No announcement yet.

What is the criterion for electronic access control technology?

  • Filter
  • Time
  • Show
Clear All
new posts

  • What is the criterion for electronic access control technology?

    In the pharmaceutical industry we have various areas where restricted access in necessary. We also have various functions (R&D, IT, Legal, Marketing, Finance Etc... ) and unfortunately management does not have any concept as to why we install electronic access systems to a particular space.

    We make an effort to lock down the building & various offices using an electronic access control system & your conventional lock & key issuance. But, what are some of the guidelines you use when a manager from another department requests access control technology?

    I'm interested in reading your input.....


  • #2
    Access Control

    There is no set criterion. With that said, there are some best practices that can be used to design an effective electronic access control (EAC) system.

    One of the first things to look at is their budget. How much do they want to spend? It is real easy to over design a system and those with large budgets will often to that to the detriment of the business unit affected by the system. Too much access control can be a burdon and arriving at a balanced approach is a challenge, but we as security professioanls should strive to do exactly that.

    All to often, companies will hire an outside firm to design and install their access control systems. This occurs mainly with companies that do not have their own in-house security staff with the requsite physical security experience and knowledge of the technologies that are available to accomplish what it is they want accomplished. A security vendor worth their salt will not over design a system for the purspose of driving up their bottom line. In-house security personnel need to know what it is they want first before even calling a vendor in and letting them tell you what you need. Atleast have an idea of what it is you need before proceeding.

    This leads me to my next point. Identify the customer's needs. In your case you say that there are areas within your company that are deemed restricted and you must lock those areas down. I understand that point and I assume that management understands why certain areas need to have the EAC devices installed. As for the other managers, they want access control installed for the mere convenience of having it. In my company, the customer bears the cost of having such devices installed. It's their money. If they want to spend the thousands of dollars to have prox card readers, conduit, door strikes and in some cases, gates, trenching, installed then they can have at it. I think you may be able to make a case against it once they see how much money installing such a system can be. Esspecially if they are expected to pay for it out of their own budgets. Locks and keys and an effective key control policy may be just as effective for the majority of access control needs.

    Secondly, your facilities services manager may have an issue with having too much electronic access control installed throughout their buildings. You must work hand in hand with them to garner their support in limiting EAC just to those areas deemed truly worthy. Securing your perimeter should be your first concern. Your main entrances/exits, etc. Then move to the interior of the building. In a company such as your's, I can see a need for having the areas you outlined locked down with EAC. I have experience where we install systems just for the purpose of convenience and there becomes this appearance of security, but the system is not there for that reason. You will find doors left ajar; employees forget their badge and borrow someone elses to move about, the list goes on.

    I understand your concerns too. Once you open up pandora's box, everyone will want there own little EAC and who has to manage the system; you do. Who has to maintain the system, you do. Who gets called by a manager when they want to use the EAC like it was an employee time clock to track their employees whereabouts because they are to busy or lazy to manage their own employees, you do.

    I think you are on the right track. You main challenge will be learning to say no to those mangers that insist on having EAC and if they persist; make them pay for it! Good luck.


    • #3
      We add security control to the Manager (Director) of the area. If someone needs access to an area, permission is gained from that department Manager first by the requesting employee. Either that Manager will walk them through or send a request to Security for an addition to the access list.
      Quote me as saying I was mis-quoted.
      Groucho Marx


      • #4
        At our facilites, we're using electronic access control via key cards. Everything is controlled by a central server which is about 2 feet away from me at this very moment. Keep in mind, this is nationwide, so we control the cards in New York from here in Chicago.

        For areas that are semi-secured, a supervisor is needed to make the request for us to allow access to a certain person. Some departments, such as HR, the HR manager must grant that clearance.

        Now, if I'm reading your question correctly, your asking if a particular department WANTS access control that currently doesn't have it? They better make a pretty strong case for needing it, considering it's pretty expensive to install.


        • #5
          EAC criteria..

          Appreciate the feedback,

          MDB: You pretty much covered the global issues concerning EAC in the corporate environment. But, I for one would like to make an effort to change this approach.

          In the past, if a function (department) contacted me requesting electronic access, I would simply schedule my vendor to supply me with a proposal and basically pass on the costs to the requestiing manager. The theory is, you pay for it... You get it.

          Consequently, as you alluded too:

          "Once you open up pandora's box, everyone will want there own little EAC and who has to manage the system; you do. Who has to maintain the system, you do. Who gets called by a manager when they want to use the EAC like it was an employee time clock to track their employees whereabouts because they are to busy or lazy to manage their own employees, you do".

          Bottom-line, I began pushing back... My mission is to maintain the integrity of our system. Not just, hand-over an invoice. I want to know Why? I want to understand the security risks, the objective, expectations & concerns etc...

          At times, I'm just bewildered.


          • #6
            In our facility we the security department make employees electronic access badges, HR lets us know what access points each employee gets, gates, computer rooms etc. We also can control access times (ex. 7 a.m. to 4 p.m.) should an employee need access to another area (tool cribs, supply rooms), we document it in an incident report fully detailing the case. In some instances department managers will be called to verify, a lot is common sense also.


            • #7
              Also, "access control" is not only, or even always best, accomplished by means of electronic systems. Policies, procedures and employee vigilance training also have a role to play, as do simple doors with locks!

              I know of a facility, for instance, that uses color-coded badges for both employees and visitors, that correspond to the areas where they are allowed to be. One color is also coded for universal access. Everyone in the company is trained to notice anyone who is in the area without the requisite colored badge and to politely find out what they're doing (might be a new employee who's lost) or report to security if they have no business in the area. It sounds low-tech and "unsexy" when I describe it, but it has been amazingly effective, and not a single wire was pulled or system installed (except the badge system) to implement it. The company also uses an escort system whereby a visitor will wait in the lobby until someone from the department where they are going comes to get them...again, nothing electronic, but effective.

              Obviously, some situations do require the capabilities of electronic systems. When such is the case, one of the parameters that must be specified is what will be the acceptable rate of system errors, meaning false-positives (bad credentials accepted) and false-negatives (good credentials rejected). Such errors are inherent in all systems, but some more so than others. And, you will then need to formulate a way to recognize and respond to such system errors when they do occur.
              Last edited by SecTrainer; 11-26-2006, 11:43 AM.
              "Every betrayal begins with trust." - Brian Jacques

              "I can't predict the future, but I know that it'll be very weird." - Anonymous

              "There is nothing new under the sun." - Ecclesiastes 1:9

              "History, with all its volumes vast, hath but one page." - Lord Byron


              • #8
                Well said SecTrainer, electronic systems are force multipliers not force eliminators. A well rounded security education and motivation training program as part and parcel of the company's security plan is essential. Everyone from the most senior person in the company to the person who sweeps the floor has a part to play in the security of the company and its assets. Visitors, vendors and utility personnel should be briefed on what is expected of them in the maintenance of a good security atmosphere.
                When thinking about retrofitting a facility for installation of an electronic system compatability studies must be made. What portions of the physical plant must be upgraded to support the proposed system. Few security managers have a true grasp of the magnitude of this endeavor. Sadly, even fewer in senior leadership have a true grasp.
                When a systems engineer tells leadership the system is the answer to a maiden's prayer and will work in any environment out of the box, no preparation necessary, run for your life as you are preparing to buy the "horse" you really don't want to ride.
                Enjoy the day,