How do you ensure you get the right security access control system for your needs.
For those with some responsibility for procuring, specifying, installing, managing or just using a physical access control system – what is currently considered good practice?
The complexity and sophistication of an access control system will depend on the type of building or space being protected. This will have its own specific, identified risks. These must be balanced against the requirement (or not) for welcoming easy access for those authorised.
A thorough and professional approach is needed to ensure the right system is put in place. Consider these areas:
- The importance of starting with an effective risk and threat assessment
- Understanding the business aims
- Integrating with other security measures and systems
- Getting the operational requirement specification right
- Choosing a provider / installer
A fundamental security function is to control who enters a building, such as an office or a datacentre, or a space, like a car park or school grounds. There may be traditional physical measures in place, like fences and gates, doors and locks. Often these will be enhanced with a physical access control system – this provides further physical and electronic measures, together with security staff to control access. Sometimes forgotten, is that as well as preventing unauthorised access, a key aim of these measures is to enable smooth authorised access.
When making sure your building or space gets the right access control system to meet its needs – both its security and its business or function – it is essential that effective risk and threat assessments are conducted. These determine the level of security the system needs to provide. In today’s world, for some organisations there are increased risks from potential attacks, perhaps terrorist or geopolitical-related threats. Additionally, there may be an increased requirement on compliance with regulations such as data protection and an auditable access control system may be essential.
Understanding the business aims
It is important to have a clear understanding of the needs of those working in or occupying the building or space. The access control system must be fit for purpose for users and their buy-in is essential once the system is operational, otherwise the system will fail. An understanding of how and when the building or space is operational is essential. What business is located here? How is this carried out? Who can have access and at what times and in what places? What other business imperatives do you need to think about? Does the location need to be welcoming, modern, sophisticated, quick and easy for visitors? Or is this a secure location that will have few visitors and needs to maintain a low profile and a high level of security?
Senior security consultant Danny Moody says: “For me, one of the most important aspects when assisting a client with an Access Control System (ACS) replacement or upgrade is fully understanding their requirement and ensuring that the system specification considers the context. For example, the specification for a local library system will differ from that of an iconic entertainment venue. The capability, scale and security requirements of the systems are going to vary and it’s important this is captured. Each organisation faces differing security threats and requires different operational capabilities from their systems.”
The important elements in an access control operational requirement specification
Using your risk and threat assessment and an understanding of the business requirements for controlling access, you will be able to decide whether you need a physical access control system. If the answer is yes, then an operational requirement document can be written using the results of this research.
The related NPSA guidance suggests this includes:
- A clear definition of the area being controlled – including a site plan and drawings of the layout of each building, showing all proposed points of entry and exit.
- An explanation of the different types of user who will access the site – for example, staff, contractor, visitors – with information on numbers for different times and days, including the peak numbers.
- How you want control restrictions to be applied – sometimes sites and buildings are divided into zones with varying restrictions on each.
The guidance also suggests that your specification lists any design constraints to be adhered to, such as:
- Aspects of the site, such as Listed Building status with the need for Heritage Planning or local authority approvals.
- Aesthetics of the building or area to be protected.
- Locations with higher security requirements, for example, IT server rooms or other areas with high value assets.
- What plans are on the horizon? For example: How long will this system be in place for?
What’s the lease on this building?
Integrating with other security measures
The specification also needs to take into account other security measures that an access control system integrates with. The overall access control system could be considered to include outdoor perimeter security – such as fences, signs, CCTV, patrolling security teams, lights, motion sensitive systems – and indoor security measures – such as turnstiles, doors and locking systems.
Some electronic access control systems will provide the means to integrate with some of these measures. For example, an intruder spotted on a CCTV system may trigger the automatic locking of a number of internal doors; a gate left open may trigger an alarm that is displayed on the access control system control panel.
Integrating an access control system with other electronic security systems can bring advantages. Danny Moody shares some examples: “Integrating with a Video Management System (VMS) can enable video verification upon alarm (VVUA) which provides additional functionality to security control room operators. VVUA will play back a set amount of CCTV footage (for instance, five seconds prior to alarm activation) from a camera covering the door generating the alarm (door forced, held open etc.) allowing the controller to accurately assess the situation prior to sending a security officer to investigate. VVUA can also be used in conjunction with panic or intruder alarms if they are integrated into the access control system.”
Another type of Integration is known as Active Directory Integration where the ACS cardholder database is populated with employees as they join the organisation. When a staff member subsequently leaves, they are prevented from logging onto the IT systems and simultaneously blocked in the ACS. Even if they retain their ACS credential/card, they cannot use it to gain entry to the building.
Security access control systems can be fully integrated with other systems across a site like lighting and elevators. These locations, sometimes known as Smart Buildings, can allow for easier management of buildings and the ability to take advantage of the information gathered. For example, an understanding of occupancy levels and daily movements helps building managers make efficiency savings in power usage.
Choosing a provider
Choosing a provider can be challenging. You need a one that understands your organisation and its security concerns.
Consider these questions for the system proposed:
- How easy is this system to install?
- How well will it integrate with our security measures?
- Can existing cabling be used?
- What departments or personnel will need to be involved?
- Once installed, how easy is it to use?
- Can the system be easily upgraded as requirements evolve?
Consider these questions about the provider:
- Do they hold any external verifications? For example:
– NSI Gold certified company – NSI certification for security and fire protection companies.
– Cyber Essentials certified company: About Cyber Essentials.
– ISO 14001 (Environmental Management) certified company.
– ISO 9001 (Quality Management System) certified company.
– ISO 45001 (Health and Safety) certified company.
– Constructionline Gold member.
- What is the after sales support provided?
- Can they provide case studies for similar projects?
Getting the right security access control system requires careful consideration, with a clear understanding of risk, the business and other systems in place. The time and effort spent in the planning stages can ensure your success.
Editor City Security magazine