One-Card Initiatives: Project Time Lines

Oct. 27, 2008
Detailed early planning is essential to creating a realistic time line for a successful rollout

Planning for a security one-card initiative is more complex than planning for earlier types of security card technologies. If you want to use your smart cards for multiple applications, as many facilities do, you’ll need to think beyond security planning and consider business planning as well. Your project time line will have to take many additional business and management factors into account.

Often high-level project time line items are not considered early enough in a one-card initiative. That’s almost to be expected, because technology implementation programs tend to have a strong focus on technology. Consequently, many of the problems that arise with such programs are not technology problems, but problems in program planning and management. Whether or not an item is considered early enough in the program can mean the difference between success and failure on some particular aspect of the initiative. This article, along with the nearby illustration, is intended to highlight items and actions you may not otherwise think of early on in the one-card process.

Name the Card and the Initiative
Naming the card and the initiative has many benefits, not the least of which is that people know exactly what you are referring to when you reference the project or card. For example, The Boeing Company dubbed their card the SecureBadge, the initiative the Boeing SecureBadge Program, and the program manager the Director of the Boeing SecureBadge Program.

Identify or Solicit a Visionary, Sponsor and Manager
Begin by finding a visionary, a sponsor and a manager for the project. It is possible but not likely that a single person would fill all three roles. As the name suggests, the visionary is the person who understands the full vision for the initiative and articulates it for the various stakeholders. The sponsor is the executive-level manager who interacts with the initiative’s core team and acts as liaison with other executives. The sponsor champions the initiative; signs off on high-level documents such as the business case and program initiation documents; obtains budgets; guides and monitors progress; and helps overcome organizational resistance. The initiative’s manager (whose actual title will vary depending upon the organization) has overall responsibility for successful planning and execution.

Define Vision and Objectives
The project vision and objectives are high-level approval items. Senior management must embrace the vision and objectives, provide approval in concept, establish the authority to continue, and commit resources to fully defining the initiative.

Determine the Applications
An organization can use smart cards in a remarkable variety of ways. Think about how your organization might use them.

Security applications include physical and logical access control—possibly with card-based biometrics—as well as encryption and digital signature for e-mail, documents and transactions. There are considerable security and financial benefits to one-step provisioning, whereby an HR system or an identity management solution pushes user roles or security privileges out to both the physical and IT security systems and revokes privileges in both when personnel are terminated. Smart card-based office automation workflow control can require printers to put a hold on confidential printing until the print job’s cardholder appears in person at the printer.

Non-security applications include cashless vending, company store, cafeteria, parking, library access and privileges, and shop floor control (tracking material and labor for manufacturing work orders). These are not minor issues. For example, studies by the Smart Card Alliance and others show that cashless vending often increases vending revenue by 15 to 20% and sometimes more.

Sometimes card applications are mandated by customer requirements, as is the case with contractors to the U.S. federal government, and so the decision is an external one that’s already made.

You must determine early on how each application will be required to perform, or you risk an unacceptable implementation. You should also include a proof-of-concept design and demonstration for all significant performance elements.

Identify Card Application Impacts
It is important to identify how the organization will be impacted by using the card applications instead of doing things the old way. Individual business units and functions will be involved in estimating the impact, as well as HR and legal. Many organizations have change management procedures in place that can help identify the organizational impacts.

Technology Issues
In “One-Card Initiatives: Technology Issues” in the September 2006 issue of ST&D (p.22), we discussed the technology decisions regarding the plastic card, the smart chip, the chip operating system, the interface for chip-to-reader communications, the reader, and finally the card management software to manage the data on the card. These issues can only be addressed once the full scope of applications has been settled upon. As always, of course, you need to make allowances for unanticipated future applications.

Technology Change Impacts & the Project Approach
The technology of the systems you already have in place will determine some of your requirements and may limit your options for the technology rollout. Will you have to rip and replace systems, or can you upgrade them to be smart card compatible? If you currently use proximity cards, will you replace all your cards and readers in one fell swoop or deploy multi-technology readers that can read your existing cards, allowing you to switch cards region by region, or in parallel with IT security’s deployment?

An even larger consideration is the scope of the IT side of the rollout. Are there a number of disparate company directories that must be standardized under a single architecture or platform? Is a single-sign-on solution a part of the IT implementation?

Some aspects of the implementation can be independent of others. In many cases, a physical security rollout of multi-technology readers can take place well in advance of an IT rollout of smart card readers. If one-step provisioning is to be implemented, can the physical security implementation be done first, followed by the IT security implementation? Or will both be piloted in parallel and then rolled out together? What is the lowest-risk approach for each group (physical and IT security) and for each application?

Planning the migration or changeover will involve pilot tests and dry runs, as live systems currently in use will be affected or replaced. Keep in mind that technology change will impact systems and systems personnel, including secondary or backup systems and backup personnel.

Identify Stakeholders
In a smart card project with multiple applications, you’ll have more stakeholders from different sectors than you’ve had in previous card projects. As always, you’ll have corporate, physical and IT security stakeholders, as well as the card users themselves. The range of smart card applications will define the remaining stakeholders. Representatives of all stakeholder groups will be involved in collaboration to a greater or lesser degree throughout the project.

Plan for Organizational Changes
Think about the people and process elements of the changes being made. You should assign organizational change planning to personnel who are not also responsible for technology aspects of the initiative.

Policy and Procedure Impact
Identify the policy impact of the intended applications; think about privacy and legal issues for global deployments. For example, some kinds of encryption cannot be exported from the United States due to government regulations. Consider how these issues will impact procedures and workflow, workflow design, planning and training.

Awareness, Education and Communication
As mentioned in the previous article in this series (“One-Card Initiatives: Cultural Issues,” October 2006, p.22), there are educational issues that must be taken into account, regarding both the applications being deployed and the rollout tasks relating to the cards and applications. Most companies with successful projects have set up both intranets for employee education and extranets for coordination with solution providers and their implementation teams. A key element of these has been the Frequently Asked Questions intranet page. Without one, your project team is destined to be swamped, answering the same questions over and over. The longer the initiative goes without one, the more misinformation is spread.

Resources
What resources will be required for the core initiative teams and from each stakeholder? Will you need to add personnel or expertise that is not currently in-house? Will you need to hire project managers experienced in these kinds of deployments? What resources will you require from your solution providers?

Financial Approach
Financial considerations will also impact the project approach. Will you want the lowest overall cost or the lowest annual cost? Will the initiative be a single huge cost and budget allocation, or will it be budgeted in independent phases? Is there benefit in the physical or IT security rollouts taking advantage of multi-year budgets, or in having the physical security rollout and financing precede the IT security rollout? If you plan the project right, each phase or stage can stand on its own both functionally and financially. That provides you and your organization with the most flexibility going forward and safeguards you against problems if the financial picture changes mid-initiative. This is a risk management factor that will be of interest to many stakeholders.

Decouple as Many Elements as Possible
It is important to eliminate as many rollout interdependencies as possible and to clearly identify the ones that remain. Eliminating interdependencies may expand the budget slightly or increase resource requirements slightly, but it should have a definite payoff in terms of reducing program risk and giving the organization the most flexibility moving forward. The earlier planning steps should be revised as appropriate.

Develop Implementation Action Plans

The development of action plans is sometimes begun before all of the prior steps have been completed. This situation can result in action plans needing revision as the project rolls forward, which is sometimes interpreted as a program execution failure instead of an appropriate response to planning shortcomings. It is often difficult to add or change resources in the late stages of a program. It’s not always obvious when you have incomplete input for execution planning, which is why it helps to identify and carry out the earlier time-line steps.

Activate Resources
Contrary to popular assumption, funds and people do not automatically become available. The larger the program, the more important this element becomes.

Execute
Execution goes much more smoothly with all of the preparation done ahead of time.

Complete
Once all of the organizational processes are in place and fully functioning, they can take over before the cardholder switchover reaches 100%. It is therefore important to identify the point at which the initiative, as a special program, is complete. This can even be at 75% of card issuance or earlier. Once the technology changes are complete and the organizational processes are well established, it is appropriate to phase out the program resources.

Celebrate
Personnel from successful one-card programs stress the importance of acknowledging the completion of program phases and the recognition of all the good work that has been contributed. The final celebration should be accompanied by congratulatory messages and commendations in personnel files, for example. These things require some budgeting and planning, and they should be defined as part of the program so that they are pre-approved when the time comes.

Based on the increasing success level for such programs and the amount of knowledge being shared about them, your chances are better than ever of achieving your one-card objectives.

Ray Bernard, PSP, CHS-III is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities. Mr. Bernard has also provided pivotal strategic and technical advice in the security and building automation industries for more than 18 years. He is founder and publisher of The Security Minute 60-second newsletter (www.TheSecurityMinute.com). For more information about Ray Bernard and RBCS go to www.go-rbcs.com or call 949-831-6788.

About the Author

Ray Bernard, PSP, CHS-III

Ray Bernard, PSP, CHS-III, is the principal consultant for Ray Bernard Consulting Services (www.go-rbcs.com), a firm that provides security consulting services for public and private facilities. He has been a frequent contributor to Security Business, SecurityInfoWatch and STE magazine for decades. He is the author of the Elsevier book Security Technology Convergence Insights, available on Amazon. Mr. Bernard is an active member of the ASIS member councils for Physical Security and IT Security, and is a member of the Subject Matter Expert Faculty of the Security Executive Council (www.SecurityExecutiveCouncil.com).
