Subscriber Discussion

Where Is Electronic Access Control Cost Effective?

CE
Cynthia Ezell
Sep 23, 2016

 Does anyone have a document that states when, where and what type of physical access control should be used within an organization? I have people that think card access is the be all/end all with no regard to actual use or cost. We have applications where a keypad lock or even a brass key works fine, but I need to get that message out in the form of an access control policy.

Any help is appreciated!

(1)
(1)
Avatar
Brian Rhodes
Sep 23, 2016
IPVMU Certified

This is a good question, and I am curious to see feedback as well.

Usually electronic access is justified based on the need for more resolute permissions than a key that works anytime for anyone who is holding it or a copy of it.

If that need isn't there, then a well managed system of keys and locks is hard to beat on price.

Avatar
Michael Silva
Sep 24, 2016
Silva Consultants

I have frequently been hired by clients to help them answer this very question. There is generally no hard and fast answer, but here are some of the criteria that we established for a recent client:

Determining Which Doors to Control:

In a perfect world, every door at a facility would be card-reader controlled, but in reality, this would be cost-prohibitive. It is therefore necessary to make a determination of which doors at any given facility should be equipped with card readers to allow electronic control, and which doors should continue to be controlled using a standard lock and key.

When deciding whether or not to control a door using a card reader, the following questions should be asked. If the answer to some or all of the questions is “yes”, the door is probably a good candidate to be card reader controlled.

  1. Is this door a primary entrance to the facility used by employees?
  2. Will this door be used by more than 50 people or more than 50 times per day?
  3. Will providing a card reader on this door eliminate the need to issue keys to a large number of employees?
  4. Is there a regulatory or business requirement to provide accountability of who uses this door and when?
  5. Does this door provide access to an area that contains critical infrastructure or a high concentration of valuables?
  6. Is there a need to for security officers or managers to be alerted when this door is propped open or forced open?
  7. Is there a need to routinely lock and unlock this door according to a predetermined time schedule?
(2)
(7)
Avatar
Oleksiy Zayonchkovskyy
Sep 24, 2016
IPVMU Certified

From the cost point of view and in general any security system including Access Control should be considered to install based on risks it mitigates.

Possibility of unauthorized access to company premises creates a bunch of threats to stable company business processes.

And then we address risk management with "what if" analysis and "if ...then" consequences.

Michael Silva's questions are exact questions for risk management discussion.

If there is no risk management or even one risk manager in the company then risk management should be a group of CFO, CIO or CTO plus CSO.

Risk management group (RM) should clearly understand what are they protecting, how much does it cost and what will be if they loose particular asset in terms of money and consequences for the business. Assets can be anything valuable starting from some machinery and building itself to critical business information stored somewhere inside.

The classical rule states that any system that is protecting some asset should not be more expensive than that asset. And we now talking about not just buying costs but about Total Cost of Ownership including maintenance and other expenses.

Example:

If we have telecommunication closet with most of our servers with just brass key as a security measure we have a threat and a risk of copying a key and unmanageable unauthorized access to the room that can cause in the worst scenario the business complete stop for at least a week and about $50k direct damage with most of equipment lost or stolen. Probability is not high but the impact is catastrophic. Decision: implement security solution to mitigate the risk. How much does it cost? $5k? Ok agreed and installed.

(1)
Avatar
Kevin White
Sep 26, 2016
IPVMU Certified

I agree with Michael & Oleksiy:

one other thing to add is the type of facility (school, public building, private business, retail, etc.)

Much like the ASIS security audit (which includes Risk to Cost analysis) - we start with something we call a "needs analysis" where we meet / interview to gain input from different divisions (security, IT, facilities, site contractors/vendors, risk management, receptionist, kitchen, C-group, etc.)

The goal is to understand existing procedures, processes, use, risk and loss. Also, need to consider who will take ownership of the opening and alarm response.

Just as Oleksiy stated:

The classical rule states that any system that is protecting some asset should not be more expensive than that asset. And we now talking about not just buying costs but about Total Cost of Ownership including maintenance and other expenses.

BUT there is also - Safety, reputation and security come into play. harder to put numbers on personnel safety, but ASIS has some forms that assist with creating a risk to loss calculation.

Openings are moved into categories to create standards that can be utilized for operating procedures, new offices, changes in area functions, etc.

Here is an excerpt for categorization from a standards we created with a Corporate Headquarters:

Exterior Man Door Openings:

  1. Controlled and/or Employee entry / exit - Full access control (reader, REX, door position switch, lock)
  2. Emergency Exit only - door position switch and local sounder
  3. Roof Access doors – door position switch, sounder,
  4. Exit only door - door position switch, reader, local sounder. sounder wired into system so no local alarm with valid card read.

FYI - this is to allow personnel to exist certain doors, but to funnel them back to an entry/exit door for re-entry into the building.

  1. Public or main Entry / Exit Vestibule – Exterior Vestibule door - door position switch, lock. Controlled or time schedule opening. Interior Vestibule door - Reader / lock - Add door release to receptionist desk.

The same analysis is completed for interior doors. Some will have access, some monitoring, some keypad locksets, some with keys.

(1)
CE
Cynthia Ezell
Sep 30, 2016

Good information! Thanks, everyone!

New discussion

Ask questions and get answers to your physical security questions from IPVM team members and fellow subscribers.

Newest discussions