
What Is PIAM? Part 4: How PIAM Simplifies the Auditing Process


Now that we’ve covered the essentials of physical identity access management (PIAM) in this series, you know how PIAM systems control physical access with badges, biometrics and more, ensuring that only authorized personnel enter secure areas. This raises the question: How can monitoring of these controlled areas be sustained over time, so that the people who should have access to certain spaces still do, and the people who should not have access do not? Many organizations implement policies requiring that access reviews be performed on a regular basis — annually, quarterly or another cadence. Attestation audits can be an important part of ensuring compliance with these policies.

What Is an Attestation Audit?

An attestation audit is a process that helps an organization with rigorous compliance requirements attest that it has proper policies and controls in place, and demonstrate adherence to them, which in turn facilitates and eases audits and audit reporting.

A PIAM system such as HID SAFE streamlines and simplifies the process through its Attestation Audit feature by:

  1. Removing access for people who at some point needed access, but no longer do
  2. Creating a record of approvals executed by managers

Many systems across various industries need to grant temporary access to more restricted areas at certain times. Automating that access ensures that permanent, long-term access is not left in place when only short-term access was needed.

Simplify Audits With the Attestation Tool

A lot of organizations across various sectors incorporate physical access and physical access policies into various cybersecurity, finance, and other compliance frameworks. In a typical annual audit, this detailed information needs to be shown to an auditor. The two questions an auditor will ask are:

  1. What is your organization’s policy?
  2. How does your organization enforce that policy?

As a part of the audit, you just need to be able to show who has access where, for how long and who authorized it.

The attestation audit tool works by setting up who should have access, paired with an audit date and the policies associated with revocation or renewal of that access. For instance, once the audit date is reached, the manager who controls the employees’ access is notified to take action and initiate renewal; they can also delegate the task to another individual, and should no action be taken, the task can escalate to the manager’s manager.

When an external third-party auditor performs a review, this information is already on record. From there, the auditor can review the sequence of events and the processes in place to confirm that the controls are actually being executed.
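The notify, delegate, escalate and revoke cycle described above, written out as a small model so the approval record an auditor would see is explicit. This is an added illustration, not HID SAFE code; the org chart, grace period and one-year renewal are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed illustration of the review / delegate / escalate / revoke cycle
# described above; it is not HID SAFE code. ORG_CHART is an assumed lookup.
ORG_CHART = {"alice": "bob", "bob": "carol"}  # person -> manager

@dataclass
class AccessGrant:
    person: str
    area: str
    review_date: date
    active: bool = True

class AttestationAudit:
    def __init__(self, grace_days=7):
        self.grace = timedelta(days=grace_days)
        self.tasks = {}   # (person, area) -> (assigned reviewer, due date)
        self.log = []     # the approval record an auditor later reviews
    def _log(self, today, actor, action, g):
        self.log.append((today.isoformat(), actor, action, g.person, g.area))
    def run(self, grants, today):
        # Open reviews whose date has arrived; escalate or revoke stale ones.
        for g in [x for x in grants if x.active]:
            key = (g.person, g.area)
            if key not in self.tasks and g.review_date <= today:
                self.tasks[key] = (ORG_CHART[g.person], today + self.grace)
                self._log(today, "system", "notified", g)
            elif key in self.tasks and self.tasks[key][1] < today:
                upper = ORG_CHART.get(self.tasks[key][0])
                if upper:  # no action taken: escalate to the manager's manager
                    self.tasks[key] = (upper, today + self.grace)
                    self._log(today, "system", "escalated", g)
                else:      # chain exhausted: remove access rather than keep it
                    g.active = False
                    del self.tasks[key]
                    self._log(today, "system", "revoked", g)
    def decide(self, g, actor, action, today, delegate=None, extend_days=365):
        # Only the assigned reviewer may renew, revoke or delegate the task.
        key = (g.person, g.area)
        if key not in self.tasks or actor != self.tasks[key][0]:
            raise PermissionError(f"{actor} is not the assigned reviewer")
        if action == "delegate":
            self.tasks[key] = (delegate, self.tasks[key][1])
        else:
            g.active = action == "renew"
            g.review_date = today + timedelta(days=extend_days)
            del self.tasks[key]
        self._log(today, actor, action, g)
```

Calling `run()` on a schedule drives the cycle; `log` is the "record of approvals executed by managers" that the audit is built on.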

Benefits of PIAM for External Auditing

  • Enhanced Security: Regular audits with a strong PIAM system minimize privilege accumulation and retention
  • Compliance: Different frameworks require different physical security controls. Some examples of frameworks in different regulations:

    ◦ NERC CIP, CIP-006-06: Cyber Security – Physical Security of BES Cyber Systems
    ◦ ISO 27001, Annex A 7.1 to 7.13: Physical safeguards are measures employed to ensure the security of tangible assets. These may include entry systems, guest access protocols and clear desk policies.
    ◦ SOC Type 2, CC6.4: The entity restricts physical access to facilities and protected information assets (for example, data center facilities, backup media storage and other sensitive locations) to authorized personnel to meet the entity's objectives.
    ◦ Sarbanes-Oxley, Sections 302 and 304: Require management to establish, maintain and report "internal controls."
  • Improved Accountability: Knowing who accessed secure areas increases responsibility for personnel actions, i.e., who approved access, why they approved it, etc.
  • Reduced Risk: Identifying and addressing gaps in the controls that mitigate security risks. For example, a PIAM system will run ongoing, consistent and proactive area audits (access audits), eliminating the need for manual audits and the wait time associated with them.

Industries That Use Audits

The audit process is the foundation of compliance and accountability across a variety of industries that are part of our critical infrastructure, including:

  • Energy — Ensuring regulatory compliance, including that health, safety and environmental (HSE) mandates are enforced with contractors in the field and that physical access to sensitive power-generating assets is secured
  • Banking + Finance — Maintaining regulatory compliance and the reputation of the financial backbone of the modern economy and helping institutions avoid conflicts of interest through proper segmentation of financial operations
  • Aviation — Keeping nefarious actors out of aviation operations areas or operations centers
  • Technology — Monitoring access to the physical information systems that run modern society and creating a proper trail for accessing sensitive systems, helping with applicable standards and certifications, like ISO 27000, SOC2 or SOX

For these essential regulated industries, whether operating at a state or national level, higher standards are expected. The streamlined reporting and administering of audits reduces operational costs and helps demonstrate an adherence to an elevated security posture. 


Stay tuned for Part 5 of the series where we’ll focus on locations!