Common sense
As Voltaire once quipped, “Common sense is not so common.” Access controls should allow an organization to consciously control access to its facilities, which, simply put, means every way of entering the facility should be controlled. Most firms do a good job at the obvious places where high volumes of people enter, such as the front door. However, much more attention needs to be given to the door that is propped open in the middle of the day or late at night to let some air into the facility. It is not only employees who know that this is an easy way in.
How vulnerable?
A standard part of any site vulnerability or risk assessment is to come to the facility unannounced. In 10 years of doing assessments this author is still surprised by the high number of facilities that we are able to get into. My favorite is to come around 10:00 p.m., when the janitorial crew is cleaning up. We often find a door propped open with no one in sight. Easy pickings. The point here is that security personnel need to regularly conduct risk assessments by showing up unannounced and finding what we find – a lot of violations of their security procedures, or practices that are contrary to effective access control.
Security and access control need to be aligned with the organization’s business strategy. For example, any public entity must have public access to its facility, whereas a top secret skunk works operation must carefully scrutinize every person’s entry through several layers of security.
Organizational culture
Security professionals too often focus on creating draconian policies and procedures to direct people’s behavior; a much more powerful way to control behavior is to create an overarching set of principles that are embedded in the culture to create self- and peer control. Lou Gerstner, former CEO of IBM, put it best when he said, “I have learned…the importance of articulating a set of principles that drive people’s behavior and actions. And that’s a much more powerful leadership tool than a bunch of procedures and guidelines.” An area where this is directly applicable is the concept of creating a security-conscious work environment, where every employee becomes an extension of the security department because they understand the nature of the issues the firm faces and the impact their behavior can have. A company will never achieve this level of commitment and behavior simply by creating more and/or better policies.
Not that policies should be forgotten; far from it. But once a company has completed the creation of a masterful set of access control policies and procedures, its work is not finished. Warning – if the policies are not integrated and in alignment with safety, human resource and, of course, legal requirements, those policies will amount to nothing more than a waste of time.
Companies should work closely with the training staff to bring the policies to the masses in a way that employees not only learn what the correct procedures and guidelines are, but, more importantly, in a way that they will be remembered or easily accessed as a reminder. For a policy to be effective, it must be communicated, understood and followed. It is security’s job to make sure this happens.
There is no shortage of technological tools to choose from in today’s security-conscious environment. The key is to match the technology to the organization’s needs and to remember that “form follows function.” First, be very clear on the function and the outcome to be achieved, and then choose technological solutions that fit it. Don’t be fooled into believing that the technology can drive the business where it needs to go and that the business will eventually catch up, as this rarely works.
In the end, an effective access control program is one that is well thought out, based on the business realities of the organization – a program that appropriately aligns with the overall business strategy of creating a safe and secure work environment.