Compliance has evolved. While compliance is still about meeting government and agency regulations, many organizations are now looking at achieving compliance as just the tip of a safety and security iceberg.
In a recent webinar with Ident Solutions, we spoke about what compliance actually means to security and safety professionals, and why compliance should be a priority for organizations. Those reasons included avoiding fines, potential liabilities, and certification loss, as well as possible loss to your organization's reputation.
We spoke with McKay Johnson, Vice President of Sales with Ident Solutions, whose product FedCheck, is a screening system that goes beyond compliance and regulations. Instead, it’s about security, and achieving compliance is just a part of what an in-depth screening process is. Watch the webinar and see how compliance is evolving, and how FedCheck and Sign In Enterprise are partnering to take visitor screening beyond compliance to really be part of your safety and risk management plans and policies.
This webinar was all about compliance - other than satisfying these regulations, what other things should be considered when addressing safety?
Compliance screening is absolutely necessary for organizations that are required to meet those certain compliance obligations. And those are compliance obligations that the government has for organizations that are doing certain types of business. From a risk standpoint, for organizations that are engaging in trade or other types of businesses that require these certain types of compliance checks, the risks are significant fines and other penalties if they don't meet those obligations.
In reality, compliance screening itself does very little for overall safety and security for an organization. If we think about organizations that are concerned about safety that have safety teams, every security team has one main goal and that's to secure their people, their property, and their other assets. And so they deploy various different layers of security or security measures in their organization to accomplish this.
But within those very security measures, we've identified a clear gap in nearly everybody’s process and that's that they know nothing about their visitor. So when we talked about the question, ‘are there other things that should be considered', yes, absolutely. We should be asking ourselves, what do I know about this visitor that I'm about to give access to our facility, to our people? Do they pose a potential risk? Should I be letting them in in the first place? Those are the types of things that should be considered beyond just; do they show up on some type of watchlists that the government has out there?
It's one of the things that's interesting to consider, that no company would hire somebody without doing a background check or criminal history check on an individual. That’s because the risk and exposure would be too great. But organizations will allow hundreds, sometimes even thousands of people through their facilities every day or every year, and they don't know anything about them.
How is FedCheck different from traditional compliance screening?
When we query a name, we're hitting about 2,400 different databases that exist out there. Some of those are compliance databases and we hit databases related to trade.gov. A lot of individuals are familiar with Interpol and other watchlists and compliance lists that exist out there.
But by far the majority of the data set that we're querying is related to criminal history. And this is where we feel the true value of the system really comes into play. Yes, we can meet those compliance requirements. But what we do is make sure that this person coming in doesn't pose a risk from a security standpoint. We give this individual more of an identity, so we know how to engage with this individual and what kind of access to give.
What data do you collect through Sign In Enterprise and FedCheck and how does it work?
In the process with Sign In Enterprise, it's actually really smooth. When a visitor comes in and they check into the Sign In Enterprise platform, whether it be scanning an ID or through the various other methods that Sign In Enterprise has, what we need is a name and a date of birth. And that's the information from the visitor that we're collecting to make this query.
And then in the background, instantly Fedcheck goes out into the various databases and brings back a result. These queries are hitting the restricted party screening list and those compliance lists. But beyond that, we're talking about state and local law enforcement records, correctional data, court records - anything that really has to do with a criminal history and arrest records. We're searching that instantaneously in a single query.
Is this legal for organizations to make these kinds of checks?
This is the question we hear most often and the answer is, yes, absolutely you can. Yes, it is legal and businesses are within their rights to establish their own rules for admitting or denying people into their facilities. It's very similar to putting somebody through other safety protocols or other safety measures, such as a metal detector, or a bag check. It's important to note that all the information that's queried is publicly accessible data. And there are no federal laws preventing access to this type of information. Again, it's been used for years as a security tool. We just automated that process.
So even if you're not trying to do this for your compliance, you can still collect this data because it's part of your Security. Just as long as it's not used to make an employment decision. So in this case, we are talking about non-employees coming into a facility, visitors, contractors, volunteers, temporary workers, whoever that might be.
What do organizations do if they get a hit on someone’s name?
Let's say a visitor comes in and Fedcheck does a query and returns some criminal history information. What do organizations do now? It really depends on the organization, what their safety goals are, and other safety requirements. There are some organizations that we work with, especially in critical manufacturing, that say I can't have somebody in here that has previous assault charges or previous weapons charges. That would be a hard ‘no’ for them.
But it really depends on the information that's coming back and what their policies are. We would encourage organizations to establish some type of policy when it comes to the process of screening their visitors.
It is important to know that there is no expectation or requirement regarding actions towards a visitor that comes through. Just because you've made this query and you found that this person has a history of something, you are not required to take any kind of action. You simply can deploy whatever policies you think are best for your organization.
This may be that you deny access to an individual. It also may be that this person is now provided escorted access only. Or it could even be that this information is just simply used for situational awareness. Maybe all visitors are permitted access. But from a safety and security standpoint, we want to know what our exposure is and we want to have some awareness of who this individual is so we can act appropriately.
From FedCheck’s standpoint, we don't want to dictate any policy or anything regarding this. We just simply provide the data and we give the data to security people. It would be important for security to make sure they allow some space for recourse. So if an individual was to challenge the results, security should provide some space for them to be able to do so. The great thing is we do provide the who, what, when, and where of anything that may have been pulled up, so appropriate recourse could be taken if needed.
How dangerous is ‘human error’ and how seriously should organizations be with it?
The more you can do to automate and standardize your process; it's just going to reduce risk. So as you eliminate those possibilities of human error, such as writing people's names down on a sheet or writing down ID numbers, the more you can eliminate the possibility of human error. And that means you eliminate more holes within the security process.
Where things can fall through the cracks, and specifically when it pertains to what we do at FedCheck is, as you automate that process and eliminate any kind of human errors, the accuracy of those results is going to be better. We are going to do exact matches with names and dates of birth. And as far as the partnership with Sign In Enterprise is concerned, it becomes a seamless process for the visitor. The visitor continues to have a good visitor experience and also offers very little change management from a security standpoint. That’s Because FedCheck is operating in the background, seamlessly and instantaneously.
McKay Johnson is the VP of Sales at Ident Solutions. With over 10 years in professional tech sales, he has a passion for identifying customer’s needs to effectively provide solutions that add value. McKay is helping lead Ident Solutions’ strategy to ensure all organizations are safe and secure.