Determine how to integrate the right level of secure access to the people who need it.
Whether your building has successfully used the same access control system for years, you’re considering implementing a system or there’s been an event (e.g. merger, location or security incident) that warrants a change, now is the right time to evaluate your access control system and procedures. And if you don’t have any in place, consider making it a part of your security plan.
Keep your occupants, tenants and assets safe by having a plan and technology to provide secure access to the right people in the right areas of your buildings.
Understanding that access control is one part of a complete security plan is important, stresses Michael Silva, owner and independent security consultant at Silva Consultants. He notes that other parts to consider include the physical design of the building, complementary security systems and operations, and training for employees.
No matter where you are in your plan or system, there are six key things to keep in mind when looking at strengthening your building access control system.
1. Evaluate Your Access Control System Features
What do you need from your access control system, and does your current setup have that? Many facilities managers will go off how a system looks and verbal information, but don’t really delve into the specific features dealing with the day-to-day challenges they face, warns Sean Ahrens, security market group leader with Affiliated Engineers.
“Don’t just pick a system based on what it looks like, but on what features it has,” he says. When picking out an access control system, consider:
- The areas where a system is needed
- Times it will be used to gain access
- How many people will have separate access levels
- How it fits into any other components you already have in place
“Access is about convenience. More secure isn’t convenient,” Ahrens says. “We want to foster an environment to authenticate access, and let the right people in at the right times.”
2. Determine Your Access Levels
Not everyone needs access to all of your building. Before deciding who should have what access, look at the building itself to determine what areas need different levels of access.
Ahrens suggests taking a map of the building and breaking it down by making certain zones different colors based on the level of access or security that’s needed. From there, decide what level of access that will require, and whether there are any time or date restrictions to it.
“The exterior is the first line of defense to a building, so we need to identify when people can have access to the building,” Ahrens notes.
It might make the most sense for most employees to enter and exit through one main door to be able to monitor easily who’s coming and going. From there, decide which areas different employees need access to.
When setting up an access control system, you need to ensure everyone has the right level of access for his or her needs. It’s important to have a process and protocol in place.
Determining the right level of access for different parts of the building and employees is up to the facilities managers and employee supervisors.
Ahrens suggests organizations have an access form where each employee’s supervisor has to sign off on the levels and areas of access, and times and days the person is in the building. This form should be something that creates a paper trail or digital fingerprint.
“We want someone to validate that, and we want it on paper so in case something ever happens, we can go back to that [supervisor] and say, ‘You’re the person who authorized the access,’ ” he says.
He also encourages automating the process by connecting the access control system to a third-party human resource database so that when the employee quits or is terminated, access is revoked simultaneously.
3. Audit Who Has Access
Ahrens talked about a recent assessment he conducted of an organization with 150 employees that had 600 active cards. To avoid this access bloat, he says facilities managers need to either audit the system or set features to timeout the cards. This can include:
- If the card isn’t used at the building within a predetermined amount of time, access is shut off.
- Self-expire the card. After a certain period of inactivity, turn it off.
- Connect the card to the contractor or human resources databases.
For more stringent control over who’s going into and out of the building and where, Ahrens encourages having people swipe a card as they come into and leave the building to track if, when and where they are in the buildling. Also, if they don’t leave out the correct door, they can be denied access the next time they try to enter.
On topic: The Case for Smartphone Credentials
Giving vendors and third-party employees the right level of access can be difficult. Ahrens suggests creating a third-party database with an owner who enrolls people in it, otherwise there’s no way to know who requires access and who doesn’t. It’s up to the contractor to tell the database owner when they don’t need access.
If that isn’t possible, one way to handle this is assigning cards to contractors with the name “contractor” in the name field so it can be searched. Ahrens suggests about every two to three months disabling all access to contractors, and if they still need access, they can have it re-enabled.
“It can be tough, since many access databases have cards issued five or six years ago for contractors,” Ahrens says. He notes that it’s only going to become more of an issue as more organizations turn to outsourcing for different parts of the business.
For visitors, Ahrens encourages issuing badges clearly identifying them as a visitor that expire automatically at the end of the day.
4. Update Your Technology
Experts agree that 125 kilohertz technology (like proximity readers) shouldn’t be used, and strongly suggest that if you’re using that, it’s time to upgrade. 125 kHz systems can be easily compromised and the cards can be replicated. Building owners and managers need to look at installing encrypted technology instead, Ahrens says.
“Facilities managers and building owners need to keep on top of vulnerabilities,” Silva says. “The whole point of putting in access control is limiting who can get in. If you’re using older systems, it’s time to update.”
He encourages clients to budget for a system upgrade every 10 years, noting that the technology you are using can become obsolete quickly. “When people put in a new system, I suggest they start building into their budget right away for their next system,” Silva says. “Most building owners look at access control technology as a one-time investment, then they’re done, but that’s not true.”
Silva adds to stay current on software and check for updates at least yearly. He’s gone into buildings and found the software hasn’t been updated for 10 to 15 years, in some cases.
5. Perform Periodic Access Control Systems Testing
Just like you would test your smoke alarms in your house to make sure they are working when and how you need them, be sure to test your access control system. All devices should be functioning as expected.
Ahrens notes to pay special attention to the perimeter door alarms. He suggests monthly to quarterly testing, as it’s the only way to know for sure if everything is functioning.
6. Speak Up for Security
While holding the door open for someone might seem polite, it can be risky. The act known as tailgating is an important issue for building safety, and it can be hard to control. “The biggest weakness in access control is tailgating,” Silva says. “Educate people in your building not to hold the door open for people.”
Another way to cut down on tailgating is having multiple layers of security and access points.
Popular article: Implement These Security and Access Control Tips
One thing Ahrens has noticed while being in the field is that if a place has an extremely secure entry system (like a revolving door that will back you out if you don’t have clearance to enter), security is often lax once inside the building.
He finds that often people won’t ask questions or challenge someone in the building because they assume it’s so secure and difficult to get in that they don’t need to challenge the people they don’t know.
“The ID badge is a cornerstone of any facility,” Ahrens notes. “It identifies that you belong here. Without it you should challenge if someone should be there.”
Bonus: Assess Your Potential Security Risks
Look at your current security and access control levels to determine where your weak spots or areas of improvement should be. The Office of Procurement and Property Management with the USDA suggests taking a comprehensive crime prevention assessment. You should ask:
- What’s your target potential?
- What’s the prevailing attitude toward security?
- Who’s responsible for the overall security program?
- How are security policies enforced?
- When was the current emergency preparedness plan developed? (Read how to plan and what to include in “Emergency Management Planning.”)
- What resources are available locally and how rapid are the response times for fire, police and ambulance?
- What kind of physical security systems and controls are presently used?
- Do the available security resources, policies and procedures meet the potential threat?
Michael Silva, owner and independent security consultant at Silva Consultants, suggests owners and managers of existing facilities looking to implement or improve an access control plan, start with a security risk assessment. It will:
- Diagnose problems
- List types of security measures the building needs
- Determine how much you will need to spend
The assessment itself depends on the type of risk the building faces and operations going on in the building. “The hardest part is developing the right level of security to cover all the issues you might face,” Silva says. “You should develop your security plan a little above your risk level, if you need to elevate security at any time.”
If your company doesn’t have a security professional on staff, you can find an external, independent consultant through the International Association of Professional Security Consultants.
Two hand-picked articles to read next: