Benefits of Master Planning
CREIGHTON UNIVERSITY, a private Jesuit Catholic college founded in 1878, sits on 108 acres in downtown Omaha, Nebraska, adjacent to the business district. In 2005, Creighton began a major expansion project. Several new educational facilities, along with two parking garages, went up over the course of two years. While determining what security technology would be used in these facilities, school officials realized that the university needed a master security plan to pull all of its disparate security functions together.
The university community of about 6,200 students and 2,500 faculty and staff had long ago been moved from a multicard environment to a single ID and access card for faculty and students. Brenda Hovden, who joined the university as director of card services in 1997 and who had become system administrator for physical security in 2005, was in charge of ensuring that the existing cards would be sufficient in light of the new expansion. She found that an upgrade of the card technology was necessary to meet greater memory requirements and ensure interoperability with the systems in the new buildings.
Fitting all of these new elements into the existing security environment proved difficult. “We found that security resources, especially information on policies and procedures, were not available to everyone who needed them,” says Hovden. That’s when the need for a comprehensive plan became obvious. “We needed a security master plan to pull everything together.”
The plan would provide a foundation for the university’s security program. Further, the plan would set out the procedures for future equipment purchases so that all those involved could have a say. Hovden called together a team of stakeholders and established a meeting schedule.
Six major stakeholders contributed to the security master plan. They were: IT security; physical security, which included public safety, card services, and facilities management; compliance; privacy; health sciences; and general counsel. “It was critical to have all of these departments on board,” says Hovden. “Without the work of any one of them, the project would have failed.”
The team charged with developing the master plan met once each month, communicating between meetings via an electronic mailing list using LISTSERV technology and a dedicated shared drive. Once the project was complete, the team continued to have regular meetings to assess progress. Now the group gets together once a quarter to ensure that everything stays on track.
“The most difficult part of the project was getting the team excited and making it a high priority,” says Hovden. The frequent meetings and reports were designed to help keep the team focused. Giving members only a short time between tasks helped emphasize the importance of the project.
Also, team members were required to delegate some of the work. “The nonglamorous grunt work had to happen, so we chopped the work into small bits,” says Hovden. “And we made sure that all the work did not go to the same person.”
Other department members were pulled in to help put up PDFs detailing enrollment procedures. In one instance, team members were required to provide detailed instructions on the steps they took to provide physical security access to students. For example, persons working in the radioactive labs needed to provide certain certifications that were not required of a student needing access to an animal laboratory. So one department member wrote out step-by-step instructions on how to enroll a student in a radioactive lab and another wrote out how to give access to someone using an animal lab. Other people detailed registering a guest lecturer or giving access to a contractor. This process helped make the work more manageable while also uncovering lapses in procedures.
To help motivate the team, the college frequently acknowledged the work that members did. For example, the university president thanked the team during his annual convocation.
One goal of the master plan was to help integrate security into the daily business of the university. In addition to addressing how future purchases would fit into the overall building architecture, the plan set out the policies and procedures related to security on campus, including monitoring and the special requirements for security in the residence halls.
Monitoring. Access control, fire alarms, CCTV, and various temperature and humidity sensors located in the laboratories are all monitored around the clock from one central location on campus by a team of private security officers. The alarms being monitored are integrated so that security can better control potentially dangerous situations. Fire alarms are integrated with door access. This means that if a fire alarm is triggered, dispatchers can ensure that all doors are unlocked and that relevant CCTV cameras are activated.
The master plan includes specifications for existing alarms and surveillance systems so that future equipment can be evaluated appropriately. Scalability has proven to be a major factor and has been set out as a priority in the master plan. The 55 new surveillance cameras to be added over the next year will bring the total number of cameras up to 140.
Residence halls. Residence hall security occupies a special section of the master plan because the halls serve different purposes at various times of the year.
The residence halls have two layers of security, with only the second active during the day. The main doors of the residence halls, which represent the first layer of security, are open during the week from 7:00 a.m. to 7:00 p.m., allowing access to the public part of the dorm. After hours, the doors stay closed and locked so that only residents can enter. They must swipe a magnetic stripe card to gain entrance. An internal magnetic stripe reader provides access to the sleeping areas. These internal doors are always locked. Individual rooms are protected by a standard lock and key.
When devising the master plan, the team determined that it would retain the magnetic stripe and key system for reasons of practicality and cost. Some of the residence halls become conference centers and hotels during the summer. The expense of switching to multipurpose cards made it cost-prohibitive to use them for temporary residents.
The team decided that everyone who authorized access should share their policies and procedures with others involved in security through a dedicated Web site. This sharing would meet the twin needs of access and security. For example, health sciences wanted to make sure that only certified personnel were allowed into the labs for compliance reasons. Security wanted to restrict lab access to those who needed to be there and to track movement in and out of the labs. The master plan needed to include instructions on how to meet both needs simultaneously.
The group also wanted to reduce redundancy by centralizing all the information. For example, under the existing arrangement at the university, the facilities department would work with labs to ensure compliance with access control protocols. Students would go through training with facilities so that they could work in the labs. Then, after completing the training, the student had to go to security to get access to the lab. Facilities didn’t have any way to tell security directly that the student had undergone training. The same situation applied if someone’s certification had expired or if there were requirements that specific students needed to meet.
According to Hovden, departments were holding on to data rather than sharing it with colleagues. There were no instructions on how security could set up access privileges to buildings or change existing access rights.
To address this problem, the group established a password-protected Web site where this sort of knowledge could be stored and shared. Now, when various departments need to know whether a student is authorized to do certain lab work, they can check the Web site, which is updated constantly. “We needed communications between labs—to give health sciences lab personnel the ability to extend experiment dates, for example, and give people access when they need it,” says Hovden.
The Web site also includes instructions from each department on its access control requirements along with any necessary forms and instructions. These are updated quarterly.
Territorial issues surfaced as a major obstacle early in the process. Because some tasks had two masters, these had to be divided equally. For example, facilities management and physical security often clashed because one department purchased security equipment, while the other was charged with maintaining it.
To deal with this issue, the team developed a design guide for purchasing new security equipment. The guide, which is included in the master plan as a generic document, is used as a starting point for each new security project.
All of the faculty and staff involved in a new project meet to determine what equipment will be purchased, thus ensuring that everyone has a say. The guide serves as a way to move the discussion along, because the various factors that must be considered are all set out and can be dealt with one by one. It also provides a common language, making it easier for those with different backgrounds to understand each other and to state their request in precise and accurate terms for architects and vendors.
The team used this design guide to determine the necessary features of the new access control cards. The university’s existing access control, a standalone Lenel On-Guard system, needed to be replaced. “The system was so old that we had run out of space,” notes Hovden. “I couldn’t use it until the server was upgraded.”
The group was tasked with deciding what sort of access control and ID card to purchase. The group decided to upgrade the access control system with a new Lenel integrated system along with an upgraded server from Lenel and a backup server. This was not surprising as the existing Lenel system, which they liked, was the basis of the criteria that had been codified as basic system requirements in the design guide. The team researched other systems but found none that better met the criteria.
When the new system went online, the university was able to immediately add 86 new card readers, bringing the total up to 287 across the campus. Another 100 will be brought on board within the year as the university opens a new learning center. Three more facilities are currently under construction, and two additional buildings are in the planning stage.
The group decided to purchase HID iCLASS access control cards for use with the new system. The card has two technologies, a magnetic stripe and a proximity feature, in one card. The new card needed a proximity feature for the parking garage and had to retain the magnetic stripe for several other applications, such as the wellness center, the library, and time and attendance at campus events. The card also serves as a photo ID. The university currently has more than 10,000 iCLASS cards on file.
In terms of card technology, the iCLASS technology is deemed sufficient for the foreseeable future, says Hovden. The university purchased cards with 16 KB memory chips. Almost all of that space is still available for future applications. “We may not need it right now, but we have the technology in place in case we use biometrics in the future, for example,” says Hovden.
To ensure that the master plan is complete and to locate any information gaps, Hovden has commissioned an internal audit and legal review of the security system. “We need to know if something isn’t working and also how to move forward,” she says. “We hope the audit helps further define issues such as when to purge transactions and records and what sort of archive we need to maintain.”
The system upgrade project, which took two years, required the dedication of all campus departments. The master plan helped to ensure their involvement and to keep everyone focused on the final objective, which has now been achieved.
Teresa Anderson is a senior editor at Security Management.