Some industries, such as nuclear energy and securities trading, are long accustomed to regulation, compliance, and auditing. In recent years, though, increased regulation and protections have been implemented in broad new areas including medical records and credit card transactions, among others. In such an evolving landscape for regulations, it is important for organizations to know how to navigate these changes, and what tools might be available to help them comply with confidence.
One important aspect of these evolving regulations to recognize is that although they may apply to electronic records, they often include an increased emphasis on physical security. This is because unauthorized people can gain access to sensitive data at key system access points and at the physical locations where electronic information is transmitted, processed, and stored. Only by protecting these areas, and monitoring who has access to them, and when, can organizations protect that data and demonstrate that they are doing so.
As an example, let’s look at the Payment Card Industry (PCI) Data Security Standard and what it may imply for physical security. This standard was updated most recently in April 2016, and is designed to encourage and enhance cardholder data security measures globally. It applies to all entities involved in payment card processing – not only to the merchants, card issuers, and processors, but also to any entity that stores, processes, or transmits cardholder data. Similar standards are part of regulations in many other industries (electric power, for example).
Requirement 9 of the standard is titled “Restrict physical access to cardholder data,” and it specifically calls out the need not only for entry controls to limit and monitor physical access to the electronic systems, but also for video cameras, access control systems, or both to monitor access to the systems and correlate the records with other protections. Auditors are instructed to verify the existence of these controls for each computer room, data center, and other physical area where the data is contained. Further, they are to verify that the devices are protected from tampering or disabling, and that the data from the cameras and/or access control system is reviewed and stored for reference if needed.
Audits of these systems have real consequences. First, just preparing for and conducting an audit takes time and resources. One organization shared with us their estimate that, to prove compliance, it took 260 hours to physically inspect every security camera to ensure that it was working and that the video feeds were being securely transmitted and recorded as intended. Second, any service provider (a data center, for example) that does payment card-related business must pass such an audit to conduct that business. So a failure or outage in the video surveillance or access control systems that protect cardholder data can cost that business immediately.
Clearly, any tools that can automate the process of checking operation or providing audit reports would make this process much easier. Addressing these challenges is exactly what the Viakoo service offering was designed to do – automatically detecting network devices, verifying that they are working, verifying that the video streams are being recorded, and confirming that the recorded files are retained as required. By taking care of these tasks, Viakoo services let business managers focus on the key functions of their business, rather than compliance and audit-related tasks.
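To make the kind of automated check described above concrete, here is an added example (written for this page, not Viakoo's code or any product's output) of the two checks an auditor under Requirement 9 would ask about: is each camera still alive, and does its recording index cover the whole retention window without gaps? The inventory, heartbeat times, recording segments, 30-day retention period and 10-minute heartbeat tolerance are all constructed or assumed values; substitute the policy values your own standard requires.

```python
"""Camera liveness and recording-retention audit check (constructed example)."""
from datetime import datetime, timedelta

# Assumed policy values; replace with the figures your standard or policy requires.
RETENTION_DAYS = 30
MAX_GAP = timedelta(minutes=5)            # tolerated seam between consecutive segments
HEARTBEAT_MAX_AGE = timedelta(minutes=10)

NOW = datetime(2016, 6, 1, 12, 0)         # fixed "current time" so the run is reproducible
WINDOW_START = NOW - timedelta(days=RETENTION_DAYS)


def make_segments(start, end, length=timedelta(hours=1)):
    """Return contiguous (start, end) recording segments covering [start, end)."""
    segments, t = [], start
    while t < end:
        seg_end = min(t + length, end)
        segments.append((t, seg_end))
        t = seg_end
    return segments


def punch_gap(segments, gap_start, gap_end):
    """Drop every segment overlapping [gap_start, gap_end) to simulate a recording outage."""
    return [(s, e) for s, e in segments if e <= gap_start or s >= gap_end]


# Constructed inventory: last heartbeat seen from each camera plus its recording index.
CAMERAS = {
    "cam-dc1-door": {
        "last_heartbeat": NOW - timedelta(minutes=2),
        "segments": make_segments(WINDOW_START - timedelta(days=2), NOW),
    },
    "cam-dc1-rack": {
        "last_heartbeat": NOW - timedelta(hours=3),   # stale: device down or tampered with
        "segments": punch_gap(
            make_segments(WINDOW_START - timedelta(days=2), NOW),
            NOW - timedelta(days=10, hours=2), NOW - timedelta(days=10)),
    },
    "cam-dc1-hall": {
        "last_heartbeat": NOW - timedelta(minutes=1),
        # Holds only 20 days of video: older recordings were purged before the retention period ended.
        "segments": make_segments(NOW - timedelta(days=20), NOW),
    },
}


def find_gaps(segments, window_start, window_end, max_gap):
    """Return [(gap_start, gap_end)] for every stretch of [window_start, window_end] with no recording."""
    gaps = []
    cursor = window_start                 # earliest instant not yet shown to be covered
    for start, end in sorted(segments):
        if end <= cursor:
            continue                      # segment lies entirely before the uncovered region
        if start > window_end:
            break
        if start - cursor > max_gap:
            gaps.append((cursor, start))
        cursor = min(end, window_end)
        if cursor >= window_end:
            break
    if window_end - cursor > max_gap:
        gaps.append((cursor, window_end))
    return gaps


def audit_camera(name, cam, now=NOW):
    """Evaluate one camera: recent heartbeat and full coverage of the retention window."""
    online = now - cam["last_heartbeat"] <= HEARTBEAT_MAX_AGE
    gaps = find_gaps(cam["segments"], now - timedelta(days=RETENTION_DAYS), now, MAX_GAP)
    return {"camera": name, "online": online, "gaps": gaps, "compliant": online and not gaps}


def audit_all(cameras=CAMERAS, now=NOW):
    return {name: audit_camera(name, cam, now) for name, cam in cameras.items()}


def format_report(results):
    """Render the audit results as the plain-text evidence an assessor would file."""
    lines = []
    for r in results.values():
        status = "PASS" if r["compliant"] else "FAIL"
        lines.append(f"{status} {r['camera']}: online={r['online']}, gaps={len(r['gaps'])}")
        for gs, ge in r["gaps"]:
            lines.append(f"      missing {gs:%Y-%m-%d %H:%M} -> {ge:%Y-%m-%d %H:%M}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit_all()))
```

In a real deployment the heartbeat would come from a device poll (ping, RTSP probe or ONVIF status) and the segment list from the recorder's index or filesystem; the gap-walking logic stays the same. Run on a schedule, the report gives the continuous evidence that the 260-hour manual inspection described above was collecting by hand, and a FAIL line appears the moment a camera stops recording rather than at the next audit.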
Organizations in many industries face an evolving set of security-related regulations. To manage the significant related business risks, these steps are highly recommended:
- Maintain an awareness of the specific regulations and standards that apply to your business or operation.
- Take note of the types of actions required, including physical security measures that may not have been part of previous standards.
- Implement appropriate security systems per the standard that meet the needs of your operation.
- Provide for ongoing confirmation that the systems are working as intended.
Feel free to contact Viakoo if we can help you with your situation, and best wishes for your next successful audit.