At some point in a security operation, an assessment needs to be made of your access control needs.  Unfortunately, this review generally occurs after an event (“event” is a polite word for “problem”).  While post-event review is important, it’s also important to review the operations on a periodic or regular basis.  Generally speaking, a review of your system will occur for one of three reasons:  after an event, on a regular, periodic basis, and whenever a significant change in operations or property occurs.

This column will address WHAT to look for when reviewing your access system.  The questions are geared toward a building.  Each building is addressed separately, with multiple buildings comprising a facility.  These basic questions will provide a good overview of your operation.

The first two questions address policy and procedure.

How is employee access to their building controlled during normal business hours?  Is it keys?  Access cards? ID badges?  Security officers?  Is it a combination of everything, or is the access open, with no controls?

The same questions go for access after normal business hours - Is it keys?  Access cards? ID badges?  Security officers?  Is there a combination of everything, or is the access open, with no controls?

Reality Vs. Perception

An important issue here is to see if there is a difference in what is supposed to be done as opposed to what is actually being done.  I was recently at a facility in which the access policy was excellent, especially for after-hours access.  The only issue was that the policies simply were not followed.  Policy required that loading dock doors be secured unless the dock bay was “active” -  a good policy.

Reality was that the doors were often left open to allow for ventilation.  Even the best policy is useless if it isn’t followed.

The threat level of the facility will help to determine the methods used to provide access control.  Keys are a basic access tool, but are easily lost, stolen and compromised.  Access cards and/or ID badges are more secure, but are also more costly and difficult to operate.  The threat (or lack of threat) may dictate that no access system is necessary at all.  Match the system to the need.

The next questions address the access control system.

The most basic question is: Is there an access control system in place?  Tied to that question is: Do you really need an access control system?

Understanding your true access needs is important to meeting them.  If there is an existing access control system, does it support different access levels and does it support time zones?  Dividing access into different levels greatly increases security by restricting access to only areas where access is required.

In other words, all employees can gain access to the building, but only those who need access to the 22nd floor get access to the 22nd floor.  Time zones restrict access to specific times of the day.  Time zones can be very general, but still very effective -- for example, students in a school are allowed access from 7am to 4pm, while employees (teachers, staff) have 24-hour access.  The night cleaning crew only has access from 4pm to midnight.  Time zones keep people from wandering around a facility when they have no business there.

ID Card, Badge Concerns

Identification badges will always be an issue.

Are badges issued to all employees?  Is the wearing of badges required, and even more importantly, is the requirement enforced?  The wearing of badges can be a difficult issue.  There is a tendency in upper management to feel that they are “too important” to need to wear a badge.  This is a dangerous precedent.  No one is too important to wear a badge. In fact, the best security management practice is to have everyone, especially the security staff, to “lead by example” and wear badges.  Badges cannot be a partial program; either badges are required for everyone or the program is not effective.  Management buy in is essential to making a badge program successful. 

If badges are required, what is the process to allow access to someone who has forgotten a badge, and what is the process for someone who has lost their badge?  Some facilities will not allow temporary badges to be issued.  If a badge is required, you must have your badge to gain access.  If you forget your badge, you go home and get it.

While this is not a “customer friendly” policy – people generally only forget their badge once.  The issuance of temporary badges brings with it the chance of a security issue.  Essential to the issuance of security badges is a strong policy commitment to timelines.

Where Is It?

The loss of a badge is a problem.  Recently an airport advised me that a $200 fee is required to replace a badge.  This is both good and bad. The extreme fee causes people to take care of the badge, and they are less likely to lose it, yet the extreme fee also makes people hesitant to report a lost badge. 

Take a critical look at your access system and practices.  Ask these quick questions on a regular basis to see if your access procedures are effective.