Determining and Implementing Successful Access Control Solutions

January 1, 2009

Today, the key phrase in security is convergence: the convergence of physical security systems, the convergence of logical and physical security and the convergence of corporate processes to ensure compliance. CSOs in every industry have to protect massive amounts of electronic and paper information, secure virtual as well as physical infrastructures, and monitor the actions of employees, vendors and visitors for regulatory compliance.

The control of access and the authentication of identity play a key role in security convergence. However, all too often, the fundamental principles associated with access control and identification are overlooked.

These fundamental principles are not always emphasized in the design and implementation of security programs. I am reminded of this myself when I periodically guest lecture at a local college for introduction to security and security management classes. Not only do I enjoy the opportunity to stand up in front of a group and educate them on security practices, but teaching basic principles also gives me the opportunity to reflect upon and review my own programs to ensure basic principles are adhered to.

Assess and Establish Access Control

All security practitioners should conduct a survey to determine if basic access control principles are present within their security program. These principles are important to consider because they establish a strong foundation for all other programs incorporated into the access control process. Establishing programs with a weak foundation can only lead to weak systems, which can become overly complicated and ineffective – something to strongly consider in this current economy of shrinking budgets and increasing crime.

The access control process can be broken down into four basic components: people, policy, procedure and physical security systems. Each component is important to consider in the creation of a comprehensive access control program. So, whether protecting digital information on a network or identifying visitors as they enter a facility, the management of these four elements helps to establish a solid foundation for the access control process. They will facilitate the restriction and monitoring of access, the detection of unauthorized users and the proper channeling of authenticated personnel into authorized areas.

The single most prominent principle to consider when designing or evaluating access control is the notion of “Concentric Circles,” security systems constructed in layers. Layers can be physical barriers like fences, doors, windows, walls or door locks. They can be electronic systems like card readers, intercoms or security video.

Layers can be security officers posted at an entrance, a receptionist behind an information desk or armed personnel patrolling the grounds with an attack dog. They can also be the creation of a policy statement and the implementation of a procedure. What is important to remember is that no single component can effectively control access; it is the coordination of several systems or components working together that creates a controlled security infrastructure.

Development and Implementation

When developing and implementing physical access control layers, the principle of “Crime Prevention through Environmental Design” or CPTED should be utilized. CPTED looks to change the physical environment to stop or channel people in order to monitor, restrict or control their access. Utilized correctly, CPTED controls the physical environment to create barriers that can be difficult to breach. The advantage to using CPTED is that environmental manipulation provides consistent control within the parameters of the physical elements being utilized to control access.

Layered security also means policy and procedure. As part of any solid access control program, a strong policy statement along with a tested procedure adds value to the security strategy. Policies should be written to make a statement about the security philosophy and the process being instituted. A procedure should be outlined within the policy statement that details the particular elements of the process being implemented. The process should be designed to coordinate and support the physical design elements being utilized through CPTED. It is important to have alignment among process and physical security.

The most important element in the implementation of basic access control is compliance. Are the layered systems put into place working as designed? Compliance is the confirmation of processes, the verification that policy and physical security work together to consistently and effectively provide the designed access control. Compliance practices should be instituted that continuously monitor access control systems to ensure they are working as specified. Ensure that your security staff consistently screens visitors as outlined within the policy, and make sure the procedure written within the policy correctly states the process being carried out by the security staff.

Finally, the installation of layered security should be done with one philosophy in mind: Keep It Simple. The proliferation of layers can create a complicated and ineffective system in which end-users look to bypass security features so they can function effectively within the corporate environment. Security systems should not be in conflict with the corporate culture. The installed processes must provide security without supporting a prison-like environment.


Recent Articles by Bernard Scaglione
