Controlling Access System Performance
Access control systems are ubiquitous in business environments, large and small. Companies invest in these systems expecting that they can keep out anyone not authorized to be on the property, which should result in a return on investment (ROI) through loss reduction. If that is to occur, however, the access control systems need to function as intended technically and administratively. In addition, the various individual systems must work together to support the company’s asset protection plan. In my experience, that doesn’t always happen. Following are some of the key steps security professionals can implement to help ensure that access control systems are effective and yield the hoped-for returns.
Keys and Locks
Mechanical key-and-lock sets remain the most commonly used access control tool. The problem is that users often inadvertently breach controls by duplicating keys.
For an organization that still relies on keys, it is important to use a standardized system with patented key blanks that cannot be copied by anyone but the manufacturer—no nipping off to the local hardware-store key cutter. There must also be protocols in place such as ensuring that any key blanks kept onsite are stored securely.
Modern key systems tend to include software management database capabilities like those used in electronic access control systems. They are used to keep track of where all lockset-controlled doors, cabinets, or other access points exist and to enroll new keyholders and to remove them when their right to hold keys expires. The database also keeps track of the manager to whom each keyholder reports. But just having the database is not sufficient.
Security should conduct a review of the key inventory and the keyholder database annually. This includes sending a report to each manager asking him or her to review the list and confirm that each employee, contractor, and other authorized user still requires a key and has that key in his or her possession. The manager should then note changes and additions, sign off on the report, and return it to security, where a staff member will promptly enter changes into the database.
Throughout the year, as employees and contractors leave or are terminated, security must scrutinize the keys when they are turned in to make sure that they are not illegal duplicates. This can happen even with a patented system if the supplier’s patent has run out. Security managers should, therefore, make it a point to know when the patents expire and be aware that illegal duplicates are possible if that occurs. They can factor this information into planning for future replacements of the key-and-lock system.
Each lockset’s performance should be checked regularly—perhaps once a quarter—and records of all troubleshooting should be retained, including the specifics of who performed each task.
Within some organizations, managers are allowed to purchase standalone locks to secure aspects of the physical area they oversee. These locks can be a hybrid of traditional and modern electronic locks, sometimes requiring a punch code or the use of an access card that is not tied to the larger electronic access control system.
If these additional standalone locks are present in the organization, even though they were not installed by the security department, the company should require that security be informed of their location, make, and model.
Security can include them in general audits of access control practices and address any concerns. For example, few nonsecurity practitioners realize that the punch-code varieties of these standalone locks will open with default codes, lists of which are freely available on the Internet. Those default codes need to be cleared out of the system because they become a significant vulnerability.
The security department must be able to open any door in an emergency; thus, it must have a mechanical override key, a record of the punch codes, or an access control card that can be used for each lock.
If the standalone system has the ability to record an audit trail, security must be able to access that data and obtain historic records of use in case they are needed for investigative purposes. The onus for this flow of information must be placed on the managers who bought and installed the lockset. These managers should also be required to give security a list of those with authorized access to the secured area.
Annually, security should produce a report for each manager of what it knows: where the lockset is located, its type, who controls it, and who has been given a punch code or pass key, as well as whether the punch code has been changed in the previous year. Managers should be asked to review this information, make any needed changes, sign it, and return it to security, which can use that information to update its own master records.
Electronic Access Control
To ensure that an electronic access control system operates at peak performance, security managers must regularly review the system’s access card issuance and collection procedures, the full roster of legitimate users and active cards, the status of upgrades, and the system’s proper technical operation. But this kind of careful review often does not occur.
For example, for the sake of convenience, some organizations that hold training programs send out temporary access control cards to attendees. This means that there is no need for enrollment when the individuals arrive, saving training time and not overwhelming the security department with enrollments on the first day attendees come to the facility. These cards are supposed to be collected at the end of the event and promptly terminated within the access control database. Unfortunately, I have seen systems that have thousands of extra active cards because of lax card control practices. It only takes one active access control card in the hands of a disgruntled employee to lead to a workplace violence incident.
New managers should be taught the importance of immediately reporting any change in employee status, but there will be cards that slip through the cracks and remain active after the cardholder should no longer have authorized access. To get these cards out of active status, the security manager should initiate a quarterly review of all active badges.
Reports should be created for the managers of each physical unit of a company (finance, executive offices, the mail room or loading dock, and other access-controlled areas), listing all known users with access rights, including any contractors, technical services providers, vendors, and temporary hires who have access rights. Also included should be the unique number of the access control card assigned to each individual.
The total number of active badges of employees, contractors, temporary hires, and others in the system must be accounted for. Managers of these areas must compare the users to the cards, strike those who no longer have access, and note any other changes.
In one case of which I am aware, a temporary hire left one unit for another in the company. His access rights to the original area were never revoked because his original manager did not tell security that he was no longer working with that unit. Later, the employee reentered the area using his still-valid access control card and caused damage to a project, setting its completion date back significantly.
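The quarterly badge review described above can be run as a reconciliation between an export of active cards and the current roster. The following Python is an added example, not part of the original article or any vendor's software; the CSV column names, the sample records, and the rule that a holder needs access only to their own unit's area are assumptions.

```python
import csv, io
from collections import defaultdict
from datetime import date

# Constructed sample exports; column names are assumptions, not a vendor format.
ACTIVE_CARDS = """card_number,holder,holder_type,area,expires
10021,A. Rivera,employee,finance,
10022,B. Chen,temporary,finance,
10023,G. Hale,employee,finance,
10340,Training Seat 07,training,training room,2024-03-15
10341,Training Seat 08,training,training room,2024-06-30
10500,C. Osei,contractor,loading dock,
"""
# Current roster as confirmed by the unit managers (constructed).
ROSTER = """holder,unit,manager
A. Rivera,finance,D. Patel
B. Chen,mail room,E. Novak
C. Osei,loading dock,F. Lindqvist
"""

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def review_active_cards(cards, roster, today):
    """Return (exceptions, per_area_report) for one quarterly badge review."""
    unit_of = {r["holder"]: r["unit"] for r in roster}
    exceptions, report = [], defaultdict(list)
    for c in cards:
        num, holder, area = c["card_number"], c["holder"], c["area"]
        # Every active card appears in the report for the area it opens.
        report[area].append((holder, c["holder_type"], num))
        if c["expires"]:
            # Event cards carry an end date; past it they should be terminated.
            if date.fromisoformat(c["expires"]) < today:
                exceptions.append((num, "event card still active after end date"))
        elif holder not in unit_of:
            exceptions.append((num, "holder not on current roster"))
        elif unit_of[holder] != area:
            # Simplifying assumption: a holder needs access only to their own unit.
            exceptions.append((num, f"holder moved to {unit_of[holder]}, keeps {area}"))
    return exceptions, dict(report)

if __name__ == "__main__":
    flagged, report = review_active_cards(load(ACTIVE_CARDS), load(ROSTER), date(2024, 4, 1))
    for area, holders in report.items():
        print(area, holders)
    for num, reason in flagged:
        print("REVIEW", num, reason)
```

Flagged cards go to the responsible manager for confirmation before security changes the database; the per-area lists are what each manager signs off on.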
Logins. A quarterly report should be run identifying all of those who have the right to log in to the access control system’s software and databases. Nonsecurity personnel who may be permitted to log in include receptionists enrolling guests, IT specialists, executives, employees at remote sites, or system integrators. The regular review of this report will lead to clearing from the system all persons who should no longer have the right to log in. Additionally, documentation should be kept on why each individual has been granted login rights.
Biometric access control eliminates the need for keys and cards but not the need to audit the system.
Biometrics also need special attention because the general population has reservations about their biometric enrollment data, such as fingerprints, being used for unintended purposes. Security can show employees that their personal templates are not being mishandled by sending regular reports to managers to verify that records match users and that former employees have their templates struck from the database.
Security should also be willing to show employees examples of what templates contain and how they are maintained and deleted. Over time, as existing employees see that the process of eliminating templates does occur as promised, they will be able to assure new hires that no abuses are occurring.
All access control hardware should be checked annually. To carry out this task, security managers and officers move from one door and access point to another, testing whatever kind of access control is in place to determine whether it locks or opens as it should and whether it correctly reports the interaction to the database. Any technology that does not function correctly should be reported for further testing and repair.
This process has the added benefit of familiarizing security officers with the components of the access control system.
Upgrades. Fewer security managers than might be expected know whether their systems have the latest software upgrades. (This also applies to the software management aspects of key-and-lock systems.) Periodic checks of the system must be made to ensure that any necessary software upgrades occur on schedule.
Security personnel should document which system has been upgraded. Additionally, all media associated with the systems that are kept onsite need to be regularly accounted for and stored in a safe and secure location.
A general review of how the access control system is administered should be conducted annually. The system’s report-writing functions should be checked, as should its audit trail, with the goal of determining not only that the function works as intended but also that its capabilities still fit the company’s needs; for example, is the storage capacity for data still sufficient?
The system maintenance agreements on all aspects of the access control system should be reviewed annually to make sure that the agreements will properly cover all services that need to be performed during the year ahead.
Throughout the year, the security manager should encourage users of the access control systems to give feedback on ways to improve system performance. One way to do this might be a quarterly e-mail encouraging user input.
These routine recordkeeping and auditing procedures won’t win security any awards. But they will help to ensure that the systems really do control access—and that’s the first step toward getting a true return on the company’s investment.
Earl E. Truncer III, CPP, is EAC consultant at Ingersoll Rand. He is a member of the ASIS International Physical Security Council.