Have you ever been in a conversation that started with “Do you know who I am?” Typically this conversation starts when someone is denied access, or is challenged in a secured area. This was a recent case with Congresswoman Cynthia McKinney from Georgia. McKinney tried to enter a secured area in the U.S. Capitol, and was stopped when she didn’t present appropriate credentials at a checkpoint. The Capitol Police Officer on the post didn’t recognize her, and stopped her. The rest, as they say, is history.
A basic fact of access control is that for a system to work, two conditions must be met. First, the facility must be secured. While this seems to be a “no-brainer,” I have seen many instances in which a beautiful $300,000 access control system is running at the front doors while the back doors are propped open with a rock. Access control is as much about policies and procedures as it is about equipment.
Access list works
The second condition is that an access list must contain rules spelling out what is required for access. There MUST be an agreement, and this is a management decision, as to who is allowed access and who is not. This list can be specific, listing each individual by name, or it can be categorical. A categorical list can state that “access is permitted for employees, vendors and authorized contractors,” or “anyone with a government ID.” While broad in scope, such a list is usually sufficient for most applications.
The access list is important because “front line” security should NOT be decision makers at an entrance. The officers should instead be in a position to ENFORCE the access decision, not MAKE an access decision. While the difference may appear minor, it is huge.
Access decisions are not made in a vacuum. Communication between security and human resources is important, and must flow quickly. Generally, it is human resources that hires and fires, while security controls access. Often there is a lag between when a person is terminated and when the notice of the termination is communicated to security.
A recent incident at a FORTUNE 500 company involved the hostile termination of an employee on a Friday afternoon. As required by company policy, the employee’s access badge was taken and he was escorted out. Because the termination happened going into the weekend, human resources did not notify security, and the employee was not removed from the database. The employee returned the following day, a Saturday, stated that he “forgot his badge,” was verified to be current in the database, and was allowed access. He spent over six hours on a computer in his old office. Poor policy allowed a bad situation to get worse.
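The access list described above (named and categorical rules, enforced rather than decided at the door) and the termination lag in this incident can be replayed in a small model. This is an added example, not part of the original article; every name, category and time in it is constructed.

```python
# Added example (not from the article): a toy model of the access-list check
# and the HR -> security termination feed. All names and times are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Person:
    name: str
    category: str        # "employee", "vendor", "contractor", ...
    active: bool = True  # set to False once security processes the termination

# The access list: a management decision, written down before anyone is at the door.
NAMED_RULES = {"k.lee"}                                   # specific: individuals by name
CATEGORY_RULES = {"employee", "vendor", "contractor"}     # categorical: whole classes

def gate_decision(db: dict, name: str) -> str:
    """The officer ENFORCES the list: look the person up, apply the rules, no judgement calls."""
    person = db.get(name)
    if person is None or not person.active:
        return "DENY"
    if name in NAMED_RULES or person.category in CATEGORY_RULES:
        return "ALLOW"
    return "DENY"

def apply_terminations(db: dict, notices: list, now: datetime) -> None:
    """Security revokes access for every HR notice that has actually ARRIVED by `now`."""
    for name, notified_at in notices:
        if notified_at <= now and name in db:
            db[name].active = False

def saturday_outcome(hr_notice_delay: timedelta) -> str:
    """Replay the incident: fired Friday 15:00, returns Saturday 10:00 with no badge."""
    fired_at = datetime(2006, 4, 7, 15, 0)          # constructed Friday
    returns_at = datetime(2006, 4, 8, 10, 0)        # the following Saturday
    db = {"j.doe": Person("j.doe", "employee"),     # constructed name, still "current"
          "k.lee": Person("k.lee", "auditor")}      # admitted by name, not by category
    notices = [("j.doe", fired_at + hr_notice_delay)]
    apply_terminations(db, notices, now=returns_at)  # only what reached security by then
    return gate_decision(db, "j.doe")

if __name__ == "__main__":
    # HR waits until Monday: the database still says "current", the gate lets him in.
    print("notice Monday ->", saturday_outcome(timedelta(days=3)))   # ALLOW
    # Notice flows the moment the badge is pulled: the Saturday visit is refused.
    print("notice Friday ->", saturday_outcome(timedelta(0)))        # DENY
```

The gate itself is correct in both runs; what changes the outcome is whether the HR notice reaches security before the next entry attempt.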
One of the major, but often overlooked, pieces of the total access control operation is buy-in from upper management. The lack of buy-in shows itself in the belief that wearing a badge is unnecessary, often because of “status.” I am a firm believer in “lead by example.”