Bringing Unbreachable Access Control to the Small Business World

Access control and security are pressing concerns for virtually all small and medium enterprises in the UK. No matter the industry in which a company is involved, the same security issues arise and, for most organizations, the same problems of finding robust solutions that protect premises from unwanted trespassers exist.

Currently external and internal access control to most buildings is by use of keys, keypads and swipe cards. All of these methods have obvious drawbacks as keys and swipe cards can be stolen or copied in order to gain illicit access to a premise whilst keypads rely on a user’s memory and integrity to maintain a trouble-free access control system for any organization.

By contrast a biometric access control system only allows authorized individuals entry to an area by inspecting an array of human physical characteristics that are unique to each and every individual on the planet.

Systems developed in the last five years can authenticate a person’s identity with total accuracy by comparing fingerprint patterns, iris structures and even facial features against a database that contains those same details and measurements of individuals allowed access to a particular building.

The obvious advantages of biometric access control systems based on unique human physical attributes are that it is impossible for an unwanted intruder to gain access by theft - there is nothing that can be stolen or replicated - and neither does a biometric system rely on the honesty and memory of an employee in the way that a keypad system does.

In simple terms a biometric access control system is extremely secure because it relies on unique human physical attributes that cannot be stolen or replicated. The system is unbreakable by any unauthorized personnel or unwanted visitors. It is an ultimate and incorruptible key.

Many people are aware of biometrics because we see the media stories about the technology now being integrated into passports so that more accurate citizen identifications can be made at airports by passport control officials. News stories such as these give a misleading impression that biometric access control is very expensive to install and is the preserve of governments, multinational corporations and extremely well-heeled celebrities.

In actual fact, top quality biometric systems are now being designed and sold with the needs and resources of small and medium sized businesses specifically in mind. Normally utilizing fingerprint pads located outside entrances, the retail systems now available have impeccable pedigree as they use the same technology that has been rigorously and repeatedly security tested by governments and multinational corporations keen to protect their own interests at almost any costs. Such systems can now be commonly installed and operated by smaller businesses with no upfront costs and a low monthly service charge.

At first glance the types of businesses that can benefit from the added security of biometric access control are self-evident: leisure centres; retail outlets; industrial unit tenants; serviced office blocks and so on. Almost all companies operating in sectors such as these can improve their security and access control arrangements by installing biometric fingerprint pads at both external entrance points and at restricted areas within buildings.

But biometric access control systems should not just be thought of in the context of upgraded preventative security measures. For many companies, the installation of an unbreachable access control system is a real business positive! As well as entitling many organizations to lower commercial insurance rates, the presence of a biometric system can actively bring in valuable extra customer business.

Owners of businesses that protect and store securely the property of others can use biometric access control as a value-added selling point. Bonded warehouse, self-storage operators and private safe deposit box companies are all examples of enterprises that can gain extra income from the installation of biometric access control.

More important than the protection of goods to many businesses is the protection of people. Nurseries, retirement homes and hospices are all businesses that can offer added peace of mind to existing and potential customers by installing biometric access control systems.

At the moment the potential for the use of biometric access control within small and medium sized enterprises has scarcely been touched by those who sell systems. This will change dramatically as business proprietors become aware of the advantages of biometric systems over conventional access and security measures employed currently.

And given that robust proven systems are already available at low cost outlay, it is actually very probable that the inevitable move towards biometrics is more likely to become a stampede among small and medium sized business proprietors over the next couple of years.

Peter Dickson is a marketing specialist currently employed by Easydentic, a pan-European biometric security company. They can be found online at http://www.easydentic.com

Access Control - Who Has Access To Registrant Data?

As a busy event planner – in seemingly endless contact with venues, catering companies, and the oh-so-demanding event sponsor – can you afford to spend time developing registration spreadsheets, keeping track of each registrant’s information, recording travel and hotel details, and taking and processing credit card info? For most event planners, the answer is a resounding no. The process of registration is often the straw that breaks the camel’s back, causing an event planner’s stress level to rise to supreme heights. Keeping track of all the technicalities of registration is a full time job that many planners are still attempting to juggle along with planning the event itself.

So, with the vast reach and simplicity of the internet, why are so many event planners hesitant to switch to an online registration company that will take care of all these technicalities for them? The answer is simple: they either don’t know about it, or they are worried that such companies could in fact complicate their lives. How can I know that information being put out on the internet will be safe? What if my registrants’ information is compromised? Will the online registration company use or sell my registrants’ information after they have it in their System?

With the right company, all of these questions can be avoided because registrants’ information will be secure and held safe for the sole use of the event planner. Even more importantly, with the right registration company, credit card information will be encrypted to the highest degree allowed by law, guaranteed by a SSL (Secure Socket Layer) encryption testing company, such as Thawte. Once you have chosen a company that you know to be secure, you will enjoy features such as an event website with its own URL for registration, custom reports, and the ability to export reports to a wide variety of formats. Using a safe and secure online registration system can simplify the event planning process while increasing registration! And you can be sure that registrants’ personal and financial information will be protected at the highest possible levels.

Registrant and event planner information that is protected to the highest degree possible offers you a guarantee that the information will be stored exclusively for the event planner’s use and will only be stored as long as is necessary. Holding to such standards, ensures that the event registration system is highly resistant to any breach, but if a breach does, in fact, occur, the system will have been monitored so effectively that it can be traced a remedied with accuracy and speed. A vulnerability recovery plan like this one is an essential part of upholding a strong security system to ensure that the system will not be breached. Your registrants will know that their information is safe.

Manually collecting registrations has long been one of the most tedious jobs involved in the event planning process, but it is no longer necessary for event coordinators if they choose a company that will offer the highest possible level of security so that they can enjoy the ease of use of such a comprehensive online registration system. With no need to worry whether or not their information will be hacker-safe, registrants will flock to your event because registering online is truly a far easier process than completing registration be old-fashioned snail-mail. Although giving up control over such a vital piece of the event planning process can be a frightening concept, doing your research to find a company that offers the strongest security for your registrants’ data, will save you time to deal with all of the other details of planning your next fantastic event.

Ryan is a member of the marketing team for RegOnline, a producer of easy-to-use conference registration software, and a company dedicated to making event planners' lives easier.

Two Factor Authentication - A Secure Method of Access Control

The corporate network infrastructure can withhold a huge amount of data relevant to the company. It is imperative that this data has restricted access, and can not be viewed by unauthorised personnel. There are many ways of implementing an ‘Access Control’ solution which generally utilise a username/ password scenario or possibly having an agent on the end user point that verifies its authenticity. However, for increased protection to highly sensitive networks it is strongly advisable to consider a more secure approach. ‘Two Factor Authentication’ provides a solution to this scenario which is trusted and utilised in the most security conscious of environments including banks and finance sectors.

So why is the old username/ password system considered inappropriate by many top establishments? Firstly the username is generally easy to guess. In normal circumstances it will be based on a very simple formula which revolves around the employees name, which is the same formula used for all employees. So the first step in the process is already relatively insecure. Secondly, the username is combined with a password that goes hand in hand with the username. Passwords are generally easier to guess than people acknowledge and can vary around birthdays, mothers’ maiden names, and are probably very similar to passwords they use for a variety of other accounts. This is generally because so many accounts require passwords; users try to make them as simple as possible so they won’t forget them themselves. To make matters worse, many companies have the policy that passwords expire on a regular basis and force their employees to constantly change them. How does this make matters worse? Well it actually makes the password harder to remember for the operator, who is generally the weakest link in your company’s security. If the operator finds it hard to remember then they are likely to leave a reminder somewhere so they don’t forget themselves. This can be a post it note on the monitor or scraps of paper around the desk either under the keyboard, in the top drawer or in the nearby vicinity.

So what does ‘Two Factor Authentication’ offer? Using this method the user will require an additional piece of information in conjunction with their username/ password to gain access to the network. There are various vendors out there providing different versions of this solution, though the common approach is for a ‘token’ to be issued. The token is a small device which will comfortably fit into your pocket and is quite often able to attach onto your key ring. At any one time the token will display a numerical value. This value will provide an authorisation code unique to the individual employee that when combined with the username/ password will grant access to the network. How is this secure? Well the numerical value on the token changes every 60 seconds. The network infrastructure will be aware of the number that is expected and will verify it against the number being produced. If they match, then the connection will be successful otherwise they are not allowed to connect. This provides huge advances for the security of the network as this token won’t be found next to the computer when the user is away and due to the sheer complexity of the algorithms used to generate the values, the code has never been cracked. Even if someone was given the formula, they couldn’t process the figures quick enough to calculate the next number in anywhere near under a minute. In fact competitions are held regularly where some of the top mathematical minds are allowed months to attempt it, and it is still safe. Also, each number can only be used once, so if a number is compromised after the users fingers are seen typing the digits in, and a hacker tries to repeat that code within the 60 second window, it will already be void.

It also provides a solution for commuting staff that are looking to obtain remote access. They can use this process across a remote access solution, and are able to verify themselves in a very safe and secure manner. No agents will be required to be uploaded to the end user point so staff are not necessarily restricted to what computer they can access the infrastructure on.

This is a brief introduction to ‘Two Factor Authentication’ and provides a very strong and trusted solution for Network Managers.

‘Secure in the Knowledge’

Dean Grimshawe is Head of Marketing at Toranet Ltd - The Network Security Specialists. Toranet work closely with businesses to provide an intricate balance between access and security. By optimising this relationship companies are able to secure their infrastructure while still experiencing efficiency. This scenario produces the greatest return on investment for the client. For further information visit http://www.toranet.net

Burglar & Intruder Alarms-Protecting Home & Family-Business Access Control

Not too long ago our burglar alarm was a dog and very good neighbours. Today we have very sophisticated systems that few occupiers really understand.

No matter whether your intruder alarm is a basic DIY system, wireless burglar alarm or complex state-of-the-art integrated access control and security system, the principle is very much the same.

Let's take a look at how Circuit Alarms, Basic Motion Detectors, and more Advanced Motion Sensors work.

Circuit alarms come in two types: closed circuit and open circuit.

The concept is identical: electricity travels through the circuit protecting a door or window. With an open circuit, the current is not completed until the door or window is open, this triggers the alarm. The downside to this intruder alarm system is that all the burglar needs to do is cut the wires; this prevents the circuit from being completed.

Whereas a closed circuit intruder alarm, the current is broken when the door or window is opened, thus triggering the alarm.

All intruder alarms have a control panel and vary in complexity. They either have a keypad or traditional key to arm and disarm the burglar alarm. It is likely to have 'zones'; each zone represents a protected area. When the intruder alarm is activated, the control panel will sound internally as well as repeater sounding much louder through an external box, which may also flash. The control panel and external box will keep sounding until it is reset with a predetermined code or key.

The control panel should be sited in a place where the burglar cannot easily find and interfere with it.

Closed circuit burglar alarms are generally used as perimeter protection but be mindful that although the circuit goes around the door or window frame, if a panel is remove from the door, a window is removed without breaking the circuit, the intruder alarm will not be activated.

A motion detector offers an excellent back up. You may see these called PIR detectors and are located high up in corners, flashing each time they detect motion, even when the burglar alarm is off.

You can surround your home with a closed circuit alarm system that will sound the alarm when an intruder breaks the circuit. But once the criminal is inside, you need a whole different approach to how burglar alarms work. Motion detectors can assist in opening automatic doors and gate by detecting people approach. They can switch lights on too.

More advanced are passive infrared (PIR) motion sensors that see the heat given off by a person's body. The PIR measures the average room temperature and triggers the alarm when the energy rises rapidly, particularly when a human, whose average body temperature is 98.6 degrees, enters a room with an average of say 80-degrees

Don't worry about setting the alarm off when you enter a room, generally there is delay of a few seconds enabling you to reach the control box and disengage the alarm before setting it off.

If you have pets, don't forget to inform your security consult so that special PIR units can be sited in such a way that allows pets to roam without activating the system. . There are more advanced motion sensors, photo-sensor motion detectors for example. A beam of light is shone across an area in your property. When someone walks through the beam, it is broken and the sensor triggers the alarm.

A good intruder alarm system would combine both circuit and motion sensor alarms, thus providing you with two lines of protection against burglars

Digby Farquart is a UK security consultant and crime prevention advisor He writes articles for top sites such as UK Security Directory and Crime Prevention

Access Control Security Systems

An access control system provides a high level of security in your homes and offices. An access control system keeps restricted areas protected from intruders and permits access only to authorized personnel. An access control system even records the entrance time of employees. It protects and secures the people, documents and equipment of a certain facility. An access control system is very functional in buildings with multiple entry points. Entries and exits through these doors are controlled by the access control system using different types of security devices. The most common is the control panel which features numbered buttons or a touch sensitive screen that is connected to the lock and release system of the door. A specific pin code is entered by the employee and validated by the access control system.

The second device employed by the access control system is the Magstripe Reader which is also called the Swipe Card reader. The employee is issued an encoded card which he or she will swipe to disable the door’s locking system. Oftentimes, the encoded card also serves as his employee ID. Access control systems also use Proximity Readers and Long Range Readers. These sensors can detect an encoded card without the need for swiping. The former detects the card at a short distance of about 100 millimeters while the latter can sense a card from a distance of about 1 meter. As quick and non-contact methods of entry, these were designed to comply with the Disability Discrimination Act.

The Smartcard Reader enables the access control system to process additional information for other company services. Time-ins and outs, for example, are recorded. The access control system can also be interfaced with the company’s payroll system, parking system, catering and vending services.

Finally, access control systems that features the Biometric Fingerprint Reader use specific characteristics like finger prints and eye scans to identify personnel that can access a specific room. This system is highly accurate and avoids problems such as stolen or lost cards. Identifying visitors or non-employees with the access control system is possible through three methods - a door bell system that alerts the staff, an audio intercom system which allows the visitor to converse with the staff and an audio intercom system equipped with camera that allows the staff to view and identify the visitor. If access permitted, the entrance door is remotely unlocked and an escort is provided to welcome and guide the visitor. Cards or tags are also issued for proper identification.

In designing and installing a highly effective access control system, evaluate carefully the number of entry and exit points of the building, their locations, the level of security you need, traffic flow of people in the building, its operations and processes and future development plans. An additional feature you can consider is the integration of your access control system with the fire alarm of the building. Finally, purchase necessary equipment only from organizations approved by NSI (NACOSS).

The Wonders of Access Control Security Systems

Do you feel secured on your own home? Well, if you do not feel secured, then it is time for you to review and assess your security options. There should be no reasons why you should feel unsafe with your family in your own home. In this matter, all comes with the security and location.

Of course, one of your main concerns when searching a place and a house is the crime rate. You want to make sure you find and live in a safe neighborhood or community. Secondly, you would want to secure your house in the right and according to your fashion.

When it comes to security measures, you should give everything what is right for your safety. Your priority and effort should benefit you and your family. Now, its time for you find and choose the right security system. Whether, it is alarm sirens, surveillance cameras, heavy duty dead bolts, and access control security systems. These options are available to provide you the security you may want.

Access control security systems can offer security in your home. It restricts access outsiders and is perfect for those evil minds that may want to get into your house. One feature when it comes to access control security system is the thumb print door lock. No one can unlock your door even with any lock pick set that are mostly used by criminals. Only your thumbprint can gain access to your door.

In addition to the thumbprint door lock security access, surveillance cameras are exceptional devices that you may want to add. This will help you keep an open eye on your property 24 hours a day. You can even installed a built in picture catcher that will take shots every 5 seconds. This will take shots virtually to everyone that approaches or get inside within your vicinity. It is always good to know who are dropping by.

You can even go all out by installing an infrared security camera that designed purposely to see through the darkness of night. There are just so many options to choose from for an ideal access control security system for your home. As a homeowner, always think that installing a security system is one of the most efficient deterrents available.

Many criminals out there are opportunity offenders. Do not give them any chances of possibly getting their way to penetrate to your home. Most likely, a burglar won't find it easy having an installed access control security system. Take the necessity of having these efficient devices that will certainly provide the security you want.

Home security is one issue to which you should need to give considerable thought and priority. The access control security system is a proven device that can provide protection. You may shop in the internet for sites that offers high quality and cheaper gadgets that you may want to have in your home. Always remember that security in your home is very important nowadays because of the growing number of cases burglaries.

Dave Poon is an accomplished writer who specializes in the latest in Alarm Security Systems. For more information regarding Access Control Security System please drop by at http://www.alarmsystemworld.com/.

Electronic Medical Billing Software, HIPAA Compliance, and Role Based Access Control

HIPAA compliance requires special focus and effort as failure to comply carries significant risk of damage and penalties. A practice with multiple separate systems for patient scheduling, electronic medical records, and billing, requires multiple separate HIPAA management efforts. This article presents an integrated approach to HIPAA compliance and outlines key HIPAA terminology, principles, and requirements to help the practice owner to ensure HIPAA compliance by medical billing service and software vendors.

The last decade of the previous century witnessed accelerating proliferation of digital technology in health care, which, along with reduced costs and greater service quality, introduced new and greater risks for accidental disclosure of personal health information.

The Health insurance Portability and Accountability Act (HIPAA) was passed in 1996 by Congress to establish national standards for privacy and security of personal health data. The Privacy Rule, written by the US Department of Health and Human Services took effect on April 14, 2003.

Failure to comply with HIPAA risks accreditation and reputation damage, lawsuits by federal government, financial penalties, ranging from $100 to $250,000, and imprisonment, ranging from one year to ten years.

Protected Health Information (PHI)

The key term of HIPAA is Protected Health Information (PHI), which includes anything that can be used to identify an individual and any information shared with other health care providers or clearinghouses in any media (digital, verbal, recorded voice, faxed, printed, or written). Information that can be used to identify an individual includes:

1. Name
2. Dates (except year)
3. Zip code of more than 3 digits, telephone and fax numbers, email
4. Social security numbers
5. Medical record numbers
6. Health plan numbers
7. License numbers
8. Photographs

    

    

 

Information shared with other healthcare providers or clearinghouses

1. Nursing and physician notes
2. Billing and other treatment records

    

    

 

Principles of HIPAA

HIPAA intends to allow smooth flow of PHI for healthcare operations subject to patient's consent but prohibit any flow of unauthorized PHI for any other purposes. Healthcare operations include treatment, payment, care quality assessment, competence review training, accreditation, insurance rating, auditing, and legal procedures.

HIPAA promotes fair information practices and requires those with access to PHI to safeguard it. Fair information practices means that a subject must be allowed

1. Access to PHI,
2. Correction for errors and completeness, and
3. Knowledge of others who use PHI

    

    

 

Safeguarding of PHI means that the persons that hold PHI must

1. Be accountable for own use and disclosure
2. Have a legal recourse to combat violations

    

    

 

HIPAA Implementation Process

HIPAA implementation begins upon making assumptions about PHI disclosure threat model. The implementation includes both pre-emptive and retroactive controls and involves process, technology, and personnel aspects.

A threat model helps understanding the purpose of HIPAA implementation process. It includes assumptions about

1. Threat nature (Accidental disclosure by insiders? Access for profit? ),
2. Source of threat (outsider or insider?),
3. Means of potential threat (break in, physical intrusion, computer hack, virus?),
4. Specific kind of data at risk (patient identification, financials, medical?), and
5. Scale (how many patient records threatened?).

    

    

 

HIPAA process must include clearly stated policy, educational materials and events, clear enforcement means, a schedule for testing of HIPAA compliance, and means for continued transparency about HIPAA compliance. Stated policy typically includes a statement of least privilege data access to complete the job, definition of PHI and incident monitoring and reporting procedures. Educational materials may include case studies, control questions, and a schedule of review seminars for personnel.

Technology Requirements for HIPAA Compliance

Technology implementation of HIPAA proceeds in stages from logical data definition to physical data center to network.

 

 

 

1. To assure physical data center security, the manager must
   1. Lock data center
   2. Manage access list
   3. Track data center access with closed circuit TV cameras to monitor both internal and external building activities
   4. Protect access to data center with 24 x 7 onsite security
   5. Protect backup data
   6. Test recovery procedure

    

    

2. For network security, the data center must have special facilities for
   1. Secure networking - firewall protection, encrypted data transfer only
   2. Network access monitoring and report auditing

    

    

3. For data security, the manager must have
   1. Individual authentication - individual logins and passwords
   2. Role Based Access Control (see below)
   3. Audit trails - all access to all data fields tracked and recorded
   4. Data discipline - Limited ability to download data

    

    

 

Role Based Access Control (RBAC)

RBAC improves convenience and flexibility of systems management. Greater convenience helps reducing the errors of commission and omission in granting access privileges to users. Greater flexibility helps implement the policy of least privilege, where the users are granted only as much privileges as required for completing their job.

RBAC promotes economies of scale, because the frequency of changes of role definition for a single user is higher than the frequency of changes of role definitions across entire organization. Thus, to make a massive change of privileges for a large number of users with same set of privileges, the administrator only makes changes to the role definition.

Hierarchical RBAC further promotes economies of scale and reduces the likelihood of errors. It allows redefining roles by inheriting privileges assigned to roles in the higher hierarchical level.

RBAC is based on establishing a set of user profiles or roles according to responsibilities. Each role has a predefined set of privileges. The user acquires privileges by receiving membership in the role or assignment of a profile by the administrator.

Every time when the definition of the role changes along with the set of privileges that is required to complete the job associated with the role, the administrator needs only to redefine the privileges of the role. The privileges of all of the users that have this role get redefined automatically.

Similarly, if the role of a single user is changed, the only operation that needs to be performed is the reassignment of the user profile, which will redefine user's access privileges automatically according to the new profile.

Summary

HIPAA compliance requires special practice management attention. A practice with multiple separate systems for scheduling, electronic medical records, and billing, requires multiple separate HIPAA management efforts. An integrated system reduces the complexity of HIPAA implementation. By outsourcing technology to a HIPAA-compliant vendor of vericle-like technology solution on an ASP or SaaS basis, HIPAA management overhead can be eliminated (see companion papers on ASP and SaaS for medical billing).

Yuval Lirov, PhD, author of Practicing Profitability - Network Effect for Revenue Cycle Control in Healthcare Clinic and Chiropractic Office: Scheduling, SOAP Notes, Care Plans, Coding, Billing, Collections, and Audit Risk (Affinity Billing) and Mission Critical Systems Management (Prentice Hall), inventor of patents in Artificial Intelligence and Computer Security, and CEO of Vericle.net - Distributed Billing and Practice Management Technologies. Yuval invites you to register to the next webinar on audit risk at BillingPrecision.com

Access Control and Security for Self-Storage Facilities

What is access control and security for self storage and why do I need it? The
quick answer is that access control allows you to control who enters your property
and its various sectors. There are many different ways to control access to your
property such as fences and security gates, doorways, lifts, etc. Any of these can
be controlled with an access control device. In the storage industry, the most popular
is a keypad or reader with customer-specific PIN numbers. Others are proximity cards
for customers to carry, or fingerprint readers, a form of a biometric device. Access
control also allows you to specify the time that a customer can enter the facility.
Some tenants could access during the day alone and others might be granted 24-hour
access, an attractive option for many commercial accoubts.

Access control systems can be integrated with the management software, sometimes
referred to as accounting software. This integration allows for a single point of
entry for customer information. When you “move in” the customer in the management
software, the information is automatically transmitted to the access control system,
setting the customer code and allowing access to the facility. If the customer becomes
delinquent or past due, the management software automatically notifies the access
control program and the guilty tenants are automatically locked out. This feature
increases your opportunity to collect the past due rent, helping to prevent customer
move-outs, especially after the office has closed.

To ensure tighter security, individual door alarms can also be employed. An alarm
device mounts in or outside of each unit. One unique approach to alarming each door
includes the use of a Latch Switch. It mounts on the door rail and detects the latch
as it passes through the switch. This offers a higher degree of security, is an
easier and quicker installation than standard track mounts, and it eliminates many
false alarm conditions that can occur with other methods. When a customer uses the
keypad to enter the facility, their specific alarm is turned off or disarmed. When
they exit the facility, their individual alarm is turned on or re-armed. This allows
the detection of unauthorized entry to specific units.

For example, individual door alarms protect a facility from the “inside job.”
This would be in a case of a person renting a storage space to gain access to the
facility. They then take their time cutting locks on random units and moving the
selected items to their rented space. Since individual door alarms track the unauthorized
entry and the opening and closing of units, this type of crime is very easy to detect.

Why use access control and security? There are many answers to this question
including more control of your property and more time for managers to rent storage
space, maintain your property, etc. But perhaps the biggest reason is that many
self-storage customers want better security. They’re voting with their feet by choosing
more modern facilities. Because of this, more owners are discovering that security
features provide a valuable differentiation that brings more marketing power and
more profit, a sufficient incentive for any owner.

Steve Cooper is a member of the marketing team of Digitech International Inc.,
which has provided self-storage security solutions for more than two decades. For
information, call 800.523.9504; visit
http://www.digitech-intl.com

Access Control - What Is Access Control?

Access control, is a term taken from the linguistic world of security. It means,
in general - the execution of constrictions and limitations on whoever tries to
invade a certain protected property. These restrictions, or it you'd like - the
access control elements, manifest physically in locks, keys, electronic and digital
means. Ofcouse, a person guarding an entrance, is also practicing access control.

What are the common most types of access control?

I would take a very obvious guess and suggest that the reader of this article
has several types of access control around him or her - let us take a quick survey
around them. Starting off with the computer in front you. Large percentage of computer
users have an antivirus running on their computer, a firewall, a pop-up blocker
and other programs all with access control functions. All of these guard us from
intruders of sorts. They inspect everything that sits on the computer or trying
to enter it and smartly enough let it in or leave it out. Since computers have sophisticated
access control capabilities - they can ask for authentication, look for digital
signatures, encryption methods and so much.

Now, if you would leave your comfortable computer chair for a moment and go out
the room - you would probably pass through a door. This door much like the windows
close to it - is the most popular access control method in any basic home security.
Taking it from the basic to the more complicated - take a look at the door's handle.
You have to twist or pull the handle in order to open the door, don't you? This
is access control at it's very core. Without this handle and it's inner mechanism,
it would be swinging, and won't stop anyone - not even a domestic kitten. Below
the handle, we may find a lock of sorts (most probably a cylinder lock) and a keyhole.
This lock will, hopefully stop anyone trying to get through the door - but hasn't
got the key. In the 21st Century we see more and more keypads, or if you'd like
keyless entry
systems. These will replace one day our ordinary set of keys.

In today's world, these locks and keys are beginning to look differently. As
technology progresses, the locks of today got smarter - they can recognize patterns
of your physical features, your voice,
fingerprint
locks read your fingerprints. Access control has a fascinating ever progressing
evolution, it's a rapidly growing market - and in the near future may manifest it
self in ways we cannot even imagine.

Recognize and be Able to Differentiate and Explain the Following Access Control Models

· MAC (Mandatory Access Control)

· DAC (Discretionary Access Control)

· RBAC (Role Based Access Control)

To understand MAC, DAC and RBAC you must first understand Access Control.

Access Control is the control of user and process control access to network and
operating system resources. For example, many spyware and adware applications not
only download themselves on to your computer without your permission, but they also
help themselves to your systems CPU, hard drive and memory. What happens to most
of us is that we get hit with 10 or 15 of these applications by accessing the Internet
without protection. Imagine 10 to 15 badly written memory hogs using your CPU and
memory to access your cached references to your web surfing habits (or worse credit
card, ssn) and send that potentially valuable information to some server in Nigeria
or Russia.

Mandatory Access Control (MAC)

Mandatory Access Control is military grade security. Like DAC, it has been around
since the 60’s. With MAC, the security on all resources are strictly policy controlled.
All processes and users (or subjects) must specifically given permission to access
a resource (or object).

Subjects are given a number indicating their level of access. Subjects can access
any object with a lower number. With modern military and national security systems
this permissions matrix is supplemented with a classification level.

Discrestionary Access Control (DAC)

Discretionary Access Control is where a subject has control over an object. In
this case a “subject” could be a home user. And lets say the home user has admin
privileges because he wants to download applications like Kazaa Lite ++. The “object”
or resource is Money Quick, a financial application that creates important bank
account spreadsheets.

The home user is no fool so he locks the Money Quick application down so that
only the administrator has permissions to the file. She is the only administrator
on the computer so there is no problem right? Wrong. With DAC any application that
runs while the current user is logged on has the same permissions.

So, the home user finds Kazaa Lite ++ on Internet and downloads it. The shareware
app is of course loaded with all kinds of spyware, adware, Trojan filth that goes
directly for her Money Quick software.

Is very popular and has been in use primarily in the commercial and academic
worlds since the ’60’s.

Role Based Access Control (RBAC)

Role Based Access Control is fairly new and is considered the evolution of the
DAC & MAC. With RBAC, each subject is assigned a role. Users without roles can be
put into groups that pertain to a certain department or job such as sales or management.
Objects only allow subjects on a permission basis. Modern operating systems such
as Solaris, Linux and Window 2k/XP/03 are perfect example of how Role Based Access
Control works.

The RBAC started in the 1990s and fully materialized in the RBAC96. There is
currently a lot of research being done on the RBAC.

Rob Elam has authors the eLamb ★ Computer security blog at
http://elamb.org. He has been doing
security for the Department of the Defence for 10 years and is currently a System
Security Engineer in Colorado.

Do You Apply Access Control to Your Home?

Sure you do, whenever you lock your entrance door before leaving, even if you
may not have heard this name before.

Access Control is the term used generally to indicate all the provisions that
can be deployed to deny free admittance to a building, to an apartment, or to the
content of a safe.

The purpose is to make sure that only people having the right or the clearance
required for getting through can in fact cross the threshold.

Essentially the same procedure, however simplified, takes place when you open
the entrance door of your home with one or more keys. You don’t leave it unlocked,
even when you are at home, do you?

Unfortunately not always a locked door is a guarantee against burglary and theft.
Burglars need not look for the right key. They may use other means to force and
destroy the door without bothering with the lock.

Why a sturdy door with a solid lock should however be in place? Mainly for deterrence.
One should always convey the notion that it will take burglars too long to crush
the door down, longer than what they may be willing to spend in the task.

When the arms are full of parcels it maybe a nuisance to open a door with keys.
In the dark it may be hard to locate the keyhole, unless you use a key ring with
a small light included. Furthermore keys can get lost or stolen and copied, and
then locks have to be changed.

Therefore, to limit the bother and to save on workforce, new means were devised,
especially for institutions where employees have frequent need to go through controlled
entrances but where keys would be a burden.

The most used means are plastic cards, possibly with a name, a photo and a magnetic
strip to be inserted in the controller slot. A code to be typed on the keypad may
or may not be requested.

Voice recognition systems are operated hands free, a feature that may be welcomed
sometimes. They are smart enough not be cheated by recorded voice.

The ultimate devices for individual recognition are biometric identification
units. Every person has individual traits different from those of anyone else. Those
most used are fingerprints and iris scans (the colored ring of the eye). A catalog
of prerecorded data, relative to all authorized persons, permits to screen rapidly
crowds of people even in busy airports.

In order to anticipate emergencies when large numbers of people must evacuate
a place for safety in a hurry, emergency exits with one way locks have to be prepared,
to be easily opened from the inside.

In conclusion one should know enough of Access Control to be able to select practical
and proven provisions for the security of every place one is responsible for.

Elia Levi is a retired engineer.

He built a website to assist with a step-by-step Guide to understand, design, select
and set up, all by yourself the best and least expensive Surveillance System for
your Home Security. Read more on the subject of this article at

http://www.1st-diy-home-surveillance-guide.com/Access-control.html

Access Control in the 21st Century

Ever since mankind first took shelter in the branches of a tree of the darkness of a cave there has existed a basic human need to keep insiders secure and outsiders excluded; a need for access control. Countless strategies have evolved since those ancient days to best effect this goal. Guards relying on their senses to detect and their fighting ability to repulse intruders were perhaps the earliest and simplest solution but we have come a long way since then: the door served as a useful screen to privacy but required the locking bar to serve as protection and, much later, the key to serve as a selective barrier.

Drawbridges, portcullises, gates, all these and many more were but places along the road to modern access control. The challenge has always been to design an efficient means of entrance and / or egress while not allowing that point to become a critical weakness in a structure's defenses. For the modern individual, access control to one's home, business, vehicle etc. is thankfully no longer a need only to be met by a fallible human sentinel or crude, easily-bypassed mechanical means such as a key. The inherent weakness of the key is that it may be easily duplicated, misplaced or pilfered by those to whom access is disallowed. Further, the lock itself is unavoidably a point of vulnerability, susceptible as it is intended to be to physical manipulation. The lock and key system is rendered obsolete by keyless entry systems such as biometrics.

Biometrics, from the Greek words "bios," life and "metron," measurement, is the science of ascertaining a person's identity by analyzing their distinct physical and behavioral traits. Employed as a means of access control, biometric systems take the forms of such as fingerprint-readers and, though such devices may seem like the stuff of science fiction to many, voice and retina-recognition systems. A huge advantage biometric technologies enjoy over other modern forms of keyless entry such as PIN or Personal Identification Numbers is that such systems are once again reliant on fallible human agencies, in this case memory or on stored data which, like the humble key, can be copied, lost or stolen. Biometrics however, depend on nothing other than the unique, in-alterable characteristics of the individual to whom access has been authorized. As an example, it is very improbable for the person, to whom access to a particular area is granted, to lose their hand or have it stolen. Duplication of an individuals hand to the degree necessary to fool a sophisticated biometric access control system such as a fingerprint-reader is, assuming it is even possible at all, certainly a more challenging prospect than say, that of duplicating a keycard. Thus it can be seen by this limited illustration just how far access control has come and what an outstanding level of security and convenience modern systems can provide.

Rob Hargreaves - An American Locksmith

Smart Cards and Access Control - A Look Into the Not Too Distant Future

Highly popular in Europe and Asia, smart cards are making a strong impact in America.

Originally requiring contact with the reader in order to transfer information, manufacturers have begun building proximity, non-contact type cards that transfer bi-directional data utilizing RFID technology.

By encoding the cards and the readers with 64-bit encrypted "keys", manufacturers are able to provide highly secure credentials for access and simultaneously open up a whole new world of possible applications for proximity cards.

The data chips on smart cards can be segregated into separate application areas. Some manufactures provide as many as 16-different application areas. Each application area can be provided with its own unique 64-bit "key" so that only specific readers can access the information in that area.

In other words, you can have a reader in the library that has the 64-bit key to application area # 4 where the card stores all of your library information including which books you have checked out and not returned. A reader in the cafeteria has the 64-bit key to application area # 6 which debits money from your account for food purchases. The reader on the student housing building has the 64-bit key to application area # 1 where your card access level information is stored which grants you access into the dormitory.

With the advances in smart card technology, manufacturers are working on stand alone readers and locksets that are essentially "off-line" but they will still be able to integrate with P.C. based electronic access control systems.

The stand alone ?smart? locks will incorporate smart card readers with the ability to write the transaction back to the smart card. A person could visit hundreds of the "off-line" readers and when he reads his card at an "on-line" reader, the stored transactions would be downloaded to the database. If a person is fired, or taken out of the database for any reason, the "on-line" system can write the necessary information deleting the card, to each card that it reads. In this way, the information is transferred to the "off-line" readers telling them to delete the access privileges of the card.

Theoretically, this will allow large users of access control systems to customize their solutions and provide a mix of on-line and off-line readers that can be centrally managed while taking advantage of their existing communication infrastructure.

Another popular feature of smart cards is the ability to store biometric access control templates which allows faster response from biometric authentication readers. This innovative approach to biometric technology allows you to carry around your biometric template with you, rather than having it stored on the computer or the reader itself.

Because the template comparison becomes a one to one versus a one to many, it frees up valuable processor time and hard drive storage space, which allows the new bread of biometric readers to work very quickly.

Very soon, when you use your credit card at a point of sale, you might have to present your finger to a biometric reader to verify your identity. Not long after that, even internet transactions will be authenticated using some form of smart cards and biometric identification.

Get ready America, as all of these transactions are sure to use some type of Smart Card Technology!

Roy Stephenson is a Security Consultant with over 21 Years Experience Designing and Installing High End Integrated Security Systems. He is currently the VP of Marketing at http://www.Security-Kits.Com

Electronic Access Control Systems - The Key to Crime Prevention

In my role as a Security Consultant, I have been on countless appointments at companies that do not have a comprehensive key management plan in place. It?s not really that uncommon of a problem and it can quickly get out of control.

Almost every home and office is secured with a lock and a key. Most people have a key chain to help them keep track of these important symbols of modern society. House keys, office keys, garage keys and several car keys usually rattle around in most people?s pockets or purses.

Even though lock and key mechanisms incorporate many modern security features they are still susceptible to being lost, stolen or copied. Another inherent weakness in lock and keys is that anyone with a key can enter your building any time they want.

Each year, companies spend hundreds of thousands of dollars re-keying buildings because someone lost a set of keys or an employee was fired who did not return a set of building keys?

Do you know how many grand master keys have been issued in your building? Can you reasonably say with confidence that none of your keys have been copied by less than ethical employees? Do you have employee?s entering your office at odd hours? Has your building ever been left unlocked?

If you have experienced any of the preceding issues, perhaps and Electronic Access Control System is the ?key?. An Electronic Access Control System can provide you with an effective solution to your key management nightmare while providing a very potent tool in your overall security management plan.

Take back those keys! A properly deployed electronic access control system will allow you to secure your facility and deter crimes by limiting access to authorized personnel and separating public from private areas.

The capabilities of electronic access control systems vary greatly. They range from single door stand alone systems that you program through a keypad, to medium sized computer based systems, to the top of the line "enterprise" systems that have the ability to communicate control thousands of card readers on multiple continents.

Electronic Access Control Systems have some very basic things in common. Each of them will allow you to control who goes where and when in your facility by requiring the presentation of a unique credential at a Card Reader or a PIN pad and they can be set up to provide you with a report of who has entered your building.

There are several manufacturers that provide 1 to 4 door solutions that are programmed through a keypad or a remote software package. Some of the higher end burglar alarm systems can also control access on up to 4 doors.

These smaller systems provide fully controlled access to individuals based on the door, the date and the time. Some of them allow you to hook up a form feed dot matrix printer directly to the controller in order to get reports. Most of these systems are limited to less than 4 doors and a couple of hundred users/credentials.

Many people who use the 1-4 door systems will usually program cards to work 24 hours a day because it can be difficult and time consuming to manage multiple time groups or limit an individual?s access.

That?s not to say that you cannot provide full date and time limited access control with a 1-4 door system, but if your application requires periodic updates and multiple users, you may want to consider a more sophisticated solution. A good application for a 1-4 door system would be a remotely managed multi-tenant building without an on site manager.

Lower to mid range P.C. based solutions can be provided that control access on 1 to 32 doors of access. Systems in this range can provide controlled access to several thousand users. They are a good choice if your intention is to allow keyless entry on a limited number of doors at a single site and run some limited reports.

Most electronic access systems in the low to mid range are Windows based software applications that use MSDE or other off the shelf database software; therefore the reporting features are fairly limited.

In addition, the low to mid range systems have limited abilities to monitor alarms, provide video badging, integrate with 3rd party databases or interface with other systems such as CCTV or Burglar Alarms.

There are literally dozens of manufacturers flooding the small to mid range market and their offerings vary greatly. You would be wise to perform some due diligence and ask for local references from any vendor that you may be considering.

Enterprise Level Access Control Systems occupy the top tier of entry control systems. There are only a handful of manufacturers that can truly call themselves an "Enterprise Level" solution. These highly sophisticated systems are true security management systems that can easily and effectively handle thousands of card readers, hundreds of thousands of cards, and a multitude of workstations spread all across the globe.

An Enterprise Level Solution has integrated single point of entry video badging, seamless integration to CCTV systems and Digital Video Recorders, true real time alarm handling with live on line graphics pages and full blown database solutions like SQL Server or Oracle.

Enterprise Level Access Control systems utilize door processing units or access control panels that can communicate via RS422/485 and TCP/IP Protocol. Enterprise Level Systems are only sold through factory trained and authorized systems integrators who have a proven track record and fully staffed service departments.

If you need an Enterprise Level Access Control System, I highly recommend that you perform your due diligence on both the manufacturer and the security companies that you are considering. Make sure that you choose a reputable Security Company or a Systems Integrator that has a strong computer networking background to perform and support the installation. Ask for several references of projects of a similar size and scope from both the manufacturer and the Systems Integrator. Interview each reference thoroughly before you make a purchasing decision.

You will thank me later!

Roy Stephenson is a Security Consultant with over 21 Years Experience Designing and Installing High End Integrated Security Systems. He is currently the VP of Marketing at http://www.Security-Kits.Com and http://www.EZWatchstore.com

Medical Billing, HIPAA Compliance, and Role Based Access Control

HIPAA compliance requires special focus and effort as failure to comply carries significant risk of damage and penalties. A practice with multiple separate systems for patient scheduling, electronic medical records, and billing, requires multiple separate HIPAA management efforts. This article presents an integrated approach to HIPAA compliance and outlines key HIPAA terminology, principles, and requirements to help the practice owner to ensure HIPAA compliance by medical billing service and software vendors.

The last decade of the previous century witnessed accelerating proliferation of digital technology in health care, which, along with reduced costs and greater service quality, introduced new and greater risks for accidental disclosure of personal health information.

The Health insurance Portability and Accountability Act (HIPAA) was passed in 1996 by Congress to establish national standards for privacy and security of personal health data. The Privacy Rule, written by the US Department of Health and Human Services took effect on April 14, 2003.

Failure to comply with HIPAA risks accreditation and reputation damage, lawsuits by federal government, financial penalties, ranging from $100 to $250,000, and imprisonment, ranging from one year to ten years.

Protected Health Information (PHI)

The key term of HIPAA is Protected Health Information (PHI), which includes anything that can be used to identify an individual and any information shared with other health care providers or clearinghouses in any media (digital, verbal, recorded voice, faxed, printed, or written). Information that can be used to identify an individual includes:

1. Name
2. Dates (except year)
3. Zip code of more than 3 digits, telephone and fax numbers, email
4. Social security numbers
5. Medical record numbers
6. Health plan numbers
7. License numbers
8. Photographs

Information shared with other healthcare providers or clearinghouses

1. Nursing and physician notes
2. Billing and other treatment records

Principles of HIPAA

HIPAA intends to allow smooth flow of PHI for healthcare operations subject to patient's consent but prohibit any flow of unauthorized PHI for any other purposes. Healthcare operations include treatment, payment, care quality assessment, competence review training, accreditation, insurance rating, auditing, and legal procedures.

HIPAA promotes fair information practices and requires those with access to PHI to safeguard it. Fair information practices means that a subject must be allowed

1. Access to PHI,
2. Correction for errors and completeness, and
3. Knowledge of others who use PHI

Safeguarding of PHI means that the persons that hold PHI must

1. Be accountable for own use and disclosure
2. Have a legal recourse to combat violations

HIPAA Implementation Process

HIPAA implementation begins upon making assumptions about PHI disclosure threat model. The implementation includes both pre-emptive and retroactive controls and involves process, technology, and personnel aspects.

A threat model helps understanding the purpose of HIPAA implementation process. It includes assumptions about

1. Threat nature (Accidental disclosure by insiders? Access for profit? ),
2. Source of threat (outsider or insider?),
3. Means of potential threat (break in, physical intrusion, computer hack, virus?),
4. Specific kind of data at risk (patient identification, financials, medical?), and
5. Scale (how many patient records threatened?).

HIPAA process must include clearly stated policy, educational materials and events, clear enforcement means, a schedule for testing of HIPAA compliance, and means for continued transparency about HIPAA compliance. Stated policy typically includes a statement of least privilege data access to complete the job, definition of PHI and incident monitoring and reporting procedures. Educational materials may include case studies, control questions, and a schedule of review seminars for personnel.

Technology Requirements for HIPAA Compliance

Technology implementation of HIPAA proceeds in stages from logical data definition to physical data center to network.

1. To assure physical data center security, the manager must
   1. Lock data center
   2. Manage access list
   3. Track data center access with closed circuit TV cameras to monitor both internal and external building activities
   4. Protect access to data center with 24 x 7 onsite security
   5. Protect backup data
   6. Test recovery procedure

2. For network security, the data center must have special facilities for
   1. Secure networking - firewall protection, encrypted data transfer only
   2. Network access monitoring and report auditing

3. For data security, the manager must have
   1. Individual authentication - individual logins and passwords
   2. Role Based Access Control (see below)
   3. Audit trails - all access to all data fields tracked and recorded
   4. Data discipline - Limited ability to download data

Role Based Access Control (RBAC)

RBAC improves convenience and flexibility of systems management. Greater convenience helps reducing the errors of commission and omission in granting access privileges to users. Greater flexibility helps implement the policy of least privilege, where the users are granted only as much privileges as required for completing their job.

RBAC promotes economies of scale, because the frequency of changes of role definition for a single user is higher than the frequency of changes of role definitions across entire organization. Thus, to make a massive change of privileges for a large number of users with same set of privileges, the administrator only makes changes to the role definition.

Hierarchical RBAC further promotes economies of scale and reduces the likelihood of errors. It allows redefining roles by inheriting privileges assigned to roles in the higher hierarchical level.

RBAC is based on establishing a set of user profiles or roles according to responsibilities. Each role has a predefined set of privileges. The user acquires privileges by receiving membership in the role or assignment of a profile by the administrator.

Every time when the definition of the role changes along with the set of privileges that is required to complete the job associated with the role, the administrator needs only to redefine the privileges of the role. The privileges of all of the users that have this role get redefined automatically.

Similarly, if the role of a single user is changed, the only operation that needs to be performed is the reassignment of the user profile, which will redefine user's access privileges automatically according to the new profile.

Summary

HIPAA compliance requires special practice management attention. A practice with multiple separate systems for scheduling, electronic medical records, and billing, requires multiple separate HIPAA management efforts. An integrated system reduces the complexity of HIPAA implementation. By outsourcing technology to a HIPAA-compliant vendor of vericle-like technology solution on an ASP or SaaS basis, HIPAA management overhead can be eliminated (see companion papers on ASP and SaaS for medical billing).

Yuval Lirov, PhD, author of "Mission Critical Systems Management" (Prentice Hall) , inventor of multiple patents in artificial intelligence and computer security, and CEO of Vericle.com Billing Technologies. Vericle delivers comprehensive practice workflow engine that integrates patient scheduling, electronic medical records (EMR), billing, transcription, and compliance management. By consolidating technology for hundreds of separate billing services, Vericle? tracks payer performance from a single point of control, shares compliance rules globally, and creates massive economies of scale. Yuval invites you to share your knowledge of medical billing and compliance at BillingWiki.com and register to the next webinar on audit risk at ChiroAudit.com.

Biometric Access Control - Your Finger is the Key to Crime Prevention

Biometric Identification has been around for many years. In the beginning, it was extremely expensive and cost prohibitive and would only be found in the highest security applications. Since 9/11, biometric readers have become increasingly popular and subsequently more cost effective.

Current Biometric Readers include Hand Geometry, Fingerprint, Iris Scan, Passive Facial Recognition, Active Infrared Facial Recognition, Voice Pattern Recognition and blood vessel authentication.

Biometric readers can be stand alone, networked or part of a large P.C. based solution, but no matter which technology is being utilized, each biometric reader will require that a baseline template be provided for comparison purposes. This means a couple of things.

* Each and every person must enroll in the system to create a baseline template
* Every template needs to be stored for comparison either in the computer software or at the reader

The first biometric readers were standalone controllers that stored all of the templates at the reader itself. When a person presented their "credential", whether it was a finger, hand or iris, it needed to be compared to the "template" as stored in the reader. In the case of multiple users, this became a ?one to many? comparison and the reader had to search through its library of templates until it found one that matched. In larger systems with multiple users, this could take several seconds before a match was confirmed.

To speed up the process, manufacturers started storing the biometric templates on central computers that could sort through the templates faster and provide a quicker match.

Eventually, someone came up with the brilliant idea that a ?one to one? comparison would be much quicker than a ?one to many? comparison and require less processing time. Keypads were added to the readers and users were issued Personal Identification Numbers (PIN?s) that essentially called up their template for an immediate ?one to one? comparison.

This simple innovation made biometric readers capable of much faster throughput times and therefore more widely accepted. No longer were there lines at the reader waiting to get in.

Off course, we live in America, and people are very concerned with their personal privacy. An employer storing your biometric information is dangerous, right...Not to mention that storing individual biometric templates on a computer takes up a lot of room on a server.

Security Equipment Manufacturers have solved this dilemma with the advent of smart card technology. Highly popular in Europe and Asia, smart cards are making a strong impact in America. Manufacturers have begun building proximity non-contact type cards that transfer bi-directional data utilizing radio frequency identification (RFID) technology.

Smart cards are in essence read/writable data chips that are used to store and transfer information. Some of them are capable of holding up to 16-kilobits of data that can only be accessed by readers through the use of a 64-bit encrypted "key". This recent innovation provides highly secure credentials for access control systems without the need to store and transfer biometric templates for each person enrolled into the system.

You now enroll and carry your identification templates around with you on your own RFID Proximity Smart Card. The readers download the template from your card and compare it to your fingerprint, Iris, or whatever credential you are using for verification.

If they match, and you have access to the door, it unlocks. You see, your finger really can be the key?.

Roy Stephenson is a Security Consultant with over 21 Years Experience Designing and Installing High End Integrated Security Systems. He is currently the VP of Marketing at http://www.Security-Kits.Com