Converting Corporate Data Into a Single-Badge Solution

Jan. 1, 2004

As companies expand through financial growth, acquisitions and mergers, they often add facilities in other locations to enhance their market position. Because our business environment is expanding beyond the United States into the global market, new company locations can be farther apart and more disjointed than ever before. For these reasons, many large companies today share one common access control problem: the lack of a common employee badging system.

Without a badge that is standard in appearance and somewhat standard in access control technology, employees traveling to any of the added locations would have to carry a ridiculous number of badges to gain entry to secured areas or the buildings themselves.

A multi-site company needs a standard badge to allow access to the different domestic and international company locations. In order to ascertain the best solution, upper management should assign a team of individuals from the different business groups to investigate.

Gathering Information

The first thing the team must do is gather data on the current state of access control and identification in each of the sites. They can do this by sending Request for Information forms to each of the sites. The forms should include at least the following questions:

  • Badge technology used
  • Number of badge readers
  • Bit patterns in the badge technology (Protocol)
  • Planned access control system upgrade in present year (Yes or No)
  • Planned access control system upgrade next year (Yes or No)
  • Cost per badge/card
  • Manufacturer of access control system
  • Badges coded/manufactured on site (Yes or No)

Take care to ask for only as much information as needed to set a direction in standardization. The more information requested, the more difficulty each site will have gathering the data.

Depending upon the manner in which the sites support their access control system, they may or may not know the answers to all these questions. For example, often a local alarm company handles a company's access control system, so the site security department knows nothing technical about protocols. To minimize the gaps in information, the Request for Information form should include a blank that requires a contact for each site. This way when the information is returned and it is not complete, the team can call the site contact directly.

Once the team receives the requested information from each site, it can organize this data into a spreadsheet covering each location by business unit. The spreadsheet should list the sites down the vertical axis, grouped by business unit. The horizontal axis of the spreadsheet should contain the variables of interest.

Choosing the Technology and Protocol

After studying the data, the team must decide which technology the access card should use. They can take one of three approaches in making this decision. One: Look at the technology's cost as the primary factor. Two: Focus on minimizing costs. For example, if 40 percent of the badge readers across all facilities currently use the same technology, then using that technology as the standard reduces badge reader replacement by 40 percent. Three: Select a technology based upon the benefits of that technology.

One option would be a multi-technology badge that encompasses the technologies already in use across the company as well as the desired technology. This approach requires every technology to utilize a standardized protocol. It is cost effective but would create many unique problems. The transition to a single technology and protocol with this approach will take longer. The advantage is an easier transition at the site level and minimal cost at a company level.

No matter what approach the team takes, there will be cost impact. Even when the desired technology already exists at various sites, it is unlikely the badge protocols are the same. A standardized badge protocol must also be selected. The team may decide that the protocol currently most prevalent in the company should become the standard, or the company may want a proprietary protocol to be developed by the manufacturer of the chosen technology. This option provides a higher level of security.

To minimize the cost of changing to the standardized protocol, the team may opt to use multiple badge protocols on the existing access control system. The protocols may be defined in software, allowing two or more badge protocols to exist at the same time. This eliminates a total conversion to a new badge for every employee at those sites. Some manufacturers of access control systems do not allow software changes that add different protocols. In these cases multiple protocols must be handled in firmware. Firmware changes require an EPROM chip to be programmed and placed in the field equipment. One potential problem with incorporating multiple protocols in the same access control system is that different protocols can only be used if they have different bit lengths. For example, it is not possible to have two protocols for a 37-bit proximity badge.
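The bit-length constraint described above can be seen in a small software decoder. This is an added example, not code from the article or from any access control vendor. The 26-bit layout is the widely used open format. Both 37-bit layouts, the class and function names, and the sample reads are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class BadgeFormat:
    name: str
    bits: int          # total bits in one read, parity included
    facility: slice    # positions of the facility (site) code
    card: slice        # positions of the credential number
    even_span: slice   # leading parity bit plus the data bits it covers
    odd_span: slice    # data bits plus the trailing parity bit

class FormatRegistry:
    def __init__(self):
        self._by_length = {}

    def register(self, fmt):
        # A reader hands over only a bit string, so length is the sole discriminator.
        if fmt.bits in self._by_length:
            raise ValueError(f"{fmt.bits}-bit reads already map to {self._by_length[fmt.bits].name}")
        self._by_length[fmt.bits] = fmt

    def decode(self, read):
        fmt = self._by_length.get(len(read))
        if fmt is None:
            raise ValueError(f"no protocol defined for {len(read)}-bit reads")
        if read[fmt.even_span].count("1") % 2 != 0 or read[fmt.odd_span].count("1") % 2 != 1:
            raise ValueError("parity check failed")
        return fmt.name, int(read[fmt.facility], 2), int(read[fmt.card], 2)

def encode(fmt, facility, card):
    """Build a constructed sample read (test data only)."""
    fac_w = fmt.facility.stop - fmt.facility.start
    card_w = fmt.card.stop - fmt.card.start
    data = f"{facility:0{fac_w}b}{card:0{card_w}b}"
    body = "0" + data + "0"                       # parity positions zeroed for counting
    even = body[fmt.even_span].count("1") % 2     # makes the leading span even
    odd = 1 - body[fmt.odd_span].count("1") % 2   # makes the trailing span odd
    return f"{even}{data}{odd}"

# Open 26-bit layout: parity, 8-bit facility code, 16-bit card number, parity.
LEGACY_26 = BadgeFormat("legacy-26", 26, slice(1, 9), slice(9, 25), slice(0, 13), slice(13, 26))
# Assumed 37-bit layouts for illustration; both occupy the same length.
STANDARD_37 = BadgeFormat("standard-37", 37, slice(1, 17), slice(17, 36), slice(0, 19), slice(18, 37))
ACQUIRED_37 = BadgeFormat("acquired-37", 37, slice(1, 14), slice(14, 36), slice(0, 19), slice(18, 37))

registry = FormatRegistry()
registry.register(LEGACY_26)
registry.register(STANDARD_37)
```

Registering `ACQUIRED_37` is rejected, and a badge encoded in that layout still passes parity under `STANDARD_37` but yields a different facility code, which is why two protocols of the same length cannot coexist on one system.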

Multiple protocols must be handled in the access control system, because the technology in the badge limits the number of protocols it can carry. For example, Wiegand and proximity cards only hold one number. Magstripe cards can hold up to three numbers, one on each track, but the new company standard should specify the track to be used. The readers of magnetic stripe badges must also be set to read a certain track. Smart cards could have multiple protocols, but allowing both protocols to be used at the same time would require a substantial and expensive programming effort.

Using an existing technology and a standardized protocol would minimize the transition costs for the sites that already use either the standard technology or the standard protocol. Employees at these sites who travel to other sites that have a different protocol but utilize the same technology can gain access, assuming the system can handle multiple protocols. If they travel to sites with a different technology, they must still carry multiple badges.

The sites that already have the desired technology and will incorporate the desired protocol will experience little conversion cost impact. The badges can be replaced on some basis other than a total site rebadge. For example, the badges could be replaced when old badges no longer work or are lost. Another approach is to stagger the employees' rebadging times—changing the badge on the employee's hire date, for example. This approach would allow all badges to be replaced within a year.

At those sites that do not already utilize the desired badge technology and protocol, new badges must be manufactured, access control systems modified or changed out, and the access control database loaded with new credential numbers to accept the new badge standard. This effort requires funding and time. Employees traveling from these sites must also carry multiple badges to gain access to sites that haven't yet made the transition.

It will take quite some time to transition the company to the standardized technology and protocol unless a tremendous amount of money is spent.

Creating the Roadmap

The technology and protocol have been chosen, as well as the method to implement them. The team should now evaluate each site listed on the spreadsheet and calculate the costs to convert them to the standard. They may need outside technical support to make this calculation. Each manufacturer's system will differ in configuration. Often it is necessary to work through a dealer that sells the equipment to make any changes to the hardware or software. The dealer in turn would interface with the manufacturer to make the needed changes.

Once that information has been gathered and placed on the spreadsheet, the team can develop a roadmap that includes costs, a plan to convert every site to the new standard, a timetable to complete the conversion, and badging cost during transition. The team should present the roadmap to upper management, explaining the issues that will arise at the site level.

One issue that must be raised with upper management is that when employees have access to other sites, controls must be in place to govern the level of access the visiting employee should be given. The only reasonable way to address this is to give each site total control of its own access control system. General access for an employee should be automatically approved for any company site. However, to gain access to restricted readers, the visiting employee must go to the badge room and the credential number in their badge must be loaded into the database. Restricted access would require a sponsor such as a local manager, in the same way a local employee would be sponsored.

After upper management promises its support, the team must present the roadmap to the business group management, and then to site management. To be successful, each group must make the adjustments necessary to bring their site into compliance. The team must continue to meet and verify that the goals are being accomplished and the deadlines are being met at every site. This requires communication with the sites, travel to sites, and administrative support to keep up with the details. One way to aid the transition is by using the company-wide newsletter to keep employees informed about the progress. Seeing the conversion through to completion requires the support of upper management as well as the employees. Gaining this support requires selling the concept to everyone.

Robert Pearson, PE, is a registered professional engineer and manager of electronic security systems for Raytheon Co.