An Independent Perspective on implementation of Access Control Systems

An Independent Perspective on implementation of Access Control Systems Access Control Systems can have a major impact on the security and daily functioning of an organization. This article outlines fundamental issues to be taken into consideration by system purchasers. There is a well-known process that most people go through on the loss of a loved one: anger, denial, bargaining, depression and finally acceptance. Similar reactions arise when a large organization embarks on installing a comprehensive access control system. However, once acceptance is reached, which often takes one to three months, a reversal of attitudes is frequently seen. Instead of the standard curse when a cardholder approaches an access control card reader operated door as seen prior to acceptance, a sense of protection is acquired. Access control systems are complex and they need to be carefully planned to ensure effective integration into the business operation. As always in large technical projects, the technical problems can be difficult to overcome, but not always the human ones. When thinking of introducing an access control system, one needs to bear in mind several key points. These card access systems can cost a lot of money and take up a large amount of company time, and 95% of access control systems are not security systems per Se, they only restrict access to persons exhibiting normal acceptable social behaviour. If you are looking for security you need to think of full-time monitoring and effective responses to system alerts. This means labour, in-house or contract, which if it is not already present in some form or another can cost more than the system. The hardware is only part of any solution, with large installations the purchaser needs to input a lot of man-hours during the installation to set up the system in a way that best suits his or her organization. There is also the production and issue of keys/identity cards/tokens/pin numbers and the on-going operational maintenance to provide for. Access control systems can provide many benefits apart from the obvious, good installations have been shown to produce significant changes to the working culture in the work place, as they tend to make (or force) employees to be more accountable and protective of their employer's property. The Right Approach There is typically a choice of three routes to installing an access control system. You could approach several suppliers for proposals or use an in-house engineer or consultant. However, consideration should also be given to using an experienced external access control consultant to produce the necessary advice and documentation and to guide you through the steps. As in most industries, the response to detailed professional documentation that is clear in its objectives and reduces risk for both purchaser and its suppliers is met with very competitive prices, and a strong desire to win the contract. The penalty to the purchaser for not getting the right person on-board at the start of a large installation can be high. The impact the system may have on the operation of an organization should always be fully analysed and understood. The right approach involves consideration and acquisition of the following: - appointment of an in-house project manager/ co-ordinator, - appointment of an external independent access control consultant, - a risk assessment, (There is no point controlling the front door if a back door route is open.) - asking for strategy proposals with detailed - recommendations and budget estimates, - board approval, - designs, specifications, contract conditions, tender - lists and documentation, and job descriptions, - tender appraisal (short term & long term) - negotiations and award of contract, - regular project meetings and site supervision, - ensuring the factory and on - site acceptance tests and tests at the end of the defects liability period are thorough, - negotiating a fair and reasonable maintenance contract. During the tender appraisal stage of a contract for a new integrated system, it is worthwhile visiting other organisations who have had similar access systems installed whenever possible. In one case, an installation presumably considered as a show site by one of the favoured tenderers, was visited by the potential client organization. After the visit it was reported that, technically, the installation looked really professional, but that for all the money spent on it, the access control system was only being used at night when there was nobody about. Was the above system planned thoroughly in advance of the installation and was it introduced correctly to meet the organisation's objectives? Without the proper operational support, such access systems are often switched off for good after a few weeks! Security Management Systems Access control systems are often part of an integrated system. Integrated systems can reduce the diversity and complexity of a possible multitude of different building functions down into a single manageable system. Where there are building critical functions, auditing becomes very important. If this is structured correctly in an integrated system, management functions can be greatly streamlined. Secure auditing of key building services' alarms can be great added value to facility managers. Built into the software of many of the systems available include features that allow the printout of lists of people within an area or building at a particular time. This can be important during emergency evacuations. Some software packages have fully developed roster or mustering features. Guard tours packages are also common allowing guards to be tracked while patrolling a pre-arranged route. Reports should always be readily available. From the mass of system activity, data managers should be able to request reports on just about anything they want, in many cases that may be reports on just exception incidents. Large integrated systems are therefore management systems first and foremost and are therefore often referred to as security management systems. A well-planned system will not only monitor and control inputs from various systems; it will also monitor the performance and activities of the operators or guards. This introduces the key issue of "accountability" which is of course essential to high security installations. Purchasers should be advised not to show-off their contractual purchasing power by demanding unrealistic timescales from suppliers, as it will cost more in the end - possibly a lot more. To get your Total Cost of Ownership (TCO) over a number of years your budget should include not only the tender price for the equipment installation, but civil works (especially for inter-building ducting, turnstiles and car parking units), electrics, alterations to rooms (e.g. control rooms), doors, gates etc., security consultancy costs, in-house project team, training and operational costs, increased number of contract operators and on-going maintenance costs. Control Rooms and the System Interface If an organization introduces 24-hour manned guarding or security monitoring where the guards are expected to respond efficiently to security, fire, access and prime building function alarms, the alarms need to be presented in a manner that allows them to do so, and in an environment that encourages it. Where alarm panels are wall mounted around a tiny room and the guard bombarded with alarms in an unstructured way, he/she may miss a critical battery low alarm or worse. Discrimination against security personnel is still widespread, and security staff with low morale do not, in general, perform well under any circumstances. I have witnessed an (apparently) trained guard at the main data processing site of a large UK bank panic and fail to respond correctly with a (deliberately operated) security alarm because the circumstances were different from normal - he was being watched by visitors. Give the security personnel appropriate working conditions and effective equipment to use and they become pro-active, gain a higher profile within the organization and try to continually improve site security. Remember that the security control room is a good indicator of your security. The most important part of any access control or integrated system is the user interface. Training of users is essential, but access control security systems still have to be designed in such a manner that they more or less instruct the user what to do. Equipment and Suppliers The majority of complex access control systems software is written in North America and are supplied and installed by large or specialist security companies. Don't expect them to tell you what you need. In many cases I have found sales representatives do not really know what they are selling and what impact the system may have on the operation of an organisation. Your business is unique and the pressures applied to system sales forces these days do not give them time to fully analyse or understand your needs. Insufficient training, new products and system upgrades coming too fast are all too common problems for system integrators. Unless you insist, the supplier's personnel who most understand their company's products will not normally have much contact with the client until after the sale is made. Demand for engineering time for commissioning or rectification of badly sold or poorly specified access card control systems is high for many suppliers. Door Entry Technology There are many terms for the various types of technology used for gaining entry, these include; hands free, proximity, card swipe, card scan, biometric and keypad. The ones attracting most interest at present are biometric and smart card proximity type. Door holding/locking mechanisms come in all shapes and sizes; however, certain types can be overcome quite easily if the design is not thorough. During a security audit at one large organization, the Departmental Manager was shown just how easy it would be to come back later that evening, pass through the doors and clear out the entire department without the need of force or a valid card and without raising an alarm - and the doors had good quality electric locks fitted! Biometrics Biometrics access control is based on the verification of a person wanting access through an access portal by identification of a part or physical characteristic of the person wanting access. Biometric access control has largely been developed to overcome the problem with card reader access control systems whereby when a card is presented to a card reader, the card reader verifies that the card is the right card; it does not verify that the holder of the valid card is the valid cardholder. None of the current biometric access control systems on the market have reached their goal of achieving 100% reading accuracy. However, development has now reached a stage where practical uses for biometric reader systems are justifiable for particular applications. Fingerprint biometric identification systems are the current market leaders of biometric access control systems. The major drawback today with fingerprint biometric access control systems is the time required to verify fingerprints in large databases. This is typically dealt with by giving users an access card as well, so the biometric reader system only needs to check the fingerprint against one record. The technology currently receiving most attention in the aviation industry is facial recognition with its functionality being non-intrusive and passive. Iris recognition technology is also growing fast with good accuracy of readings. Retina recognition still suffers from people's apprehension of putting their eye up to an electronic device. Signature verification is still around. Mainly being used by governments and the military. Hand geometry biometric access control is still remaining a good seller, but appears to be losing its market position. Voice verification biometric access control still has some way to go to catch up with the other technologies, but in the future it is likely to become very important in telecommunications. Smart Cards Smart access control cards are typically plastic ISO standard cards with an embedded chip and aerial. Certain smart cards have surface contacts showing, currently preferred by banks but they are not popular for access control readers where throughput is important. System Design Many of the system structures being adopted today by system designers are following the fashionable trends of modern networks, which is not always desirable for security access card control systems with life-critical or business-critical functions that require built-in redundancy. Care also has to be taken if the system is to sit on an existing network. The requirements to ensure the integrity of the system can often fly in the face of existing IT policy. Also, if you start sending large numbers of photograph images or database restorations around a network, there are bandwidth considerations. Testing Acceptance testing should be very thorough against the requirement specification as very few (if any) integrated systems are independently tested. In-house design staff normally carries out most testing with the usual pressures for fast market returns. I'm sure most suppliers would welcome independent testing, as it would solve a lot of their installation problems. Again it's the speed at which new releases and upgrades are brought to the market that makes it difficult and expensive. Until there is user demand across the industry, it is unlikely suppliers will consider it as giving their products a commercial advantage. Standards and Legal Requirements For standards and legal requirements see - www.herrald.co.uk/acce ss Conclusion The decision to install a large access control system can have far reaching consequences and any implementation should be carried through in the same professional manner as any other major business-critical system. * Need content? You may use this article at your website, or in your newsletter. The only requirement is inclusion of the following sentence with hyperlink: Article by Gordon Herrald of www.herrald.co.uk , independent and international security engineering consultancy.