Access control is a critical component of the safety and security of any institutional or commercial building, which makes proper implementation of an access control system crucial, since virtually everyone in the organization will interact with its components. Facility managers first must identify the root problems an organization hopes a physical access control system will solve before determining the types of systems implemented, whether installing a new system or upgrading existing apparatus.
If an incident or incidents have occurred that exceed their internal risk threshold — such as trespassing and loitering by unauthorized visitors, a regulatory agency requiring an audit of trail of all personnel entering a space, or the frustration of mechanical rekeying when failing to retrieve a master key from a separated employee — then an organization can evaluate systems that are most likely to mitigate those risks.
Once facility managers have identified the problems, the access control system should only be a part of the solution. Access control is the heart of the electronic security system, but the culture and the behaviors of an organization are crucial to the successful implementation, use and maintenance of any electronic physical security system. Employees who continuously leave doors propped open can defeat the most technologically advanced system.
Determining where to deploy access control is the second consideration when deciding on the type of access control to be implemented. Will the system be used to protect all the organization’s facilities? If so, how will the system interact with each facility? Or will it be installed at facilities that are only staffed full time?
Once managers have determined the number of physical facilities for deployment, the next step is to consider the secured perimeter for each facility. Is the secured perimeter at the main entrance doors or the entrance to the parking lot?
Managers can determine the answers by evaluating the risks at each site and prioritizing the risks that the access control system can mitigate in conjunction with additional security systems, policies and procedures.
The next consideration is the first impression for the employees and visitors, their experiences at each site in an organization’s portfolio and the way that experience aligns with the company culture. The complete journey from arrival to departure should reflect the core values of an organization and align with its safety and security principles.
The final piece of the puzzle is evaluating the access control system to determine the way it will be managed and maintained. With the convergence of physical security with IT, more cloud service options are available to organizations rather than just traditional on-premises deployment where the access control head-end equipment and software are installed and managed on site.
The software as a service (SaaS) model, commonly seen in the IT space, can be an ideal solution for organizations with limited security staff to respond to alarms, organizations with several sites but limited access control needs and global entities with numerous facilities that require all systems to be installed with the latest features, including critical security patches, where cloud platforms can push those updates efficiently without taxing the internal network infrastructure.
Traditional on-premises solutions are an attractive option when considering the SaaS model requires reoccurring subscription fees in perpetuity. An organization buys and wholly owns an on-premises system, while the annual subscription fee for a cloud-based off-premises system might exceed the capital expense within three to five years of buying the subscription service. Organizations that prefer to make larger capital expenditures and reserve operating expenditures for service and maintenance only often prefer on-premises systems.
Managers must understand the organizational workflow desired for the system and the policies and procedures built into that workflow. While a subscription service can be desirable due to its hands-off attributes, a lack of security and safety personnel or unwillingness to hire more staff can result in an unsuccessful outcome, thus not solving the initial reason the organization made the initial investment.
Enterprise on-premises deployments also require a network infrastructure to connect each building in the enterprise, along with the access control servers and databases the IT staff must maintain.
One common reason an organization upgrades its access control systems is because the existing system does not meet its changing operational needs. For example, the system and its integration with other security systems can no longer be maintained due to a lack of trained personnel and IT staff.
Another common reason to upgrade is that the existing access control system cannot support an organization’s growth as more facilities are acquired or because a significant building expansion is planned.
As an organization’s needs change, so will the system’s additional features and integrations, such as video surveillance and intrusion detection. The system also will require maintenance personnel with greater expertise and knowledge.
For any system, there will be ongoing maintenance costs. Managers need to consider the total life cycle cost of the system from the initial expenditure, including ongoing preventive maintenance costs.
A subset of an access control system’s operational workflow is the way employees and visitors interact with it and the credential technology desired to access controlled spaces. Will the credentials be proximity cards that can also be used as IDs? Or key fobs using proximity technology because the primary concern is replacing mechanical keys? Or frictionless card readers, such as mobile phone credentials because employees continuously lose or forget their cards and fobs? Or biometric technology for dual authentication?
Managers need to determine the most effective way to create, maintain and reconcile those credentials for employees, contractors and visitors. They should also consider the system’s interface with the human resource software platform to optimize efficiency for new and separated credential holders. Newer credential technologies, such as biometrics and mobile wallets, are desirable because they avoid having to issue physical credentials by using a device or feature the credential holder already has.
But implementing mobile credentials requires the use of a personal device for a company policy for which the user is not reimbursed. Regarding biometrics, employees might be uncomfortable or have privacy concerns related to storing their facial geometry or fingerprint for use on a company-managed system. So managers must continuously manage and protect the personal data of employees and visitors.
For any new access control system deployment or upgrade, managers can avoid common mistakes by engaging in-house stakeholders at the beginning of the selection process to ensure the system meets the company’s safety and security principles and adheres to the organization’s operational capabilities. For an effective system, the problems to be solved by its implementation need to be clearly defined and achievable using security systems, as well as policies and procedures.
Laura Freeny is a security technical manager at Henderson Engineers, a national building systems design firm.
