Verifying identities is challenging. Here’s how partnerships can help.
Recently, tragic events have drawn attention to the challenge of truly knowing who people are, whether they belong inside a secured area, and if they’ve maintained compliance with access requirements that are designed to ensure safe and secure work environments.
As a co-founder of the Secure Worker Access Consortium (SWAC) – a community of contractors who support the construction, maintenance and operation of the World Trade Center and critical infrastructure in the New York area – I have had the honor and privilege of leading the technical development and operations of this unique public-private partnership. Our mission to understand who gains access to sensitive facilities and critical infrastructure has produced many valuable observations and lessons. This article will share some of the knowledge that we have gained as we have developed and improved the SWAC program and others like it over the past seven years.
Understanding the Insider Threat
When we ask, “Who accesses,” what does that mean? The generic answer – “employees, contractors, vendors and visitors” – is easy. Unfortunately, simply verifying that an individual was given an ID card has repeatedly proven ineffective and, in some cases, deadly.
Bad things rarely occur suddenly. Even when they do, the root cause can often be traced back to certain actions, or a lack of action. People do bad things, whether intentionally or not. It is our job as safety and security professionals to try and protect all who enter our facilities.
One threat, in particular – the “insider threat” – is a serious vulnerability that creates opportunities for highly undesirable events, including workplace violence, sabotage and theft.
The more we understand about an individual, the more effectively we can intervene before tragic events occur.
Developing a more comprehensive and effective identity profile requires a clear understanding of our current vulnerabilities. How do people hide personal information that would otherwise identify the threat they represent? Here are some of the vulnerabilities that we have identified, along with some of the risk mitigation techniques that can be employed.
Personal Misrepresentation Empowers Insider Threats
“Personal misrepresentation” refers to common ways in which people conceal attributes regarding their identity that may disqualify them from gaining access to a facility. These attributes include, for example, presentation of fraudulent identity documents or false claims to employment, academic degrees or professional certifications.
It is very difficult to validate the authenticity of government-issued identity documents. Fraudulent documents are readily available, many of which are indistinguishable from the real ones without specialized equipment. Yet, these very documents commonly serve as the baseline for measuring an individual’s identity and any related employment affiliations or educational achievements.
This places a burden on identity management program administrators to incorporate document authentication and identity verification processes in the enrollment process. Depending on the level of risk associated with a given program, different techniques can be utilized to meet this unique need. For example, at a basic level, an individual’s pedigree information (full name, date of birth, Social Security number, foreign visitor or immigration data) must be confirmed as valid, with checks against deceased individual registries and government watch lists. This is easily achievable via publicly-accessible databases at a reasonable cost.
As the risk at sensitive locations increases, so should our scrutiny of this critical identity information. If we cannot trust the personal identity verification process, how can we trust any additional screening or vetting that is conducted based on the subject’s pedigree data? We simply cannot. Failing to properly authenticate an individual’s identity presents a significant vulnerability to any security program. This vulnerability can easily be exploited to gain an inside advantage and, therefore, it must be addressed in the risk mitigation process.
Physical and Data Security
Ideally, we need to formalize how people register for participation in identity programs, using best practices for information collection, protection and authorized use. In fact, it is important to clearly understand and accept that with the collection of personal information comes the responsibility and duty to audit access to it and protect it from unauthorized exposure. This obligation begins with providing all participants with full disclosure regarding how personal data is used to verify other relevant security information. By presenting the required legal notices and collecting the relevant authorization forms at this early stage, program administrators can be assured that participants have knowingly provided consent for required investigations and have agreed to comply with the screening and vetting requirements of a given program. The ultimate goal is to find the appropriate balance between security requirements and privacy rights and expectations regarding the protection and limited use of personal information.
Document Authentication and Identity Verification
Secure locations that require individuals to present government-issued identification provide an excellent frontline opportunity to gain the trusted compliance of participating individuals and quickly validate the authenticity of identity claims. At trusted enrollment centers, documents presented can be technically analyzed for authenticity by verifying the embedded security features found in modern identity documents.
This critical step improves the integrity of any subsequent research regarding relevant personal attributes, such as verification of criminal background, employment history, certified skill sets or academic degrees. Similarly, an individual’s identity information is commonly used to track other relevant personal attributes that have an impact on compliance with safety and security best practices.
More than Validating Names
Just because I am who I claim to do not mean that I belong in a particular secured location at a given moment in time. Personal attributes such as past criminal behavior, emotional instability, civil litigation or extreme financial liabilities could all play a part in evaluating an individual’s suitability for access.
Unfortunately, there isn’t a one-size-fits-all identity profile. Security managers must evaluate their unique circumstances and implement safety and security procedures that suit the needs of broad-ranging risk profiles. For example, critical infrastructure protection programs generally rely upon the validation of an individual’s identity, potentially disqualifying criminal offenses and employment relationships with relevant organizations. Workplace safety programs may also incorporate safety or operations training in the compliance matrix. First responder and emergency management programs focus more on the various roles of emergency responders, how to ensure compliance with training requirements, and/or how to optimally deploy limited resources in response to natural disasters, hazardous incidents, and all types of domestic and international terrorism.
Complicating matters is the dynamic nature of this type of information. People’s lives change, and those changes can directly affect their ability to maintain compliance with criminal background standards, fitness evaluations, professional training and certification requirements, and employment policies. While an individual’s identity rarely changes, and once validated can generally be trusted, these personal attributes must be continually monitored in order to maintain trust over an extended period of time. Re-evaluation periods are dependent on local policies and must be adjusted accordingly.
Performance Histories Provide Valuable Intelligence
Taking a deeper dive into an individual’s performance history over time offers the opportunity to gain valuable intelligence. Given legal authorization during the enrollment process, identity management programs can facilitate the sharing of critical threat indicators among human resources, operations, and security professionals.
These indicators may result from the documentation of incidents involving violation of policies, adverse screening reports or employment reviews, or inflammatory workplace incidents. Relevant risk factors identified in incident reports may provide cause for re-evaluation, further investigation, or even revocation of an individual’s privileges. It is important to note that the value of incident reports may extend beyond a particular employment situation.
Perpetrators of undesirable events are often found to be repeat offenders, moving from one organization to another, leaving behind a recognizable and documented pattern of harmful behavior.
The challenge is to recognize those patterns and intervene early enough to prevent incidents that could result in large-scale public harm.
Monitoring of social media outlets has recently proven to be an effective tool in assessing the emotional stability and ideology of potentially threatening individuals. The right to review social media activity can be made a condition of employment and can be leveraged by appropriate ongoing screening and security initiatives.
As comprehensive identity profiles grow increasingly sensitive with the compilation of information provided by applicants, public data sources, human resources departments, employment screeners, certification authorities, and operations supervisors, it is imperative that agreed-upon privacy constraints are maintained in the aggregation, analysis, and use of personal data. Program administrators must utilize technology that audits and restricts access to information in accordance with program requirements and in support of privacy guarantees.
Programs Must Be Operational, Not Aspirational
Unfortunately, this type of critical information is almost always buried deep in back-office systems, inaccessible to operational personnel as access decisions are made. Or the input of data is so delayed that we are forced to be reactive to events, rather than proactively attempting to intervene. It is critical that we correct this underutilization of valuable and actionable intelligence.
It has become vital to our safety and security that we actively and continually assess who people are and whether or not they belong at a particular location at a specific moment in time. We have a responsibility to authenticate more than the individual.
To better protect our transportation systems, key resources, healthcare facilities, academic institutions and places of public gathering, we must:
- Positively identify people
- Confirm their employment affiliations
- Screen relevant personal history
- Enable real-time sharing of identity information to validate compliance with safety and security policies and procedures
Partnerships Enable Efficient, Effective Programs
It is unrealistic to think that any one agency or company can efficiently and effectively manage identity programs for all of the diverse groups of people that may enter its facilities. Contractors, vendors, and visitors each represent unique challenges outside of the tracking of regular employees. Further, internal tracking of employee information fails to provide valuable intelligence to other employers who may be susceptible to serial offenders.
However, it is commonplace for labor groups and contractors to provide skilled workers in support of large organizations and regional sensitive facility owners and operators. These are largely shared and transient workforces that build, maintain and operate our transportation systems, utilities, healthcare facilities, academic institutions, chemical and pharmaceutical plants and other sensitive facilities. Individual efforts to develop identity management programs can only result in a massive duplication of effort and, consequently, an unnecessarily increased risk of exposing sensitive personal data.
The creation of regional partnerships in the form of trusted communities that transcend traditional political, corporate and industry boundaries offers many benefits. Through the adoption of some basic standards and cooperative agreements, labor groups, contractors, vendors, human resources managers, certifying authorities, and security professionals can unite their efforts to ensure that the people who enter secure locations are appropriately skilled, known, and threat-free, in accordance with local requirements.
Benefits for All Participants
Individual participants will be relieved to know that paper copies of highly personal information no longer need to be stored in multiple, often unsecured, locations. Identity management technology offers the ability to securely collect individuals’ personal information, manage their compliance with program requirements, and authenticate relevant information as required without compromising privacy rights. Advanced encryption protects sensitive data at all times, and permission-based, need-to-know sharing of this information only occurs in conjunction with comprehensive auditing to guarantee user accountability. In order to maintain the trust and support of community participants, it is imperative that information sharing be restricted to only those personal attributes that are relevant to the security task at hand.
Labor groups have the opportunity to highlight their value, promoting known members’ qualifications, skill sets and performance records. Contractors can easily track the compliance of employees, knowing their efforts are in accordance with broadly accepted standards. Responding to diverse requirements at various work sites is an overwhelming burden. Labor can better meet industry needs with access to prequalified and certified workers who stand ready to support the safe and secure construction, maintenance and operation of America’s critical infrastructure and sensitive facilities.
Human resources directors can easily and efficiently verify an individual’s compliance with regulatory requirements and internal policies without the duplication of effort that is common in larger organizations that manage multiple facilities. Smaller organizations benefit from access to low-cost, hosted and managed solutions for maintaining compliance with otherwise complex and burdensome requirements.
Certifying authorities can more easily ensure that our nation’s workers are properly trained and maintain compliance with applicable continuing education requirements. In addition, the ability to selectively authorize access to training and professional certifications eliminates the administrative burden of repeatedly validating individuals’ records.
Finally, safety and security directors gain critical insight into relevant personal attributes that demonstrate compliance with local security protocols. Plus, threat indicators generated by incident reports provide valuable intelligence to security guards stationed at access points. Relieved of the burden of trying to identify and qualify access rights for people entering their facilities, attention can be directed toward other security initiatives and challenges.
What Can We Expect from Regional Programs?
The benefits only multiply as programs extend throughout large organizations, industries, and regions. But what tangible impact can we expect from operating these types of personnel assurance programs?
For starters, it is easy to accept that program participants will benefit from improved operational efficiency. Cooperative programs eliminate the burden on any single organization to invest in the development and maintenance of enrollment portals that securely collect participants’ personal information. Once an individual has been processed for employment at an organization, subsequent employers need not spend the time and money associated with repeating the enrollment process. With the proper authorization, and at no additional cost, each subsequent employer can gain access to an individual’s information, including background screening, training records, and other relevant personal attributes. Eliminating this duplication of effort among regional organizations has an immediate and positive impact on the efficiency of limited employment screening resources in each participating organization.
This efficiency contributes directly to the effectiveness of security operations. Personal data that is collected during the enrollment process, and the resulting identity profile that evolves as additional personal attributes are aggregated, deliver actionable intelligence that enhances the access control decision-making process at any single location. Extending this valuable information to otherwise disconnected entities (with proper authorization) enhances the effectiveness of local efforts to validate identity and trustworthiness prior to allowing access.
Sharing this vital security information throughout an industry or region improves the overall cooperative effort. With each participating organization contributing to the growth of a trusted community, the value of that community increases without attrition or loss. As individual members leave the employment of one entity, the value of their identity profiles extends to the next employer without additional cost. Because of the monumental task of managing identities for all employees, contractors, vendors, and visitors, the cooperation of this type is imperative for success. Further, once collaboration among organizations begins, their cooperative efforts tend to grow as valuable intelligence is exchanged and success stories are recognized.
The simple existence of trusted communities that are used to identify trusted resources and manage compliance with security procedures helps reduce the risk of unknown offenders entering sensitive locations. Published criteria and well-managed screening services tend to work in a self-cleansing manner, pushing undesirable individuals away from secured facilities toward locations without such stringent requirements. This “path of least resistance” methodology is commonly used by perpetrators to identify “soft targets.” The broader a community grows, the more risk is reduced through better coverage of regional vulnerabilities.
By working together to develop and maintain trusted communities, the overall efficiency and effectiveness of security efforts improves, with the cost of improvement distributed among participating organizations.
Competition has its place when it comes to who provides the best commercial product or service, or who has the best company softball team. But when it comes to the safety and security of our sensitive facilities and public landmarks, we absolutely must begin to work together.