Using information to manage risk at any level of government
Ajay Jain of
Information is power when it comes to risk management. Governments at all levels must manage risk, both as part of their long-term planning and in their day-to-day operations. Readily available and dependable information related to all aspects of an operation is a key tool to accomplish this. Rapid response is critical, so this information must be presented in an easily understood and accessible format.
Software can be an effective tool to proactively measure and manage data from multiple IT systems inside an organization and present that information in a format that is understandable and actionable. Software also coordinates and streamlines functionality of various systems to ensure that each system operation enterprise-wide contributes to lowering risk.
Information that can impact risk management can come from physical access control systems, a human resource system, building automation systems or any number of other sources. Taken together, the data from a variety of systems has much more meaning than any one data point by itself. Managing risk involves collecting what might otherwise be an overwhelming amount of data into a unified whole, and then interpreting the sum total of that data to assess its meaning. What appeared unmanageable now becomes manageable.
It's an approach that can positively impact any government entity's ability to manage risk. Let's look at several elements of managing risk for government facilities and how software tools can help:
Controlling access to government buildings -- Agencies are often geographically dispersed and use multiple legacy access control systems. Current physical access systems are not capable of handling digital certificates or biometric information from federally mandated Personal Identity Verification (PIV) cards to establish a common identity for cardholder access across agencies. Software provides a one-step policy-based approach to manage and enroll PIV cardholders into various physical access systems.
This use of software to unify and manage access control enables flexible enrollment, validation and processing of individuals gaining temporary or long-term access to a given facility, along with a policy-based ability to guard against fraud without changing existing physical security infrastructure. Instead of having to rip and replace multiple access control systems, software unifies the various systems and accommodates each system's needs, while creating a smooth integration for the use of PIV cards to achieve compliance with Federal Information Processing Standard (FIPS) 201 interoperability requirements. Software is a tool to establish proper identity proofing and authentication mechanisms to provision and de-provision access to areas restricted to various degrees. Benefits can play out in local and state governments, as well as at the federal level.
Managing compliance -- Software can help address compliance with rigorous physical identity management requirements of high-security government buildings across a disparate infrastructure of security systems. It can enable conformance to Federal Identity Credential and Access Management (FICAM) guidelines to meet objectives of HSPD-12. Software can ensure protection of personnel, information, property and assets while complying with laws, policies and procedures in a cost-effective manner. Systems enable adherence to agency-wide security directives for physical protection, personnel security, personal identity verification, identity management of classified and unclassified foreign visitors, and foreign ownership, control or influence (FOCI).
Software systems facilitate implementation of HSPD-12 directives and administration of PIV and PIV-I credentials. Software guides deployment of federal and agency-specific ICAM processes and utilization of National Institute of Standards and Technology (NIST) guidelines such as Special Publication 800-116, a recommendation for the use of PIV credentials in physical access systems.
Integrating multiple technologies -- As a FICAM solution, software provides processes to manage the intersection of digital identities (and associated attributes), various credentials and physical identities (across access control systems, biometric systems, etc.) into a comprehensive policy-based management approach. Collecting and managing identity attributes, such as security clearance and training status, can drive access approvals and decisions. Software streamlines and consolidates disparate systems into a single FICAM-aligned, integrated and auditable system. Customized reports can be created to meet ongoing audit and compliance requirements.
Software can analyze data from hundreds, if not thousands, of endpoints, such as door readers, access points, alarms and related security personnel. Analyzing the data determines trends, weaknesses and opportunities, and provides an executive-level, graphical dashboard view of the state of a global security infrastructure. Operational data -- retrieved, aggregated and stored daily -- is processed and incorporated into Web-ready reports for high-level analysis and drill-down capabilities. Point-and-click views highlight key physical security, facility and compliance-related metrics.
Pre-built metrics cover analytics related to alarms, identity and compliance. Alarm analytics enable users to define a baseline value of an alarm and to set multiple thresholds (high, medium and low) to measure a device or site against the threshold. Identity analytics provide operational metrics to measure facility occupancy and space utilization, enabling stakeholders to optimize office space, manage unused badges, etc. Compliance analytics provide a snapshot of overall compliance and identify problematic controls (that have the highest number of violations).
An integrated physical security identity, access and event management software solution provides complete control and visibility into physical security operations. Combining the various elements enables policy-driven responses to physical security incidents and situations in the most expedient manner -- and minimizes risk.