Access Control Best Practices

Aug. 24, 2012
Six ways to avoid mistakes when deploying your new system

Whether your electronic access control system project is a first-time installation or an upgrade, there are some common mistakes that can be avoided with proper planning.

While this article focuses on first-time installations — because there are more potential pitfalls — an upgrade will share many of the same challenges.

It is natural for a security manager to have a great deal of excitement about a project — after all, a new access control system has great potential to improve facility security and day-to-day operations. But, it is important to lay the groundwork for a new project — use this list of best practices to guide you through the process, while carefully contemplating any potential problems that could surface during each stage.

Best Practice: Document Functional Requirements
The elimination of mistakes when installing a new access control system must start with the initial design stage, where the system scope is outlined and documented through functional requirements — statements that reflect how the equipment will provide a needed protection for a security function. This statement does not specify any electronic equipment — it simply says in plain English what must be accomplished.

This is a stage that is often overlooked and will result in additional cost when you realize the system does not address all the important security issues you wanted it to. These requirements should be developed and reviewed with all organizational stakeholders, including upper management, security management, security personnel, Facilities, IT and others. The functional requirements of the system should be listed by priority, and they should address the organization’s key business security concerns and risks.

An example of a typical access control functional requirement is that physical and electronic access to the company data center must be controlled and all entries and log-ins documented at all times.

Not all functional requirements should be resolved with electronics. There are many ways to meet a functional requirement, such as Crime Prevention Through Environmental Design (CPTED) or through administrative processes. An example of a CPTED solution in a lobby might include a partial wall or planters that force pedestrian traffic past a receptionist before reaching the elevators or doorways into a more secure part of the building. CPTED and administrative solutions would not be obvious without functional requirements; in fact, the initial tendency is to start placing card readers and security cameras, alarms, etc., on a building plan and calling it a security design.

Best Practice: Share and Review Everything Up and Down the Ladder
As the design process proceeds, it is important to review the plan with all stakeholders at each level of design (10%, 30%, 60%, 90%, etc.). This includes all levels of security personnel, from officers to management — you need buy-in from the people operating, responding and maintaining the system, and they need to understand the plan to address the various functional requirements.

Understanding how the system operates and design acceptance is important for all stakeholders. Management needs to be kept informed to be sure they understand the costs and benefits of the system and how it will solve the functional requirements.

This will minimize changes to the design in the final stages, thus saving potential extra expenditures during the design and installation phases.

Best Practice: How to Choose and Plan Cards or Badges
Just because a particular technology has a ton of bells and whistles does not mean you should be more or less compelled to choose it. A small installation, for example, may not need every state-of-the-art feature available on the access control market. Mistakes made in the selection of the electronic access control technology itself will obviously not produce the desired result.

Most card technology is based on either proximity or contactless smart cards — one thing to remember is that these technologies are not interchangeable unless a dual-technology card or reader is used. It is important to consider both how the access control system will function now and in the future when making this choice, or you could be stuck having to make an upgrade sooner than you wish. Many times, the IT department has already selected an enterprise-wide smart card, so be sure they are included in the discussion.

Most card manufacturers are pushing the smart cards. There is nothing wrong with this technology, but it should be decided early on how much memory is needed on the card — which also means considering any possible non-security uses of the card, such as for payments, etc. Be sure to allocate the card memory for the various user groups before detailed design is started. These user groups should be defined up front and agreed to by all stakeholders.

Once the groups are defined, there must be a plan in pace outlining which group or groups can load data onto the card and what memory locations can be used. It is usually a mistake to allow just any user group to load data into the enterprise electronic access control system. This same approach can be used with a proximity card, but the actual data is the same for all users with this technology, because there is only one unique card ID number.

Other card/badge issues that must be solved include the amount, type, font size, location, etc., of data that will appear on the card. If a picture of the employee will be used, the size, background, colors, card orientation, setting for any access card printers and picture location on the badge must be defined.

If added security, such as a hologram, is to be incorporated on the access card, it should be decided early in the process. Any aspect of the production, distribution, allocation and storage of the card/badge must be defined and documented, as well as which facility or facilities the card will be used in. If other groups of people, such as contractors, will be given an access card, the same issues must be addressed, and the card/badge itself should look somehow different (colors, orientation, etc.) than an employee card/badge.

Best Practice: Get Management and Employees Involved and Trained
Management and employees must be involved in the card/badge process. If the card has a picture and other data, management needs to approve the layout, colors and design, and the information that appears on the card.

Employees need to be involved to ensure acceptance of the card’s appearance and end-functionality. With a proximity or contactless smart card, the distance the card can be properly read by the reader will vary by the antenna size (inside the reader itself) and surrounding interference, such as steel. One way to mitigate problems is to train the employees to use a tap-and-go reader approach (The card is lightly touched to the reader). Having employees use a reader that is set up just for them to try their access card will eliminate reader operation issues and database errors.

There must be some type of feedback when an employee tries to use their card, such as a green light and/or sounder that indicates a good read.

Best Practice: Plan for Growth
Another potential pitfall with your new access control system is failing to understand the scope of the installation. Is this system designed for a single facility or multiple facilities across the country or globe? If there are multiple enterprise locations, all employees should have the same card, and that card should work at every applicable facility. This will eliminate multiple cards for access between sites and facilities.

The various site security managers should be able to allow access to more sensitive card-controlled locations, based on each employee’s specific needs. Thus, the system must be able to load and program cards across multiple enterprise sites. These concerns — along with replacing lost cards, card lifetime, employees leaving the company, etc. — should be addressed in a “card manufacturing process and distribution” document.

Be sure you have accounted for future growth of the electronic access control system. After the system is installed, you will invariably receive requests to install additional readers that may not have been anticipated.

One way to plan for additional readers is to incorporate a few spare items into the initial installation, such as extra-unused reader ports in all data-gathering/access control panels. If this is not defined in the design, the installing company will use as few data-gathering panels and/or access control input cards as possible to win the bid and enhance their profit. Additional space for card input boards and card readers could also be added to the original project scope. A spare inventory of readers and card input boards will help address immediate repair and expansion issues.

Best Practices after the Installation
Even after installation, it is critical that any issues that come up are addressed swiftly and with a system-wide solution. An electronic access control equipment failure or card reader issues must be addressed as a top priority.

There will always be some missed items in any new system — the worst thing that can happen is for the employees to become dissatisfied with the electronic access control system and complain to management.

That is why all the Security staff should be alert and report any issues to their security manager to improve the system operation and mitigate dissatisfaction.

Robert Pearson has written numerous articles and has recently published a book titled, “Electronic Security Systems.” On a day-to-day basis he oversees design, project management, and maintenance of security systems for multiple sites.