Monday, August 22, 2011

Talking to a Client Getting Access Control

I have dealt with a few clients who were getting access control and realized they did not always know the questions to ask.  Usually, I am speaking when the access control contractor is not present to answer these questions.  I thought I might comment from my point of view.  I have seen these give problems since the access control is already going in but after a bit of talk it is not clear the end user knows of the lock issues.   (Modern systems use prox or proximity readers often embedded in cards.  There are several types of credentials, but I will just call them all cards.)

Several examples of many I could find:

Do you still have a key operated way to walk from the outside of the building to the power supplies and the controllers?

Power goes out and if you can not get into the building, you can not check function or its real security.  Also, the computer which checks the credentials may shut down in a power failure or for 1000 other reasons.  In the end a few people should be able to access physical keys to get to this critical infrastructure.  Often, people think this means carry that key all the time.  Not necessarily.  I can think of one building operator who carries a key for the exterior and the office. Once in there, further keys are available.  (Advise to everybody: If you need a key once a year store it where you have access at that time.)

Who has the keys to bypass the card reader doors?
Access control systems have two great advantages. First is that only those with a valid card can go through a door. Second, you have a record of who and when opened the door and just as importantly when a card was denied.  This second part is called an audit trail and if you ever hope to use it in a legal process it has to be as solid and complete as you can make it.

Getting a valid audit trail then involves changing the keying on every door used in the access control system if anybody who now has a card formerly had a key.  (The exception would be if it is truly a high security keying systems and you can account for every key.  In this case, high security means the locks and keys are UL 437 standard rated.)  This generates only a very simple keying system for these doors since daily operation is not using the key so many can be keyed alike.  A separate master key may exist to open the path to the power and control units.  Typically after implementation of access control, a large building would have less than 10 of any of these keys.

Are you also getting cameras on critical doors?
Many organizations move to access control since they have so many staff.  Any large staff has some level of turn-over and it is cost effective to be able to disable one card at a time without affecting any other staff member. Also, you do not need to collect the key to 'kill' it.   However, most of these staff arrive at once and so many coworkers will open a door and hold for the next person.  It is polite, but may not be appropriate for your needs and a camera can show that happening.

Also, if you ever take legal action the card opened the door.  It is often helpful to say who was the person holding the card at that point when the card was used.   A camera on key points of entry can solve many of those.  (There are high security systems which enforce carding in and out rigourously.  Key points are then monitored by armed staff.)

This can also help with contractors like perhaps the photocopy technician.  You have to set up a few visitor cards with some limited access and a paper sign out process.  If a card goes missing, it can be deactivated.  A camera will tell you when that person left and if anything was moved out at the same time.  I have seen a case where my visitor card ended up opening EVERYTHING.  In the case I am thinking, I did not need into the cash office and if I had to be there should have been under escort.  So the escort would open the door.

Does key use generate a 'force entry alarm'?
If you want a full audit trail, everybody needs to be uniquely identified when they enter a door.  Since you must have key holders for emergencies, they should have a card also and use it.  When a key is used to open the door, it should register as an unusual event in the audit logs. From the wiring point of view, this is exactly the same as somebody prying the door open so it goes into the log as a 'forced entry' in most system.  A door needs an inside motion sensor to make this work so it has a way to tell if somebody is leaving.

Are blocking plates planned for every cylindrical lock set into an electric strike?
This is a cylindrical lock since it fits into a round hole in the door.  You can see the deadlatch at the end sitting beside the main latch.

There is a systemic problem with the deadlatch of a cylindrical lock falling into the keeper of an electric strike.  The installer can fine tune the spacing and get it right.  It NEVER lasts.  Well, maybe it does sometimes but I have seen it fail too often from simple door shift.  Once this happens, two problems occur.  The first is the extra pressure on the keeper acts as load on the strike and it fails to release on request.  (In the short term, pushing or pulling the door into the frame will take the load off and let you in.)  The second happens on outswing doors.  The dead latch is now out and any little screwdriver or knife or fingernail file can walk the main latch back and open the door.  Once you see scrapes on the latch, you know it is already happening.  Most doors will take off the shelf blockers which install quickly to stop this and then you can adjust the keeper to always let the full latch fall in.

Who controls the computers?
Access control moves building security partly away from building operations and over to the IT department.  Even if the hardware people assign and track the cards and can read the audit trail, the computers this lives on gets maintained and secured by IT.  Given this, it means the server to do this job should be physically isolated like a cabinet which holds master keys. Check that it is. What it takes to secure a computer in these days is beyond me. However, my reading suggests vigilance is vital -- as it is with all security concerns.


Since access control is a bit beyond my scope, I will stop asking questions now.  If you are the client, you should not do the same.  Every question you ask, may solve some security hole you have not seen yet.

--- --- --- --- ---
The contents of this post are released for non-profit or educational use in whole or in part provided this statement and the attribution below are kept attached.

Laux Myth ... Thoughts From a Locksmith
By MartinB, Found @

No comments:

Post a Comment