavy industries, some of the heavy manufacturing and energy and long-term, long-range logistics and stuff like that. So probably some more meat we can cover there. But I think this is a good spot to stop, um, and do another one of these. This was fun. We shouldn't make it a year, though, um, all right?
Speaker 3: 19:22
Uh, yeah, let me know, happy to come and chat with you again. So thanks very much for having me. Yeah, thanks, Don.
Speaker 2: 19:28
Have a good one. And, for anyone listening, definitely check out the blogs and the podcasts we've got. If you go to our website, go to our blog section. What is PIM is a series that this is kind of a companion for, and then we have a series of podcasts that have covered everything from what Don and I talked about here to more specifics in different industries, healthcare and aviation getting some love in those areas, and then more esoteric topics on occasion as well. So with that, thank you all, and we'll catch you next time. Have a good one.