The Benefits of Trading Keys for Cards
How many key cards does it take to open a door in Hennepin County, Minnesota? Thanks to Kirk Simmons, just one.
Hennepin County’s 100-plus buildings used to have multiple access control systems, which led to a single worker needing – depending on job functions – seven or eight access control cards, plus an ID. Simmons, Security Manager for Hennepin, is working to reduce the number of badge designs from 17 to two or three, so that access cards function as ID cards, consolidating the amount of equipment at large.
Like every public administration, managing ID/access badges in municipal security comes with significant challenges. For one overarching security division, badging thousands of employees in several hundred different facilities can prove complex. According to Walter Chan, Supervisor of Corporate Security in the City of Toronto, there is no one-size fits all, cookie-cutter template to government ID/access badges.
“I oversee access control and access/ID management infrastructure in more than 1,000 city-owned and operated facilities – from daycare centers, animal shelters, long-term care homes, court services to critical infrastructures like water and wastewater facilities, a consolidated data center, Toronto’s City Hall and Civic Centres,” Chan says. And those facilities offer different types of City services, so the ID/access badges not only need to be functional, but badges should enhance and integrate the delivery of those services.
“Corporate Security works with the various City divisions to come up with badge designs that work within their operational environment, so it’s more likely that employees will actually want to use their access badge and wear it while they work.
“We work with the divisions to understand the types of people requiring access to their facilities and for how long,” he says. “For example, we have some divisions, like Toronto Water, that operate with a large contingent of contractors, while the Long-Term Care Homes have a large contingent of volunteers – while we try to streamline the access/ID management processes, the actual badge designs may differ.”
However, while Simmons is consolidating the number of card designs, he is trying to diversify the uses of that single badge.
“We’re working with IT to add time reporting, fax and printer access, and possibly even using IDs as pay-cards in the cafeterias,” he says. “We want employees to treat it like a piece of equipment, not just a badge. It might increase card costs, but it will add convenience.” He adds that while he is not 100 percent clear on what those added functions might be in the future, he wants a card that will be scalable and integrated to achieve maximum convenience value.
Convenience isn’t the only use for combined badging and access control systems in Manchester, N.H. Ronald (Red) Robidas, Security Manager for the City of Manchester, weighs the necessity of public access versus secure inner facilities for every government building in his jurisdiction. Schools, especially, can prove to be a challenge as Robidas cracks down on the number of uncontrolled keys.
Prior to installing a functioning electronic access control system with ID card keys, Robidas’ team discovered a group of adults playing basketball in a school gymnasium. A former coach gave them a key to the building five years before, and they had been playing ball there every weekend since.
So now, while most employees still have access through their IDs, badge sharing is not tolerated and not often successful. By assigning access by time schedules, user profiles and job function, it can be fairly obvious when someone is where they aren’t supposed to be, Robidas says.
Depending on the employee’s function, access is also dependent on passing certain background checks, he adds. Employees working with children – including in schools, social work or other activities – and financial information are not issued IDs until they pass background checks, a practice required even of interns and volunteers.
Simmons is also working to reduce the security department’s workload by divvying up some of the card-issuing responsibility to the departments. Each major department has a “card contact” that manages access control input, but the security department still prints the cards. Departments work as individual businesses, Simmons says. If security were to be single-handedly re-badging all of Hennepin County, he adds, the department would need several new staffers. But the decentralized program keeps costs down, increases department ownership and keeps thousands of phone calls out of the security department every year.
Reaching Beyond Federal Government Requirements: HSPD-12 and FIPS 201
By April Dalton-Noblitt, Ingersoll Rand Security Technologies, Director-Vertical Markets
State and local codes apply to all state, county and municipal government security purchases and installations, both public and private. But did you also know that federal regulations and ID standards may also apply?
Two Primary Programs Apply…HSPD-12 and FIPS 201
Homeland Security Presidential Directive 12 (HSPD-12) is fueling smart card use in the government and accelerating adoption by large enterprises. HSPD-12 seeks to establish secure and reliable identification for all federal employees and contractors.
This directive ultimately has huge significance because state and local governments, as well as first responders, will need to convert to federal government-compliant smart cards in order to follow the initiatives. Private contractors must follow.
To meet the HSPD-12 requirements, the National Institute of Standards and Technology (NIST) published a standard for secure and reliable forms of identification: Federal Information Processing Standard (FIPS) 201. Remember that cards that are solely contact or contactless cannot be considered to be compliant with the FIPS 201 Personal Identity Verification (PIV) standard. In fact, there are very specific standards required for the contact and contactless combination smart card. The card reader, though, is a different matter.
At one’s facility, the only card reader requirement is to be capable of reading the FIPS card and communicating with the access control system. Facility managers can install any brand of reader that is FIPS-compliant.
Where You Can Get into Trouble
A mixed population of old proximity credentials and new PIV II credentials often will be unavoidable when pursuing an upgrade path to FIPS 201 compliance. Most organizations want to avoid installing two different types of readers to accommodate a transition. Select multi-technology readers that are compatible with FIPS 201 PIV II credentials and popular proximity, magnetic stripe and smart card technologies. Reading multiple existing card types and PIV II cards simultaneously is a tremendous benefit for painless transitions.