SecTrainer,

Great topic!

If I had to choose one of your options, I would go with a fully closed facility. It is much easier to give access to people than it is to take it away.

However, I would prefer to start in the middle. An access control policy needs to be drafted- this may include access times, data retention, privacy, etc. After review by key stakeholders, it needs to be adopted formally by the organization.

An access control matrix should then be developed during the design phase of the project. This is something as simple as an XY spreadsheet with a list of doors down the side and a list of clearances at the top. Clearances consist of a door or group of doors and the time(s) they can be accessed. An example would be the "All Doors_24X7" clearance- so every door would be selected in the matrix, akin to a Grand Master brass key. Another would be something like "Employee General M-F 0600-2000" where select doors like the main employee entrances would only be selected and would only be accessible from 0600 until 2000, Monday through Friday. From there special access levels are "drilled down" to individual doors such as server rooms. The physical programming is labor intensive and can be incorporated into the integrator's scope in the specification and programming schedule if the clearances are defined.

One of the keys to success in access control programming is that the naming conventions that are used make sense to the system administrator or person who assigns individual access levels to a card. This extends to Time Codes (Day X Time ex. M-F 0800-1800), door names, door groups, events, etc. It decreases the time required to assign access and program the system, while reducing operator errors.

John

Thanks very much for your thoughtful reply, John. Is it your experience that access control policy and programming can be based largely on group definitions as we do with network access control, so that by identifying an individual as a member of a group the access decisions are already predetermined?

If so, and presuming that there would then be individual ad hoc exceptions, for instance, occasional contractor visits like elevator service techs, who do you believe should have the authority to make the decision regarding access for those individuals? (Let's presume that this is a high-security facility such as a DoD contracting company, and that you don't have the manpower to individually supervise them continually while on-site.)

Hi SecTrainer,

I always try to use groups for access control. For example, at an airport I recommend setting access up by airline that way if jetBlue hires a new person the system admin does not have to figure out what doors to give that person- they just apply the Jet Blue clearance and the General clearance.

Regarding special doors or clearances- security or the system administrator generally applies the general clearance but only should give access to a specific area (let's say a lab) after an authorization form is submitted by the person who controls that area to the system administrator. It can be as easy as a simple email dialog, an online form through the corporate intranet (my preference) or good old paper!

These are the types of issues that I try to include in my client's policies and procedures.

John