A recent report found that the Department of Homeland Security (DHS) hasn’t always terminated Personal Identity Verification (PIV) cards or security clearances for ex-employees, and that many issues around access management remain. Although the Office of Inspector General (OIG) identified these weaknesses and offered clear recommendations back in 2018, many of these issues remain unresolved; others won’t be implemented until 2024. Of further concern, due to questionable record keeping, the exact magnitude of the problem can’t be determined.
Let’s explore how the Alert Enterprise Guardian Physical Identity Access Management (PIAM) specifically addresses the six most recent OIG recommendations and can help the DHS and companies across all industries digitally transform their identity security, credentialing and access management program.
Here’s what the OIG recommends:
- Require managers to notify security officials to revoke PIV cards and withdraw security clearances within a specific timeframe after individuals separate from DHS.
  Guardian’s automated workflows allow managers to easily initiate the revocation process, automate notifications and track the progress of the request through to completion, ensuring compliance with the specified timeframe.
- Strengthen internal processes to ensure accountability and oversight for all PIV cards that are collected and destroyed when individuals separate from DHS.
  Guardian’s built-in reporting and auditing capabilities allow managers to track the collection and destruction of PIV cards, providing:
  - Increased visibility and control of potential access risks
  - Quick proof of compliance through automated reporting
  - Reduced complexity and human error through consistent controls and policies
- Implement additional controls to ensure PIV card revocation and card destruction are completed and recorded when individuals separate from DHS.
  Guardian provides out-of-the-box content packs that implement industry best practices, regulatory compliance automation and active enforcement with a configurable rules engine. The platform creates a complete electronic record of all PIV cards, revocations and destructions, which can be used for auditing and compliance purposes.
  Guardian’s Asset Governance feature can manage the entire asset lifecycle in real time, including PIV cards, from the moment they’re assigned to end of life.
- Implement controls to ensure security clearance withdrawal dates are recorded in the Integrated Security Management System when individuals separate from DHS.
  Guardian’s integration framework provides easy connection with the DHS’s existing systems, allowing for controls and tracking of security clearance withdrawal dates throughout the entire identity lifecycle. Guardian also provides a running migration path from existing legacy Physical Access Control Systems (PACS) to newly selected systems without the risk of disruption or outage.
- Implement a solution to verify/validate the PIV card access termination process across the Department and a mechanism to monitor its effectiveness.
  When an off-boarding event occurs, Guardian deactivates badges and building access across all physical access control systems with a single click. You can define multiple termination scenarios based on your business processes and policies.
- Implement a solution to verify/validate the security clearance withdrawal process across DHS and a mechanism to monitor its effectiveness.
  Guardian provides an automated, centralized process to manage security clearance revocation, ensuring that all withdrawals are valid and in compliance with the DHS’s policies.
Tying it all together
A major overhaul of the DHS off-boarding process will certainly go a long way in creating a safety net and revoking access. However, that’s still not the be-all and end-all solution. If systems and departments operate in silos, a major gateway to security attacks will remain, because when systems don’t operate congruently, attacks can’t be effectively monitored or stopped in their tracks. That’s exactly what the Cybersecurity and Infrastructure Security Agency (CISA) warned against in its recent Cybersecurity and Infrastructure Security Convergence Action Guide.
As the only true cyber-physical security SaaS provider, we offer hundreds of out-of-the-box connectors to help converge physical security with IT, OT and HR systems. Whether it’s workplace access, visitor management, insider threat protection or anything in between, digital transformation and security convergence are the only ways forward, and they should be the first and foremost recommendation for the security challenges the Department of Homeland Security has been facing.