SecTrainer a few things come to mind:

The proper use of "fail safe" and "fail security" designs. Nothing like getting into a secure space when the fire alarm is activated.

Site selection may require ferrite beads or RFI gaskets to disapate static electricity and radio frequency problems.
Remember the Navy's experience when special stores bunkers opened when a ship running active radar ran up the channel?

Opening mechanics of grounding to activate as opposed to positive current release.

Unshielded low voltage conductors too close to AC conductors upon which an AC voltage is injected.
Nothing like the protected spaces looking down the throat of a microwave tower bounced around by side-lobe propagation.
Hope this is helpful,
Bill

Bill - thanks VERY much for those analogies/examples.

I'm not familiar with your reference to the ship radar incident(s), however. Would you mind elaborating?

Thanks!

SecTrainer in 1975 a destroyer was sailing up the channel to its berth. Passing along were locked magazines whose doors were opened by the radar's signal strength. The large sign before entering the channel told the craft's operator entering to turn off active radar.
This caught all government agencies, the private sector and device manufacturers off balance. After they figured it all out, device makers made required changes to their hardware for the user community at large for specific clients modifications were sent with the gear. Retrofiting for already installed gear really jumped into high gear. The military and other governmental laboratories put forth maximum effort to solve this and like interference problems.
You see problems like this when visiting places where security screening is employed.
PM will name the exact location.
Bill

Got it, thanks.

Makes you wonder if these days they couldn't use some sort of low-power coded/encrypted digital radio beacon, and retrofit the ship with a simple switch-receiver that would decode and authenticate the signal, and then automatically switch off the radar, perhaps with some sort of warning and override capability?

SecTrainer EMI/RFI conductive coupling and radiation remain the bane of the security industry.
I wouldn't float your suggestion anywhere within the beltway, defense contractors and their minion would be out to tar and feather and otherwise molest your body. Look at what is happening to Dragon Skin!
Bill

Okay - let's see if I can save my skin. How about pulsed laser or something "non-EMI"?

SecTrainer,

In response to your original question.

"Closed to open" normally results in tighter security because of the following:

1. As security measures are laxed to allow persons in, the level of the security has been initially high enough to disuade circumvention. Persons that were allowed at the higher levels have been deemed to be "low risk".

2. As the security levels are relaxed the facility has greater control on how far to relax them. If a security issue arises it is much easier to find the level of intrusion and set the standards to a level beyond.

"Open to closed" can result in future breaches of security because of the following:

1. As the security level is at the lowest level, people have more opportunity to evaluate a way around tighter controls.

2. Since all access was allowed at the beginning the personnel were not screened for access. As the level of access is tighter the personnel have a better chance to pass thier level forward onto others.

As for the access control system itself. The "closed - open" scenario would be harder to breach then the other way around. In the "open to closed" scenario the access system itself would probably need to be changed due to the openness of the method of operation.

I'm looking forward to read others comments on this thread. Great question.

(Being in the industry that Bill said would tar and feather will refrain me from the emi scenario) lol

Rooney, some of the beltway crowd are a fickle bunch and don't like to have their rice bowls cracked. The remark I made was not really tongue in cheek, damn shame really.
Your musings are on target.
Enjoy the day,
Bill

Thanks, Rooney - very insightful commentary, and obviously based on experience.

I know what you mean. In a "dog eat dog" world any outside criticism is frowned upon. If you can't handle criticism, you shouldn't be in the "beltway" anyway. I still have the tar and feathers though (havent used in a long time).

Trouble is there are many wonderful security contractors who are not part of the beltway crowd, in other words have not hired their fair share of retired high ranking officers a star or better, former DOD civilian employees, members of congress who have either retired or were defeated and finally deep pocket contributors. Two examples are the folks who have developed a superior assault rifle that puts the M-4 to shame or Pinnacle the folks who have developed "Dragon Skin" body armor. The makers of near counterfeit proof ID cards who are not part of the establishment stand little chance of getting anyone to look at their product. It hurts the entire security community and well as the public they wish to serve.
SecTrainer ideas border on brilliant but he has to approach the marketplace with care with a strategic plan to get it to the right people if he wants a fighting chance.
Enjoy the day,
Bill

Being a DOD contractor and a small business, we had a VERY hard time getting our products out to the people that need them. I understand your statement and agree COMPLETELY. A well thought out strategic plan is a must to get people to know about your product or service. Taking a product to market that you know is better than what is out there does not guarantee anything. There are more and more very smart people out there that make products or have services that will make our lives easier. The discipline needed to press forward when times get tough is great. You have to have an all or nothing attitude and stick it out. Without that is defeat.

SecTrainer,

Great topic!

If I had to choose one of your options, I would go with a fully closed facility. It is much easier to give access to people than it is to take it away.

However, I would prefer to start in the middle. An access control policy needs to be drafted- this may include access times, data retention, privacy, etc. After review by key stakeholders, it needs to be adopted formally by the organization.

An access control matrix should then be developed during the design phase of the project. This is something as simple as an XY spreadsheet with a list of doors down the side and a list of clearances at the top. Clearances consist of a door or group of doors and the time(s) they can be accessed. An example would be the "All Doors_24X7" clearance- so every door would be selected in the matrix, akin to a Grand Master brass key. Another would be something like "Employee General M-F 0600-2000" where select doors like the main employee entrances would only be selected and would only be accessible from 0600 until 2000, Monday through Friday. From there special access levels are "drilled down" to individual doors such as server rooms. The physical programming is labor intensive and can be incorporated into the integrator's scope in the specification and programming schedule if the clearances are defined.

One of the keys to success in access control programming is that the naming conventions that are used make sense to the system administrator or person who assigns individual access levels to a card. This extends to Time Codes (Day X Time ex. M-F 0800-1800), door names, door groups, events, etc. It decreases the time required to assign access and program the system, while reducing operator errors.

John

John, this is masterful. SecTrainer, really neat material to add to your proposal.
Enjoy the day,
Bill