Access Control Security
Access control security can mean different things to different people. It could refer to a key lock, electronic card readers, biometric systems such as hand, fingerprint or iris scanners, cipher locks, or entry portals that are staffed and require that someone let you into an area. Regardless of the type of access control security system your organization utilizes, it all comes down to controlling access.
Electronic Access Control Security Benefits
In many cases the benefit of an electronic access control system is that it will often save on manpower, such as staffing a security officer or other employee at an entrance to let someone in or out, or even issuing keys to employees.
Electronic access control systems will also make it easier to assign access rights to staff members or others and can normally be set to restrict the times, days, and places where the card can be utilized. The system administrator can also set expiration dates for individual and group accounts, as well as many other administrative features, some of which are often underutilized.
Access Control Security Vulnerabilities
When properly managed, an access control security system can be administered so that there are few or no security vulnerabilities, and can therefore provide a very high level of security. However, in some cases very little effort is put into the planning, setup and ongoing management of access control security systems.
So how is your system set up? When was the last time you audited the access rights your system assigns to staff in your organization? You might be surprised to hear that in many cases, once a system is installed, there is often very little ongoing management.
Case in point: an organization issued a Request for Proposal for an access control system for a multi-campus system. They received several proposals, and after a review period they assigned the project to a nationally known security integrator, who installed and programmed it. However, it was found that the installer had set up all staff with the same access rights, even though there should have been different access rights based on job responsibilities and security clearances.
In this case the end user was not aware of the access issues for some time, and when they discovered the issue and discussed it with the integrator, they were told that the integrator always uses the “keep it simple” process. Really, is that the best security planning and programming for all clients regardless of security needs? Certainly it is not, yet an unknown number of systems were set up this way without the owner’s knowledge.
Another example is where a reliable access control system was in place and was programmed and managed in what could only be considered a “Best Practice.” However, when a vendor performed a systems update they assigned their personnel “ALL” access to the client’s sites without the end user’s knowledge or permission. This was caught when the client performed an audit of their system, which they did monthly. As a side note, the level of access self-granted to the vendor’s staff violated federal restrictions and could have compromised their client’s property and intellectual materials and files.
Key Control
As most security professionals will tell you, the issuing of keys can increase your risks because keys can be lost, stolen, and in many cases copied. The fact of the matter is that employees may not disclose lost keys because many organizations have policies in place that require that key replacements are paid for by the staff person that lost the key.
In many organizations, especially those that have security-sensitive areas, every time that a key is lost, stolen, or not accounted for, they require an immediate re-keying of all locks that the key fits. In one case a complete set of keys (including master keys) was lost by a staff person and the organization re-keyed dozens of locks at a cost exceeding $5,000. The same organization had the same issue a month later, but this time no one reported it to security in order to avoid the costs of re-keying.
For those that believe that stamping a key with Do Not Duplicate will eliminate all possibility of someone making a copy of a key, we would caution you to not use that as your security risk mitigation strategy. With the exception of some high-security keys, you can get a copy made of keys with the Do Not Duplicate stamp on them if you know what you are doing.
Cipher Locks (keypad locks)
These locks can be the weakest link in your access control security system if they are in use on your property. First, there are issues with the codes not being changed often enough. The list of risks and problems for these types of locks is long, but we have included some of the most often noted security risks below:
- Codes can be passed to others that have no need to enter the restricted area.
- Oftentimes the master codes installed by the factory have not been changed or removed.
- In many cases you can locate the door's access code on the door frames, doors, or nearby areas.
Reduce Electronic Access Control Security Risks
There are steps that security administrators can take in order to ensure that their system is properly set up and managed, and below we have listed some of those steps:
First, it is important to state that the initial setup of an access control security system is the most crucial part of ensuring a well-managed system. This initial process will require extra time in the beginning, but if done correctly it will make your ongoing management and auditing less time-consuming long-term.
If the system is an existing program and you did not set it up initially, it is highly recommended that you conduct a full audit of all users, issued cards, access rights, alarm settings and numerous other aspects of the access control security system.
Restrict the number of staff that have access to the system’s software. In most cases this would mean that only the system administrator and manager have access rights to assign access, disable a card, clear an alarm, and issue new or replacement cards.
If you issue cards to vendors or contracted staff you should consider setting expiration dates on the cards and require that the vendor notify you whenever an employee leaves their organization. It is not recommended to allow a vendor or other contracted service to just pass an access control card to a new employee; your organization needs to know who has an access card.
A comprehensive audit of the system should be performed on a regular basis (monthly is preferred), and immediately after any software updates are completed or after an outside vendor has worked on your system.