Access Control - The Bottom Line!
September 22, 2008
By Frank Faulk IV, CPP
I find myself performing Security Surveys, Physical Security Analyses, Risks Analyses and Vulnerability Reports for many new clients each year. I go through each process very methodically using my own comprehensive outlines, so I don’t miss much. After almost twenty years of writing such reports, I can honestly conclude the most common problem for the average client is poor access control.
Nothing is more important in reducing risks of theft, injury, and mitigation of liability than controlling ingress and egress at your facilities.
The security hardware vendors want you to believe that their Electronic Access Control Systems are the ultimate answers to your problem. Identification Card vendors are beating their drums for better recognition with unique card graphics, embedded electronic access data and digital pictures that make users easily identifiable. The parking management companies offer what they consider the panacea solutions to access control.
What do you need to know about access control? First, that the above items are only parts of a complete access control plan.
The first items one should study when looking at your access control system are, funny enough, people. Divide that group into executive and management employees, vendors, service company employees, shipping and receiving personnel, and customers or guests.
Next comes vehicles; again, classify these for customer or guest parking, employee parking, perhaps management parking, vendors and service companies and, once again, special provisions for people in your shipping and receiving departments.
Then review the facility itself: doors, windows, locks and key control, Closed Circuit TV (CCTV), alarm systems and electronic access control systems. Don’t forget about computer security and access, individual log-ins, tracking, enhanced authorization and encryption.
Finally, you must carefully consider each process that involves the flow of humans, vehicles, products; after that, paper flow and data flow of sensitive, proprietary information should be vigilantly reviewed to inspect for vulnerabilities and practical solutions.
In a recent survey, the client had installed a small electronic access control system on the entry doors to the facility and the data center. The employees were appropriately categorized and all of the user access levels were appropriate. The sole outstanding vulnerability to the system was the system itself; it was on a dedicated computer in a multi-user office to which any and all employees were given immediate access. Incredibly, on this so-called security system, the user name was the default and the password was the default and always logged in - - - so anyone could make changes without any tracking! That’s like building an expensive, man-proof fence around your back yard, except for the last 4 or 5 feet. And in our business, we’ve even seen that, too.
As you’re probably well aware, volumes of information are readily available on everything we’ve mentioned thus far. But all facilities, even separate buildings belonging to the same company in the same general space, are unique. That’s why the nearly intangible element of the human eye and instinct brings another level of security to your access control plan when you place that responsibility in the hands of experienced experts.
In this day and age of tough economic times, another important segment of access control analysis is to provide estimated budgetary requirements for each item listed in your report; whatever may need modification or correction, replacement or installation should be carefully budgeted as closely as possible for those approving the expenses. In doing our homework in this regard, we recommend pricing various vendors with whom we’ve already worked and bringing in additional cost estimates from other vendors offering similar components. To be on the safe side, adding a 15% to 20% cost buffer to a final report is the best assurance the client won’t be disappointed when the job is brought in and the final invoice is received.
We always present these security survey bullet point items in their order of importance to the integrity of the system, rather than the cost.
Senior Management, those who make the decisions on what to buy and what to leave behind due to expense must be able to rationally and easily evaluate the “return on investment.” Regardless of the veracity of our suggestions and no matter how certain we are that what we’ve proposed is the correct course for the “end user,” every firm has to justify these cost figures in its overall business plan. The more we show our clients every aspect of the cost-to-benefits ration, the incalculable and almost intangible savings that could result in building and maintaining safe access control, the more likely they’ll understand it is money well spent.
No matter to what extent companies go to prevent unwanted access by thieves, competitors, or hazardous intrusions of any kind, it’s important to remember that, after reviewing all the electronic marvels on the market today, probably the simplest and most cost-effective precaution one can take is to see that every employee is involved in maintaining a safe and secure work force and work area, and through Employee Awareness Training and empowerment of the work force to get involved in daily security at work, even the most skilled intruder can be stopped in his tracks.
And that’s the bottom line.
About the Author:
Frank R. Faulk, IV, CPP is board certified in Security Management; as Certified Protection Professional (CPP) by ASIS International (formerly the American Society of Industrial Security) and is a Computer Forensics Expert. As Manager of Technical Services at Diversified Risk Management, Inc. Mr. Faulk is responsible for conducting comprehensive forensic computer investigations, and performs physical security surveys. He is a longstanding member of the Security Analysis & Risk Management Association and is currently a Board member of the San Fernando Valley ASIS Chapter. Mr. Faulk can be reached at 800.810.9508 or by e-mail.