Centralizing Card Control
Networked access control card systems provide many benefits, but setting up the system can be a challenge. The experience of one distribution and transportation company that moved from a decentralized to a centralized access control approach for its headquarters and more than 40 branches offers lessons for any business thinking about integrating access control operations.
The upgrade, which began in July 2004, will take approximately one year to complete. It involves several steps, including selecting a technology, configuring the system, and determining a company standard for employee information and badges. The following overview looks at what that process entailed and the benefits that resulted.
Selecting a technology. Once management approved the project and allocated funding, an advisory team led by the author was created to determine specifics such as the type of hardware and software to be used. The company’s IT department acted as consultants and provided recommendations on the type of server needed to house the employee information and other technology requirements such as local area network (LAN) patches, which are used to facilitate communication between the different offices and the server, located in the Chicago office.
All company facilities with existing card access systems used Bosch ReadyKey hardware, which included controllers, card access panels, proximity card readers, and key cards. It made sense to work with and build on the systems already in place. The software powering the independent systems, however, did not support the enterprise solution, and a network enterprise software product from Blick (now Stanley Security Services) was purchased.
Blick software is designed specifically for ReadyKey products and forms the backbone of the enterprisewide solution. Blick was also involved with the database conversion, which incorporated employee data, such as access level and employment location, from the warehouse facilities and the company headquarters.
Configuring the system. The next step was the purchase of a server, which would house all information for the access control system. The server would be dedicated to the access control program and would have no other information stored on it.
The network administrator gave the server an IP address and connected it to the company’s LAN. Then, Blick software technicians converted a file containing the personnel information of all the company’s employees into a usable database. (More on this later.)
As the project progresses, master door controllers, connected to the LAN, will be in each of the 40 locations as well as the headquarters. Each master has four ports, meaning that four card readers can be connected. The master controller also has the ability to have up to 31 “slave” controllers connected to it. Like the master controller, the slave controllers also have the ability to house up to four card readers. This means that as many as 128 doors can be controlled by a single master-and-slave combination.
The headquarters office has 43 doors attached to 11 slave controllers, which are patched to one master. Most locations have fewer controlled doors than the headquarters building (usually six or less) and typically require only one master controller and one slave controller.
A Lantronix UDS-10 serial-to-Ethernet adapter was installed for every master controller to allow the access system to communicate across the company’s LAN. Once the UDS-10 adapter was connected, an IP address from the company’s LAN administrator was programmed into the unit using Microsoft HyperTerminal, making the communication with the network possible. The adapter was then installed inside the master controller cabinet and powered by a transformer to an electrical outlet.
The database. The headquarters location, with more than 1,200 employees, was the first site integrated into the enterprise system. As already noted, some sites already had the ReadyKey system; other sites did not have a card access system at all and relied on locks and keys to secure the facilities. However, even among those with the same system, the access control practices varied widely from location to location, and the database powering each system was inconsistent.
A standard format for the database had to be developed. The database would include the employee’s name, employee identification number, card identification number, and location of employment. In addition, specific information such as the time an employee could enter the facility and his or her access level would be included in the database.
The development of the standard format and the reinputting of all of the employee information into the new standard format was time consuming for the headquarters security staff. In fact, the work on the database was more complex than the advisory team had originally thought, and this temporarily slowed progress on the project.
Once there was a standard format, technicians from Blick converted the database from a workstation operating system to an enterprise system protocol.
The next step was to integrate the first site, headquarters, with the second site to be transitioned—the Chicago distribution center with approximately 800 employees. From start to finish, this integration took approximately one month. The number of workers at other distribution centers ranged from less than 100 to more than 400. Thus, it was less time consuming to run through this process for those other locations.
Maintenance of the database is now performed by headquarters security staff, who are charged with adding and removing employees as directed by the managers with the authority to make those personnel decisions.
The database is backed up daily, ensuring that if the data becomes corrupted, minimal damage or disruption will occur. Under the former decentralized system, local databases were backed up infrequently. Thus, the company was forced to pay thousands of dollars in information retrieval fees if the system crashed.
Cards/badges. The ReadyKey card access system was the standard for the company, as noted earlier, and it was not necessary for the company to purchase new card readers. But cards were another matter.
As a part of the enterprisewide card solution project, a standard company badge was developed. Management wanted a badge that would include the employee’s name, department, identification number, and color photo. It would also double as the access card used to activate the proximity reader.
All cards had to be replaced as each facility was brought online. As a part of the replacement process, administrators from each site took digital photos of every employee. These images were burned onto a CD and sent to the security staff at headquarters, along with the employee information needed for the database. The security staff printed each card, then enrolled each employee by entering the information into the database. Badges were generated and shipped to the distribution centers.
Contractors. The system is also set up to provide badges for contractors. These badges also double as cards that can unlock doors to restricted areas. Since the security officer can monitor the contractor’s movement using online access records, this function eliminates the need for the employee contact to remain with the contractor. The employee may return to work knowing that the card access system has a record of the contractor’s movement.
Contractor badges are formatted differently than employee badges and contain different colors. The design is intended to make it easy for security or other employees to see at a glance that someone in the building is a contractor, not a regular employee.
Visitors. The company also has a policy for visitors, which are given temporary badges, but these do not double as access cards. Each badge is printed on adhesive paper with the visitor’s name, photo, and date, plus the name of the person they are visiting.
These badges can be printed locally at each facility as the visitor arrives, using badging software, a desktop camera, and a printer. If a large group of visitors is expected, however, the badges can be printed by the headquarters staff in advance of the visit to prevent long lines at the local reception desk.
New employees. When a new employment offer is made to a candidate, a digital photo is taken. Human resources at the local site then notifies the headquarters staff that a new employee has been hired, typically three or four days before the employee arrives for his or her first day of work.
The digital photo, the data that will be printed on the badge, and the information that will be added into the access control database, including level of access and time zone information, are e-mailed to headquarters security. The information is then entered into the database, and the new user is enrolled in the access control system. In addition, the employee’s start date is entered into the system, which prevents the card from being used prior to the person’s first day. The badge is shipped overnight and is waiting for the new employee upon arrival for work.
Removing users. If an employee decides to leave the company voluntarily, such as through retirement or resignation, human resources notifies the headquarters staff and the employee’s last date is entered into the database. After the termination day, the employee’s card is deleted and his or her information is removed from the database. In addition, the access card is physically collected during the employee’s exit interview.
If an employee is terminated, however, a manager from the local site calls the headquarters manager, who then informs the security staff of the termination. The terminated employee’s card is automatically deactivated.
The employee’s information, however, remains in the system. Deactivating the card but retaining the data prevents the employee from entering, but it also allows management to monitor his or her attempts at entrance.
Benefits. Before the networked card solution was implemented, facilities with some form of readers and cards had access control administered locally by a designated employee, charged with performing all maintenance and updates to the system.
Because the systems and their administration varied widely, managers traveling from location to location couldn’t use their employee fob to access a site until it was enrolled and activated at the distribution center. Additionally, until the company’s card access badge standard was implemented, badge design varied from location to location. That made it harder for staff to see at a glance that someone had a company badge.
Another problem under the old system was that the access control designee was not exclusively involved with security. Administering the access control system was not considered that person’s primary function.
Under the new system, all of these problems have been addressed. One card gets an authorized employee into every building, badges have a consistent style across facilities, and all aspects of the access control program are performed by a designated security team centrally located at headquarters. Integrating the system in this way has had a tremendous impact on the company and has created a consistent level of security throughout each satellite office.
Productivity has increased now that access control is maintained and administered by a centralized security staff at the headquarters. That’s because employees at the distribution centers can focus on their primary duties, which often suffered because of their access control responsibilities.
Centralizing access control has also improved system maintenance. Under the old system, as noted, handling the access control system was just an add-on duty for nonsecurity personnel. These people sometimes did not bother to back up system data. Thus, if the system crashed due to, for example, a bad hard drive, the company had to pay a data recovery company thousands of dollars to retrieve the information and reconstruct the database.
The centralized system has given the company the opportunity to back up companywide information on a daily basis at one location, dramatically reducing the possibility that data will be lost and that consultants will have to be called in to handle recovery. In addition, software upgrades and security patches now are installed on the server, replacing the need for each distribution center having to download and execute the programs locally.
While the process of moving the company from localized access control to an enterprise access system has been time consuming and labor intensive, it has paid dividends in terms of employee productivity. This system has also created a benchmark, ensuring a consistent level of security throughout the company.
Thomas Frank, CPP, is the vice chairman for the ASIS International Crime and Loss Prevention Council and Co-chairman of the Workplace Violence Prevention and Response Guideline Committee. He has written several articles for Security Management. Mark Lesmeister, account manager at Integrated Security Solutions, contributed to this article.