Checklist Weaknesses and the Potential for Inaccurate Conclusions
One client relied upon the "Security Vulnerability Self-Assessment Guide for Small Drinking Water Systems," one of the free self-assessment checklists. One checklist item is "Key control and accountability policy." Key control and accountability is an appropriate security expectation. The proper deployment of locks and control of keys is effective in reducing the likelihood of security incidents from insiders, contractors, former employees and, to some extent, low-level outside criminals. Having completed the checklist in a departmental meeting with in-house personnel, water system personnel considered themselves to be performing satisfactorily in this area. However, a consultant investigation revealed:
- The client was using low-grade keys with the potential for unauthorized duplicates to be made at any local hardware store.
- The client had no tracking or accountability system to be assured of how many keys were in circulation or whether the location of all assigned keys was known.
- Employees and contractors routinely separated from the organization and keys were not recovered.
- Third-party contractors had locks on gates and the client had no idea how many had access to their sites as a result.
Without proper facilitation and guidance, it is easy for a community water system to conclude that a key control and accountability program is adequate. Yet in 16 years of evaluating security programs (and there have been hundreds), we have found only one company whose key control program was properly in order. The self-assessment checklist question as written leaves a significant exposure to an invalid conclusion, particularly without a security professional assisting in the process. For example, the checklist makes no mention of using a patented controlled keyway, which minimizes the exposure to unauthorized duplication of keys. This should be a baseline requirement for mechanical locks on critical facilities. In fact, there are at least 10 measurements that need to be evaluated when determining the adequacy of a lock and key control program, some of which include:
- Having a proper tracking system (preferably a relational database such as Best's Keystone system)
- Properly / uniquely engraving keys
- Changing locks when keys are lost or stolen
- Assigning responsibility for the management of the key control program to a properly trained individual
- Implementing a procedure for users to sign for keys on removal and return
- Implementing a procedure that ensures the distribution of keys is appropriate (particularly for master keys). One client issued a master key to a senior employee in management who really didn't need the key and had lost it three times without a single lock being changed!
- Securing spare keys with a level of security that is commensurate with the value of the keys.
To ensure adequacy of a key control program, one would also have to look at procedures to ensure keys are recovered when personnel separate. So while the checklist approach can be quick, easy and inexpensive to execute, it often leaves a lot to be desired in terms of thoroughness and reliability of the conclusions.