Expert Tips on High-Security Access Control
â€œHigh security is in the mind of the beholder â€“ that being the end user and me,â€ says Neal Marcus of Securus, Denver, Colo. â€œWhat we in Denver consider to be a relatively high security system, the guys back East may say, â€˜Youâ€™re kidding.â€™ With the end user itâ€™s the same thing.â€
SDM interviewed three companies involved in the access control business and they shared their opinions. Hereâ€™s what Alan Kruglak, senior vice president, Genesis Security Systems LLC, Germantown, Md.; Joe Ingegno, senior vice president of World Wide Security/GC Alarm, Garden City, N.Y.; and Neal Marcus, vice president of sales and marketing, Securus, Denver, Colo., told us.
SDM: When a potential client initially states that their needs are â€œhigh-security,â€ does that have special significance to your company? What elements constitute a â€œhigh-securityâ€ access control system?
KRUGLAK: As a rule, from an integratorâ€™s perspective, the level of security can be broken down into two basic categories: standard and high security. Standard security is when only a credential, such as an ID badge or an access control card, is used to allow access into an area, facility or building. The other category is high-security, when a credential in conjunction with another action is required to access an area. The other action could be defined as the use of a PIN, a biometric device, the institution of two-man rule, or any other specific action.
Higher security applications also may imply the use of a physical barrier, which physically controls the number of personnel allowed to access a specific point. This is could be a man-trap, a revolving door, an optical turnstile with a barrier, etc.
INGEGNO: High security in card access means that corporate executives can go from location to location with one access card and any employee that goes within the building or to another location can be tracked. We prefer to use access cards with the picture ID on it so you can heighten security not only internally but externally.
With high security card access systems, one of the most important things is that the end user is properly trained and knows how to update their database so they can take out on a momentâ€™s notice a card of an employee that has been terminated.
It also means the installing company is certified in the product being installed, and you do background checks on your employees because you donâ€™t want to breach the security line.
The bottom line is, a high-security system is only as good as the people operating it, because if theyâ€™re not in high security mode, it will not stay at that level. If a company does not want any of their people to be involved with their security, we will do the full administration of all the cards and maintain supervision of the card access system.
MARCUS: My definition would be the use of integrated CCTV and access control. Other things may be integrated into it as well, but those are two basic building blocks of a high-security system. Restriction of visitor movement, thatâ€™s what I would call a high-security environment. Tracking them throughout the building, when they came, when they left, who they visited, and identifying them with an electronic visitor badge.
SDM: Based on your clientâ€™s statement about needing a high-security access control system, what are some of the areas of questioning you would pose to your potential client?
KRUGLAK: To determine what the client means by â€œhigh security,â€ you would have to begin by asking, â€œWhy do you need high-security access control for this specific application or building?â€ In most cases, the client is implementing high security to comply with government regulations. For instance, Dept. of Defense contractors usually have to comply with UL2050 requirements or meet the security needs of their clients. Drug companies often have to comply with the Drug Enforcement Agencyâ€™s requirements for access to controlled substances. In most cases, the government regulations will dictate the types of security systems that can be used for these requirements.
INGEGNO: The first thing you need to know is what the future expansion of the company is projected to be. Itâ€™s important to design a system that is fully expandable, not only in card readers, but in the amount of cards that the system can handle. Also make sure that youâ€™re able to integrate it with other types of readers, for example, palm readers and retina readers, for the highest level of security.
Itâ€™s also very important to discuss using CCTV to back up vital areas that can be integrated on the same platform as the card access. If somebody is opening a facility in Washington D.C. and from New Jersey they see a particular person is in there, by jumping on the network and looking at the video, they can see if it was somebody who was supposed to go in or somebody who picked up a lost or stolen card. The most cost-effective way of backing up a high-security access system is by using a CCTV system with a quality digital recorder.
They work hand in hand. The card access system is a great way of locking down the building and you donâ€™t have to worry about unlocking the building. If an employee works odd hours, it will give full security, and the video is a backup.
MARCUS: We would ask the prospect, â€œDo you foresee using CCTV and electronic access control?â€ Do they wish to track and restrict visitor movement? Access control to me is employee movement. So when youâ€™re using CCTV and access control you are tracking and restricting employee movement. Integrated CCTV and access is ensuring that the person whose card is being used is actually being used by that person.
SDM: Once youâ€™ve determined the level of security your client needs, what are the major considerations you would apply to the design of the system?
KRUGLAK: The considerations would be determined by asking the following questions:
â€œWhat is your existing access control system?â€ This will determine if the proposed solutions can easily integrate with the existing system platform. Integration is critical for this type of requirement. For instance, if the clients needs to implement â€œtwo-manâ€ rule software for a specific area, and their current access control system doesnâ€™t offer that option, then you have to look for another solution.
â€œHow many people will access the restricted area?â€ Again, this will help in the selection of technology, solutions, and/or types of barriers (if required).
â€œAre there any fire code issues that need to be addressed?â€ For high-security applications, you almost always need to provide physical barriers to control personnel. However, they must not violate the fire code requirements or block access to a stairwell, or else the fire marshal will shut you down.
â€œIs the technical solution a standard off-the-shelf product from an established company, or is it a custom solution?â€ As a rule, it is always better to go with an off-the-shelf product due to obvious reasons. An often overlooked and ignored issue is the longevity of the original product manufacturer of the product. While new products look and sound great, if the company goes out of business next year, the solution really becomes an albatross around the integratorâ€™s neck. Any access control product used in a system should have an expected product life cycle of five to seven years.
SDM: Which particular technologies are better suited for use in a high-security access control system?
KRUGLAK: For high-security applications, the trend is no doubt toward biometrics. While smart cards are becoming more widespread (at a very competitive price), the need for smart cards with a stored biometric template is only materializing when there are large personnel populations accessing high-security areas. For smaller cardholder populations (under 1,000), many of the different biometric technologies available today store templates locally in the actual device, eliminating the need for a smart card.
Ultimately, the highest security measure is a biometric device. While the use of other card credentials or PINs can help, only a biometric can verify that you are who you claim to be.
It is important to note that for some high-security areas, biometrics alone is not sufficient. To access an area, you may need two people. This is accomplished via a software module in most access control systems called the â€œtwo-manâ€ rule. This software feature insures that there are always two persons inside a restricted area at all times.
INGEGNO: When using a biometric reader, each employee must go to have their hand or eye scanned to be learned into the system. A card can be learned remotely and sent out to the employee. But in a very high secure area, it is critical to have the person go on site and have the biometric learned on site; depending on the facility, sometimes thatâ€™s hard to do.
SDM: Please share one or two examples of unique aspects of high-security access control systems that your company has designed. How do these systems help your client maintain a high-security environment?
KRUGLAK: One of the older projects we implemented involved â€œsmartâ€ booths using biometrics and proximity card readers for a government agency. To access the secured area, the person requesting entry had to present their card to access a man-trap. Once they successfully entered the first door of the man-trap portal, the system weighed the person inside to insure that only one person was entering the facility at a time. To access the second door (and the facility), the cardholder has to present their eye to a retinal-type biometric device. If the person were the â€œcorrectâ€ person, then the second door would unlock. If the stored biometric template didnâ€™t match, both doors would lock down, and a guard would be summoned.
The second type of high-security access control application is one of the more common ones we see today. One of our clients has contracts with both government agencies and commercial entities. To meet the specific needs of a specific government agency, they use biometric fingerprint readers to allow access to SCIFs. This program is integrated into their central access control system over an intranet. Since personnel traffic is very low for these applications, there is no other physical barrier with the exception of a standard door.
INGEGNO: We have used wide-range card readers that can pick up approximately 10 to 12 feet of range, and weâ€™ve put them throughout hallways in an office building so that employees can be monitored for where they are in the building at any time of the day. For example, if one employee is only supposed to be working on the first floor of the building and they go to the second floor, when they walk down the hall, these wide-range readers will read their card and they will have a record that they were on that floor.
SDM: What pitfalls can you help your colleagues avoid by sharing your experiences in the design and installation of high-security access controls?
INGEGNO: The biggest pitfall in doing high security is not charging the proper amount of money. If youâ€™re in a bid situation and you strictly go on price, there is a good possibility that you will not be able to complete the job properly and you will lose a lot of money. We in the security business are in this to make an honest living. You properly survey the job, find out all your costs, take a second look at it, and make sure that you have the proper resources to do the job efficiently. If youâ€™re unable to do it, either partner with somebody that can or take a pass on doing the job.
MARCUS: A high-security access control system will probably go to bid. So you have the typical pitfalls that go to bid project. Your competition may leave out items when they can, and then change order the customer later. You may be dealing with many other contractors or subs on your project. The pitfalls are that you donâ€™t put in enough money for project management and the time it takes to go to meetings and project management meetings.
Too much information can be a bad thing. There are many customers that find new high-tech products on the internet that are untested or untested in an integrated environment. Sometimes the end user sees all this really cool stuff on the internet and it looks good on paper but doesnâ€™t work.
KRUGLAK: The most important thing to remember about high-security applications is not to over promise, and to be careful about using new products that do not have an established track record. As most integrators know for their own firsthand experience, manufacturers only tell you 85 percent of what you need to know in order to implement the system. It is the other 15 percent you learn in the field.
Second, be careful about selecting products from start-up manufacturers. If you buy a product today and the manufacturer goes out of business the following year, and you canâ€™t get support, the client will only blame one person â€“ you.
SidebarWhen the U.S. Department of Homeland Security (DHS) raises its Terror Alert Advisory, what exactly are businesses and government agencies to do?
10 Steps to Take When Terror Alert Rises
The Treadstone Group, a consultation and investigation firm in Denver, N.C., suggests 10 measures to consider in response to a high threat (orange) condition. Systems integrators may determine that sharing these responses with their clients may be in their best interests.
Here are 10 steps from Treadstoneâ€™s president Ross Bulla, CPP, aimed at business and government facilities.
1. Access Controls â€“ Reduce the number of facility entrances, both vehicular and pedestrian, to the absolute minimum that can be positively controlled by security personnel and physical and electronic security systems.
2. Better Screening â€“ Conduct security screening of vehicles and visitors as remotely as possible. At a minimum, visually inspect storage and passenger compartments, and limit adjacent parking to those persons having a corporate ID. Screen visitors by requiring a valid, government-issued ID, having them register as they arrive and depart, wear a visitor pass, and be escorted by their employee host. Hand-carried items and bulky clothing should be removed and inspected.
3. Physical Barriers â€“ Enforce a standoff zone of 100 to 300 feet, using bollards, barriers and barricades. Temporarily blocking potential access points with heavy equipment and large vehicles is an alternative, though they should be parked parallel to the route to resist ramming. Even minimal standoff zones will reduce the impact of an explosive device. This can sometimes be accomplished by prohibiting parking in the most adjacent spaces (curbside, front rows, street, etc.).
4. Control Visitors â€“ Schedule all deliveries in advance, providing the vendor and their drivers with a unique code word or password, which should be printed on their manifests for comparison by the customersâ€™ security or receiving personnel. Refuse all non-scheduled deliveries.
5. Have Disaster Plans â€“ Review current emergency policies and procedures and business continuity and recovery plans to ensure that they remain effective and well rehearsed. Update lists of persons requiring evacuation assistance and their work locations.
6. Practice Evacuations â€“ To expedite mass evacuations, building owners and managers should practice evacuations in darkness, using only emergency power. This will allow people to identify obstacles and choke points that impede or slow escape. Improvements that help facilitate an evacuation include additional battery-powered emergency lights; glow-in-the-dark instructional and directional signage; high visibility, light colored paint on walls;
glow-in-the-dark paint on handrails and a continuous stripe down
the middle of staircases; and the installation of a public address
system in the stairwells. Consideration should be given to the exit location of stairwells. Stairs should avoid ending in the lobby; rather, they should exit to the street or other protected structure.
7. Chart Evac Routes â€“ Identify primary and secondary evacuation routes and muster points, in the event that one or more routes become damaged, blocked or destroyed. Try to evacuate in a direction opposite of the threat, whether at your facility or another location along the evacuation route.
8. Keep Eyes Open â€“ Nearly all terrorist attacks are preceded by surveillance and dry-runs at the target, often over several weeks or months. Training security and law enforcement personnel in counter-surveillance techniques is an important part of the security envelope. Attention should be paid to persons that seemingly have an unusual interest in the facility, particularly those persons who may videotape or photograph the site.
9. Cooperate with Officials â€“ Meet with local, state and federal law enforcement agency administrators, fire and emergency medical authorities, emergency management, and other responding agencies. Pre-plan and coordinate the most effective and expeditious response to your facilities.
10. Get Outside Opinions â€“ An independent security assessment and survey should be conducted at all government and private facilities. To avoid the perception of bias, government employees (law enforcement or risk managers) or contract security vendors (guard services and systems installers) should not undertake the official analysis. Outside experts unaffiliated with security vendors should be retained to provide an objective evaluation of security policies, procedures, and practices; in turn, making recommendations to enhance the security posture. The expertise, continuing education requirements, and demonstrated competency in the areas of security solutions and best-business practices through an intensive qualification and testing program make hiring a Certified Protection Professional (CPP) obligatory.
Although a terror attack is virtually impossible to prevent, basic security practices, combined with target hardening, can significantly reduce damage, injuries, and fatalities. According to Ross Bulla at Treadstone, pre-planning emergency response and responder safety is critical to the successful management of a terrorist incident, no matter the type. Life safety is the first priority, followed by the protection of property and the preservation of evidence. These actions may not prevent a terrorist attack, but the most certainly will help to mitigate disastrous results.