Designing Success into Access Control

How to start your project off a winner

When you're planning an enterprise access control deployment over multiple locations, of course you'll have much more to think about than just the technology. You will need to approach your design from management, technological and architectural perspectives.

In this article, we'll help you consider those aspects of project design and identify both the potential successes and the pitfalls that could be encountered along the way. The management section will discuss salesmanship, coordination, and the need to identify all the potential stakeholders. The technological discussion will provide guidance on selecting the appropriate equipment and manufacturers, the communications issues and the significance of a security system. The architectural discussion will not be from the typical building approach, but will be explored in terms of your system architecture.

In preparation for this article, I interviewed a number of individuals at Aggleton & Associates and also John Moss, one of the founders of Software House and the current CEO of S2 Security Corp. Thanks to each of you for your contributions.

Management Perspective

Perhaps the greatest failures I have seen in security implementations are due to a failure to develop a sound plan and to coordinate that plan with all of the involved stakeholders. Sometimes identifying the stakeholders is the biggest challenge. Failure to include a peer manager in the process, such as the procurement manager, has caused a number of large projects to come to a screeching halt. Let's first talk about the plan development and then move to a discussion of coordination.

Developing an implementation plan for an enterprise access system deployment involves first identifying the overall goals and objectives of the project. Is the goal merely to link up existing, like systems, or is the goal to establish a common system within which existing systems represent differing technologies and software? Having been involved in both types of projects, I can say that the easier of the two is the former. When systems are varied, there is a significant challenge in gaining consensus on the appropriate solution.

For instance, after one major installation, I saw problems develop because a site manager did not feel that he had been sufficiently involved in the selection of systems; his favored system was not the one deployed. In cases like this, the overlooked stakeholder becomes the proverbial snake in the grass. If you do not coordinate and sell this individual ahead of time on the merits of the selected system, any issues that develop—and there will be issues—will escalate and create significant hurdles for a long period.

Identifying stakeholders and making them part of the planning process is a major step that is often overlooked. We all have been guilty of saying something like, “I run this department and I know what's best from a security perspective.” An attitude like that will surely lead to disaster when implementing a complex system. I suggest that you pull together a team or committee responsible for the enterprise deployment. Make sure the committee includes representatives from all departments that may be impacted by the system, such as procurement, telecommunications, networking, information technology, risk management, facilities and human resources. I understand well the old story about an elephant being a mouse designed by committee, but I have seen the alternative first hand. A project not properly coordinated can come to a complete halt, never to be resurrected, because a particular entity wasn't properly consulted.

Another issue that should be reviewed at this point is the option of a one-credential solution. In organizations that don't communicate, there is often a conflict when it comes to credentialing and access devices. That's why you frequently hear of people having to carry multiple cards for the same facility. IT implements a credential for gaining access to data processing resources and Facilities implements a credential for purchasing food at the cafeteria, while Office Services implements a manual system of accountability at copy machines. And don't forget you still have the access control card that may vary from the ID card.

This content continues onto the next page...