Access Control Paradigms

  • #16
    Originally posted by john_harrington
    SecTrainer,

    Great topic!

    If I had to choose one of your options, I would go with a fully closed facility. It is much easier to give access to people than it is to take it away.

    However, I would prefer to start in the middle. An access control policy needs to be drafted; this may include access times, data retention, privacy, etc. After review by key stakeholders, it needs to be adopted formally by the organization.

    An access control matrix should then be developed during the design phase of the project. This is something as simple as an XY spreadsheet with a list of doors down the side and a list of clearances at the top. Clearances consist of a door or group of doors and the time(s) they can be accessed. An example would be the "All Doors_24X7" clearance, so every door would be selected in the matrix, akin to a Grand Master brass key. Another would be something like "Employee General M-F 0600-2000", where select doors like the main employee entrances would only be selected and would only be accessible from 0600 until 2000, Monday through Friday. From there special access levels are "drilled down" to individual doors such as server rooms. The physical programming is labor intensive and can be incorporated into the integrator's scope in the specification and programming schedule if the clearances are defined.

    One of the keys to success in access control programming is that the naming conventions that are used make sense to the system administrator or person who assigns individual access levels to a card. This extends to Time Codes (Day X Time, ex. M-F 0800-1800), door names, door groups, events, etc. It decreases the time required to assign access and program the system, while reducing operator errors.

    John

    Thanks very much for your thoughtful reply, John. Is it your experience that access control policy and programming can be based largely on group definitions, as we do with network access control, so that by identifying an individual as a member of a group the access decisions are already predetermined?

    If so, and presuming that there would then be individual ad hoc exceptions, for instance occasional contractor visits like elevator service techs, who do you believe should have the authority to make the decision regarding access for those individuals? (Let's presume that this is a high-security facility such as a DoD contracting company, and that you don't have the manpower to individually supervise them continually while on-site.)

    "Every betrayal begins with trust." - Brian Jacques

    "I can't predict the future, but I know that it'll be very weird." - Anonymous

    "There is nothing new under the sun." - Ecclesiastes 1:9

    "History, with all its volumes vast, hath but one page." - Lord Byron


  • #17
    Originally posted by SecTrainer
    Thanks very much for your thoughtful reply, John. Is it your experience that access control policy and programming can be based largely on group definitions, as we do with network access control, so that by identifying an individual as a member of a group the access decisions are already predetermined?

    If so, and presuming that there would then be individual ad hoc exceptions, for instance occasional contractor visits like elevator service techs, who do you believe should have the authority to make the decision regarding access for those individuals? (Let's presume that this is a high-security facility such as a DoD contracting company, and that you don't have the manpower to individually supervise them continually while on-site.)

    Normally when I installed systems, the groups were similar to the way network access was done. Then you can assign the group to the particular entrance. Groups should normally be broken down to a detail level suitable for the requirements. For example, night shift employee level 3 only has access to doors in his/her work area during shift, whereas night shift employee level 1 may be a supervisor that has access to all doors but only during his/her shift.

    As for the occasional contractor, we would give them an access card that only works during a specific time (they will only be there a few hours or a few days), and only allow access to needed areas during needed time periods. If the person needed access to a high level location then they must be escorted if not cleared. I normally did not assign them to a group because they only need access to certain areas that may only be part of a group. If they forgot to return the card (happens all the time), the card automatically becomes useless after the access interval programmed into the system expires.
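The door-by-clearance matrix and time codes John describes in #16, together with the expiring contractor card from the reply above, modelled as a deny-by-default decision function. This is an added example, not code from either poster; the door names, clearance names, cardholders and timestamps are constructed for illustration.

```python
"""Toy model of the door-by-clearance matrix, time codes and expiring contractor cards
from the thread. Added example; doors, clearances, cardholders and times are constructed."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, List, Optional

@dataclass(frozen=True)
class TimeCode:
    """A "Day X Time" code such as M-F 0800-1800: weekdays (0 = Monday) and a daily window."""
    name: str
    weekdays: FrozenSet[int]
    start: time
    end: time  # exclusive; time.max covers the whole day

    def active(self, at: datetime) -> bool:
        return at.weekday() in self.weekdays and self.start <= at.time() < self.end

@dataclass(frozen=True)
class Clearance:
    """One column of the matrix: a door group plus the time code under which it opens."""
    name: str
    doors: FrozenSet[str]
    when: TimeCode

@dataclass
class Card:
    holder: str
    clearances: List[Clearance]
    valid_until: Optional[datetime] = None  # contractor cards carry a hard expiry

# Constructed matrix: rows are doors, columns are clearances.
ALL_DOORS = frozenset({"Main Entrance", "Loading Dock", "Lab", "Server Room"})
M_F_0600_2000 = TimeCode("M-F 0600-2000", frozenset(range(5)), time(6, 0), time(20, 0))
ALL_DOORS_24X7 = Clearance("All Doors_24X7", ALL_DOORS,
                           TimeCode("24X7", frozenset(range(7)), time.min, time.max))
EMPLOYEE_GENERAL = Clearance("Employee General M-F 0600-2000", frozenset({"Main Entrance"}), M_F_0600_2000)
LAB_ONLY = Clearance("Lab M-F 0600-2000", frozenset({"Lab"}), M_F_0600_2000)

def decide(card: Card, door: str, at_iso: str) -> bool:
    """Deny by default: grant only if the card has not expired and some clearance
    on it names this door under a time code that is active at this moment."""
    at = datetime.fromisoformat(at_iso)
    if card.valid_until is not None and at >= card.valid_until:
        return False  # unreturned contractor card: dead once the interval lapses
    return any(door in c.doors and c.when.active(at) for c in card.clearances)

# Constructed cardholders: a 24x7 admin, a day-shift employee, and an elevator tech whose
# card is issued for one weekday (Wed 2024-03-13) and dies at 17:00 whether returned or not.
ADMIN = Card("admin", [ALL_DOORS_24X7])
EMPLOYEE = Card("employee", [EMPLOYEE_GENERAL])
TECH = Card("elevator tech", [EMPLOYEE_GENERAL, LAB_ONLY], valid_until=datetime(2024, 3, 13, 17, 0))
```

Every request that does not match a live clearance on an unexpired card is refused, which is the "fully closed" default the thread argues for; adding a door to a person is a matrix edit, never a code change.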


  • #18
    Hi SecTrainer,

    I always try to use groups for access control. For example, at an airport I recommend setting access up by airline; that way, if JetBlue hires a new person the system admin does not have to figure out what doors to give that person, they just apply the JetBlue clearance and the General clearance.

    Regarding special doors or clearances: security or the system administrator generally applies the general clearance but should only give access to a specific area (let's say a lab) after an authorization form is submitted by the person who controls that area to the system administrator. It can be as easy as a simple email dialog, an online form through the corporate intranet (my preference) or good old paper!

    These are the types of issues that I try to include in my clients' policies and procedures.

    John

    "People sleep peaceably in their beds at night only because rough men stand ready to do violence on their behalf." - G. Orwell


  • #19
    Originally posted by john_harrington
    Hi SecTrainer,

    I always try to use groups for access control. For example, at an airport I recommend setting access up by airline; that way, if JetBlue hires a new person the system admin does not have to figure out what doors to give that person, they just apply the JetBlue clearance and the General clearance.

    Regarding special doors or clearances: security or the system administrator generally applies the general clearance but should only give access to a specific area (let's say a lab) after an authorization form is submitted by the person who controls that area to the system administrator. It can be as easy as a simple email dialog, an online form through the corporate intranet (my preference) or good old paper!

    These are the types of issues that I try to include in my clients' policies and procedures.

    John

    Thank you, John. The wealth of your experience is very evident.

    "Every betrayal begins with trust." - Brian Jacques

    "I can't predict the future, but I know that it'll be very weird." - Anonymous

    "There is nothing new under the sun." - Ecclesiastes 1:9

    "History, with all its volumes vast, hath but one page." - Lord Byron


  • #20
    SecTrainer,

    It is my pleasure!

    John

    "People sleep peaceably in their beds at night only because rough men stand ready to do violence on their behalf." - G. Orwell