Regulatory compliance: how a lack of clarity around the entry leads to fines
April 13, 2018
Many organizations spend a great deal of time and money making the entrances to their buildings artistic and beautiful, with designs and materials that inspire awe. They may work with an architect, engineer, or building contractor to ensure compliance with NFPA safety and fire guidelines regarding egress, while also pursuing user convenience and an overall aesthetic design. Often, they select standard swinging doors to make it more convenient for employees, visitors and vendors to enter. For security, they post security officers to stand guard.
Standard Swinging Doors Introduce Risk
Unfortunately, there are a number of troubling issues with the strategy described above. Security officers are human and subject to distraction, absenteeism, fatigue, and being spread too thin or overwhelmed during busy periods. No security officer can reliably “prevent” an intrusion incident at all times and in all locations – in fact, the term “social engineering” was coined to refer to commonly used techniques for getting around security officers. That introduces risk to the enterprise.
A standard swinging door is often chosen when organizational management is under-informed about the security implications of that selection; the decision makers may also have no security background. Swinging doors do not, and cannot, prevent unauthorized intrusions, and thus they place an organization squarely in the chain of liability should an intruder cause harm or physical or data loss.
Failure to Meet Physical Security Regulations Results in Fines and Penalties
The lack of clarity around how an entrance is designed and secured not only increases physical and cybersecurity risks, it also exposes a company to liability that can lead to crippling fines and penalties. Laws and regulations such as HIPAA, HITRUST, PCI Data Security Standard, NERC CIP, FERC, FISMA, ISO, FDA, TAPPA and others have historically maintained a cyber-heavy emphasis. However, today virtually all regulations mandate some form of physical controls that address unauthorized entry and the control of access into a facility. Non-compliant firms may be subject to significant fines and other actions. Below are a few examples:
NERC Violation
As an example, electric utilities are subject to NERC CIP 14 5-6, which works to ensure the reliability of the North American power system. One utility was recently fined $1.7 million when NERC found a number of violations, including three perimeter doors that had been altered so they didn’t lock “so people could enter without the burden of security,” among other issues.
HIPAA Violation
Healthcare businesses must comply with HIPAA regulations regarding the protection of patient health information, including limiting physical access to the data. Individuals who knowingly obtain or disclose such information face criminal penalties, including jail time. Even if a firm violates HIPAA rules unknowingly, it is still subject to fines of up to $50,000 per violation, up to an annual maximum of $1.5 million. Firms that are negligent in protecting their physical points of entry could be found responsible for disclosures perpetrated by intruders.
GLBA Violation
Any firm involved in financial services, from banks to mortgage lenders to car dealers, has to comply with the Gramm-Leach-Bliley Act, or GLBA, which requires firms to take steps to protect the privacy of customers’ financial data, including developing a written security plan and performing “a thorough risk analysis” to protect the data. Non-compliance carries a fine of $100,000 per violation and potential jail time of 5 years. As with HIPAA, firms that are negligent in their physical security could be found non-compliant.
Security Entrances Mitigate Risks and Liabilities
Security entrances are designed to prevent unauthorized intrusion and to meet regulatory compliance requirements. They provide a range of assurance levels, from models designed to support guarded entrances all the way up to unstaffed entrances with very high security levels. High security entrances actually eliminate tailgating while ensuring, through biometric authorization, that the individual entering the facility is the one who is authorized – and not another person carrying their credentials. In every case, security entrances mitigate unauthorized entry while allowing for two-way traffic and emergency exit. When unauthorized entry is addressed, several risks are mitigated at once – including both physical and cyber security threats. From a liability standpoint, blocking intruders reduces the risks to the personal safety and security of staff, visitors, and anyone else in the facility.
The entrances of your facility must be considered part of your whole security solution, both in the planning phase and on an ongoing basis. This is the best way to address and mitigate risk and to avoid potential liabilities, compliance violations, and expensive fines.
Written by Pierre Bourgeix
Pierre has over 20 years of solutions selling and consulting experience in the security industry, most recently as the owner of his own consulting company, ESICONVERGENT LLC. Pierre has an MBA in Business Administration from UCLA Anderson School of Management and resides in Cleveland, Ohio.
Company: Boon Edam Inc.