How to Control Cards
Print Issue: November 2011
A KEY FEATURE of enterprise risk management is a good access control system. When managing an access control system, security professionals must consider how the program will be set up. What will be done, for example, with regard to different levels of access, restricted areas, time zones, holiday hours, and emergency lockdown capabilities? Access control should be set up as a layered system and should be granted depending on the actual access needs of users. After the system is established, checks and balances should be built into the operation. By taking these steps, managers can get what they want from an access control system and measure the outcome to determine that goals are met. Let’s look at how this would apply to vendors and employees.
When assigning access rights to employees, managers must limit the number of cards issued and the access allowed, retrieve cards, and run reports.
Limit cards and access. Managers should issue only one card for each person. There are some organizations that have numerous cards issued out to a single person. This practice only increases the risk of abuse. The companies I have encountered that give multiple cards to a single person justify this practice by pointing out that if that person loses one card, they have a spare. This is a risky policy and should be eliminated.
Similarly, only a few key personnel need around-the-clock access to a facility. Limiting access does mean more work in setting up time zones and restrictions in the access control system, but it will be worth the effort if something goes wrong and you find yourself facing a lawsuit. If an incident occurs, the fact that the company limited access to those who truly needed it could go far in convincing a jury that the company took reasonable measures to secure the facility.
Retrieve cards. Getting a card back from someone who has left the company should be a priority. First, the security department should have an arrangement with the human resources department to be notified when someone is leaving the company. The process should ensure that the person’s card becomes inactive on the last day, without exception.
Most companies already do this, but many companies have no process for ensuring that they get the card back. Why is that a problem if the card is inactive? Simply put, the company still has a badge out there that can be used for identification. In many places that’s all a person needs to get access to a building. Even though the access rights are turned off, there is no way to stop a terminated employee from following someone else through a door while it is open. If there are no internal controls used for access, and only a visible ID badge is needed to move throughout a facility undeterred, terminated employees are free to go anywhere until they are recognized by someone who knows that they are no longer employed. I am aware of several instances where an ex-employee gained access to a former employer’s premises using these techniques.
Some organizations allow vendors and contractors to have an access card, which, in a well-controlled system, may not be a problem. To do this, companies must consider their issuing rules, conduct audits, and scrutinize security contractors.
Issuing rules. Access control cards should be issued to a person, not a company. For example, a vendor that makes daily deliveries needs access to the loading dock. Instead of issuing a card to the company, issue it to the driver, using the driver’s name and photograph. If there are multiple drivers, you must decide whether to issue a credential to each driver or to a vehicle. Another option is to issue no card but require that the vendor be escorted or let in.
Cards issued to a vehicle are harder to monitor and control than cards issued to an individual. Since no one person is responsible for keeping track of the card, it is often lost. And there’s no way to ensure the integrity of each person using the card.
All access cards should be set to automatically expire if not used within a certain time frame. For example, if security issues a card to a vendor, and that card is not used within 60 to 90 days, security should disable that card or the software should be configured to do it automatically. What you will find in some cases is that vendors that said that they needed a card really didn’t. Many companies find that if a vendor does not use a card at least weekly, there really is no need to issue one. You can develop other protocols for those vendors to get limited access as needed without assuming the risk of having additional cards in circulation.
Audit. Setting up an audit program is critical. All vendors should be contacted quarterly to verify that they still have the card and that the employee to whom the card was issued still works there. If you do not already do this, and you design a new audit program now, you will likely find that vendors have lost cards or reassigned them to someone else. It is better to do the audits monthly rather than quarterly, but this is not always feasible.
As part of the audit, companies should have a policy in place that states that any vendor that does not reply to the audit within a certain period of time will have its access rights revoked. For example, if you are conducting a quarterly audit, indicate that the company has 15 days to reply. After this time, all cards will be shut off.
Also there should be a protocol for ensuring that the vendor did not just send back a message that all staff members are active and all cards are accounted for. One option is to randomly spot check some vendor employees or track a suspect company’s card use to reveal discrepancies between what the vendor reported and the real card use.
Companies that fail to take the audit seriously should face serious consequences. For example, such a vendor could have its current cards revoked and be forced to undergo a new application process. All vendors must understand that the company is serious about its building security.
Security contractors, especially the vendor that installs or maintains the access control system, should receive extra scrutiny. Some such vendors overstep their authority and grant themselves a higher level of access than they should have. For example, one medical center found that its access control vendor had given itself complete access to every area of the facility, including the pharmacy, medical records, labor and delivery, and administration. There was no need for the vendor to have that much access, and in some instances, it exposed the hospital to regulatory violations.
For liability reasons, companies should never give up control to an outside vendor. If your organization suffers a substantial loss or incident, you will not be able to defer all liability to an outside contractor, even if its employees designed, installed, and maintained your system. To minimize liability if that function is outsourced, companies must include language in the contract limiting security vendor access and requiring that the vendor’s use and control be audited as part of the overall system audits.
By running reports daily or at least weekly on the access control system, the security department will see activity on security breaches, attempted access by terminated employees or former vendors, and access at odd hours or in odd locations. Security should look for failed access attempts, lost or stolen badges being used, and staff trying to access areas that they should not be in either at all or after normal hours.
Each problem you find on the reports gives you the opportunity to investigate what happened and take steps to respond to security issues in a timely manner. This is what the access control system was designed to do. By controlling access by vendors and employees, security managers can get the most out of their systems while minimizing enterprise risk.
John M. White, CPP, is president of Protection Management, LLC, in Chico, California. He is a member of ASIS International.