Operational security controls
Operational controls that maintain the security and integrity of ID system facilities, data centers, and equipment are paramount to protecting personal data. Data breaches can come from multiple internal and external sources, including employees who fail to follow security procedures, hackers who gain access to inadequately protected databases, and thieves who steal unsecured portable devices. In order to reduce these threats, ID system operators should employ state-of-the-art measures to reasonably prevent, detect, mitigate and respond to third-party attacks, unauthorized access, and malicious or fraudulent use.
There are many international standards aimed at improving data center management, security, and access control, including ISO/IEC 27001 (information security management systems), ISO/IEC 22301 (business continuity management), and ISO/IEC 55000 (asset management). In particular, ISO/IEC 27001 focuses on developing an information security management system (ISMS) that provides a systematic approach to securing sensitive information by applying a risk management process to people, processes, and IT systems.
Many organizations choose to gain ISO/IEC 27001 accreditation as proof of compliance; however, it may be more useful to take the standard as a baseline for information security management, alongside any other relevant standards such as the Payment Card Industry Data Security Standard (PCI DSS).
Operational controls must address both physical and virtual security. Virtual protections include:
Access control (Identity Access Management on all work stations);
Intrusion Detection Systems (IDS).
For physical assets, any security management strategy should also seek to implement measures that address the following concerns and questions, further described in Table 23:
Building and asset security. Visitors to any physical data centers, card-personalization centers, or other ID facilities and assets should be required to gain access through a rigorous building security process and, once admitted, be restricted to specific areas, assets, or systems based on their role and purpose.
Policies and processes. Policies and processes related to access control are only effective if they are well understood and regularly practiced by staff. Security training should be provided to all staff on an ongoing basis.
Staff. Security is a concern for everyone, particularly staff within ID facilities. Staff should be knowledgeable, vigilant and able to understand organizational objectives with regard to security.
Contractors. Where contractors or suppliers (e.g., engineers and cleaning staff) are regularly working within ID facilities, their credentials should be checked to ensure that the risk of a breach is mitigated.
Even with adequate safeguards or oversight, it is impossible to make a digital system completely immune from a breach. In the event that breaches do occur, breach notification laws generally require data controllers to inform individuals and/or authorities that a breach has occurred (see Table 23).
Table 23. High-level checklist for the physical security of ID systems
|Building & asset security||
|Policies & Processes||