The control of access and the authentication of identity play a key role in security convergence. However, all too often, the fundamental principles associated with access control and identification are overlooked.
These fundamental principles are not always emphasized in the design and implementation of security programs. I am reminded of this myself when I periodically guest lecture at a local college for introduction to security and security management classes. I enjoy not only the opportunity to stand up in front of a group and educate them on security practices, but teaching basic principles gives me the opportunity to reflect upon and review my own programs to ensure basic principles are adhered to.
Assess and Establish Access Control
All security practitioners should conduct a survey to determine if basic access control principles are present within their security program. These principles are important to consider because they establish a strong foundation for all other programs incorporated into the access control process. Establishing programs with a weak foundation can only lead to weak systems, which can become overly complicated and ineffective – something to strongly consider in this current economy of shrinking budgets and increasing crime.
The access control process can be broken down into four basic components: people, policy, procedure and physical security systems. Each component is important to consider in the creation of a comprehensive access control program. So, whether protecting digital information on a network or identifying visitors as they enter a facility, the management of these four elements helps to establish a solid foundation for the access control process. They will facilitate the restriction and monitoring of access, the detection of unauthorized users and the proper channeling of authenticated personnel into authorized areas.
The single most prominent principle to consider when designing or evaluating access control is the notion of “Concentric Circles,” security systems constructed in layers. Layers can be physical barriers like fences, doors, windows, walls or door locks. They can be electronic systems like card readers, intercoms or security video.
Layers can be security officers posted at an entrance, a receptionist behind an information desk or armed personnel patrolling the grounds with an attack dog. They can also be the creation of a policy statement and the implementation of a procedure. What is important to remember is that no single component can effectively control access; it is the coordination of several systems or components working together that creates a controlled security infrastructure.
Development and Implementation
When developing and implementing physical access control layers, the principle of “Crime Prevention through Environmental Design” or CPTED should be utilized. CPTED looks to change the physical environment to stop or channel people in order to monitor, restrict or control their access. Utilized correctly, CPTED controls the physical environment to create barriers that can be difficult to breach. The advantage to using CPTED is that environmental manipulation provides consistent control within the parameters of the physical elements being utilized to control access.
Layered security also means policy and procedure. As part of any solid access control program, a strong policy statement along with a tested procedure adds value to the security strategy. Policies should be written to make a statement about the security philosophy and the process being instituted. A procedure should be outlined within the policy statement that details the particular elements of the process being implemented. The process should be designed to coordinate and support the physical design elements being utilized through CPTED. It is important to have alignment between process and physical security.
The most important element in the implementation of basic access control is compliance. Are the layered systems put into place working as designed? Compliance is the confirmation of processes, the verification that policy and physical security work to consistently and effectively provide the designed access control. Compliance practices should be instituted that continuously monitor access control systems to ensure they are working as specified. Ensure that your security staff consistently screens visitors as outlined within the policy, and make sure the procedure is written within the policy correctly, stating the process being carried out by the security staff.
Finally, the installation of layered security should be done with one philosophy in mind: Keep It Simple. The proliferation of layers can create a complicated and ineffective system in which end-users look to bypass security features so they can function effectively within the corporate environment. Security systems should not be in conflict with the corporate culture. The installed processes must provide security without supporting a prison-like environment.