Subscriber Discussion

Do You Set Up Your Access Control Systems To Arm And Disarm The Intrusion System Too?

UI
Undisclosed Integrator #1
May 31, 2015

We have found this to be a convenient way to control the alarm and it eliminates the need for managing codes etc.

Are there any downsides that we may be missing from a security standpoint?

What do IPVM members usually do, or what do you recommend?

Avatar
Brian Rhodes
May 31, 2015
IPVMU Certified

I'd venture to say that this is a fairly uncommon integration, although I do think it makes sense. Lots of access platforms offer it, I'm just not sure many do it. Maybe it doesn't 'improve security', but absolutely can make use of both systems easier.

Out of curiousity, do access control alarms (ie: forced door) notify a central station when the intrusion system is armed?

(1)
Avatar
Mark McRae
May 31, 2015
Inaxsys Security Systems

Brian,

i believe that it is far more common than you think and i would guess that it is the single most-used and most common systems integration (and FAR more common than access/video integration). It's just not that common yet (although its growing) in the US where systems integration lags far behind other parts of the world.

(4)
UI
Undisclosed Integrator #2
May 31, 2015
Disarming is a lot more common than arming. It reduces false alarms when a person is issued a credential but has no training and possibly no code for the alarm. To do arming the system should know you are the "last man out" to prevent arming with others inside. Many burg panels now incorporate access control features or dual enrolled credentials to help with this. Sometimes when you try to make it easier it creates different problems. It's important to consider the scenarios of repair workers, janitorial staff and even executives who almost never enter or exit at odd hours.
(2)
UI
Undisclosed Integrator #1
May 31, 2015

Brian - The way we currently have it set up, there are only certain readers that can disarm the alarm system so all other readers are disabled while the alarm is armed. A door forced alarm would not cause the alarm to trigger but the door sensor on that door would, if the alarm was armed.

B - Last man out wouldn't be possible with most of our clients, if they arm it and trip it that is on them :-> What we prefer to do is set up a separate reader right by the alarm keypad that is used for arming purposes only.

(4)
Avatar
Mark McRae
May 31, 2015
Inaxsys Security Systems

Hi A,

Be sure that your "integration" is a tight one. Stay away of "interfacing" systems where you'll take a relay output of the access system wired into the keyswitch input of the alarm: this is simply interfacing and not integration. You need to ensure that the action of presenting your card to an arming/disarming reader is seen by the alarm portion as "user 101 armed Area 1 using reader XYZ at Door 1". In addition, the monitoring station should receive the contact ID or SIA event "area 1 armed by User 101". Otherwise, you will be running access control reports to validate who armed and disarmed the alarm from your monitoring station report.

another thing to stay away from: integrations where the access control software needs to be running (even as a service in the background) to make the link between the alarm and the access control. Imagine if your whole alarm and access control integration can be killed simply by an IT tech unplugging your link at the switch or by doing maintenance on the access control server. The best alarm and access integrations are hardware-based and do not rely on any software to make decisions.

Reader arming and disarming is an excellent way to avoid false alarms:

1. User does not need to remember codes

2. Entry and exit delays can be eliminated completely (user is outside when arming and disarming)

3. User can never forget to disarm since the action to open the door (card badging) is the same action to disarm the alarm.

4. More advanced systems will even block access to cards based on their alarm rights on the Area that is inside the door and will dynamically vary their access permissions based on the Area status inside the door.

5. More advanced systems will base the unlocking of a door not on simple schedules but also on the arming or disarming status of the Area inside or outside of the door.

In more adavaced systems, the card and the pin of a User is all part of a User's access rights and you would not have to go into 2 different interfaces (alarm and access) to program a User.

Something you should be wary of- there is a risk of having the arming/disarming using a card: your "key" to get in the door is also your "code" to disarm the alarm. To prevent this, make sure that the reader used for arming/disarming is a card/pin combo reader. Advanced integrated systems will allow for valiable door types that require "card + pin" when the Area inside the door is armed and "card only" when the Area is disarmed.

(3)
(1)
UI
Undisclosed Integrator #1
May 31, 2015

Excellent information. Can you elaborate on why it is bad to perform the relay output interface where a direct integration is not available?

U
Undisclosed #3
May 31, 2015
IPVMU Certified

Because you won't be capturing the credential of the user in the alarm system anymore, only in the access control system.

Central Station therefore will not be aware of who disarmed the system, and if you yourself would like to know, you will need to reconcile both systems by timestamp.

(1)
Avatar
Mark McRae
May 31, 2015
Inaxsys Security Systems

Perfectly well said, C.

And you can see where the alarm system would have a timestamp for Billy the Theif disarming via keyswitch input of 7:03am; the monitoring station (because a dialer/GSM communicating to the station takes at least 1 minute to get the information to the station) would have 7:04 or 7:05 as the diarming time; and the access control system can have anything as a time (and DEFINITELY won't have the exact same time as the panel or the station!). Try proving without a doubt that Billy is the one who disarmed.

In addition, it is not secure! All you need is to short out the keyswitch input and you get a reversal of the state of the alarm Area.

You cannot call this integration, it is simply interfacing 2 systems that don't speak to each other. To me, integration requires a form of communication between the systems, an exchange of information. Even better for alarm and access is Unification: where the alarm and the access control is managed by the same hardware and is not software dependant.

(2)
(1)
UI
Undisclosed Integrator #1
Jun 01, 2015

Regarding 'interfacing' vs 'integration', I'm not really sure I agree with those reasons, here is why:

1. I don't really think it is important to retrieve the information directly from the alarm panel. The EAC system we use is 20x easier to get this information from.

2. I can't think of an instance where I would goto my CS for this information versus just looking it up in the EAC.

3. My EAC system can not have 'anything' as a time, it is going to have what every other piece of security equipment on our network has via the time server.

4. I can prove who it was by looking at the cameras, which I trust more than matching time stamps.

5. 'It is not secure' - You are correct...but - if the culprit has access to short out the wire between the EAC panel and the alarm panel, wouldn't there be many other ways to disable the system at that point? I mean if they got that far, I've already failed as a security integrator :->

6. I would love nothing more than 'Unification' but in the world I live in (mostly best of breed mind you), different manufacturers can barely keep their products unified, let alone those of other manufacturers.

(4)
Avatar
Mark McRae
Jun 01, 2015
Inaxsys Security Systems

A,

To reply directly to your points:

  1. You are comparing to your current scenario where the 2 systems are separate and different. For sure, a traditional alarm system is not known for its ability to make reports and under that scenario, you are absolutely correct that the EAC system is better for running "who went where and did what" reports. That's not what I'm talking about, though. I am talking about Enterprise-class unified EAC/Alarm systems where there is NO separation between the 2. The alarm system is the EAC and vice-versa. They are not 2 separate systems: full, UL-approved burglar alarm and fire monitoring along with management of hundreds of alarm areas and advanced door/user/area functionality is simply another feature in the EAC system. So when you run a full report on an alarm, you get the events of what input was activated along with what alarm area was armed/disarmed and what user armed the system and what user(s) went through what doors in that same time period. Do you not see the advantages of this?
  2. I'm not suggesting that you would get this information from the CS. I'm suggesting that your CS should get the CORRECT information. At the moment, your CS is getting "unattended arming" or "remote arming" or some other incomplete/wrong information. Why would you or your customers be satisfied with providing incomplete information? Would it not be better if the CS received the correct information "Area 1 armed by User 101"?
  3. Your EAC can and will have a different time-stamp from the CS. They are not synchronised. In addition, there is more than a minute disparity between the moment when your User presents his card at an arming reader and the CS receives the event.
  4. You're correct, you can look at the cameras - if you have a camera looking at every single Area arming station. My experience is that cameras (because of the cost) are typically not pointed at the alarm keypad/reader but more often pointed outwards.
  5. You're correct if you use an arming and a disarming reader dedicated to this function since the dry contact is being given by the EAC panel. But what if you install using the much more common scenario: an arming button/switch is next to the front door's reader. To arm, a User will present his card and push the button to reverse the state of the alarm Area. In this case, the system can be compromised without even entering the office (by shorting out the pair of wires behind the button). OR: what if your customer has multiple areas that he wants to arm/disdarm via reader-- I would guess that the relay and keyswitch input will not alaways be behind each area's protected doors (I would guess that they would all be in a common electrical room somewhere).
  6. I absolutely agree that multiple manufacturers can have difficulty keeping up with each other. I'm suggesting that you open up to the the best-in-class unified EAC/alarm systems. This would mean a single manufacturer making it all: EAC, Alarm, door modules, software, everything. There are MANY of them on the market and the best of them are enterprise-class in everything that they do. I can give you a list if you feel like looking into them.

Unified security systems exist in the category of system you're used to installing (best-of-class) and they do MUCH more than simple interfacing. The benefits of unified alarm/access control are huge and you would fall off your chair to see how inexpensive it can be to provide a single unified alarm/access solution versus 2 separate EAC/Alarm solutions. A better solution with more features at a more competitive price = more sales and happier customers.

(1)
UI
Undisclosed Integrator #1
Jun 02, 2015

Hi Mark,

I agree with your points in #1 and #6 but I have no experience with these systems, that I know of at least. Care to give your top 3?

Avatar
Mark McRae
Jun 02, 2015
Inaxsys Security Systems

Hi A,

My company has been distributing one of these systems (ICT) for the last 11 years (accross Canada, Europe and the US (for the last couple of years)) so I'm partial and I will include ICT in the list... That being said, there are quite a few other excellent enterprise-class Unified systems and also (surprisingly!) quite a few entry-to-medium size (I define what I mean by that below) unified systems. I'll give you 3 that I like and respect in each class:

Entry/medium level (Per panel: typically less than 100 doors of access control; typically a few hundred inputs of alarm; typically 1000+ Users/cards/codes; typically 8+ alarm Areas/partitions; typically very little integration (other than the alarm and access control); typically quite advanced alarm and EAC integration where one sub-system has a direct impact on the other sub-system (they are intricately linked); typically they have nice software to manage all of this (sometimes web-based, sometimes hard-client based); typically these are quite inexpensive when seen only as EAC and dirt cheap when taken as integrated EAC/alarm systems:

1. ICT Protege WX - http://www.ict.co/

2. Verex (a division of Interlogix) - http://www.interlogix.com/intrusion/brand/verex/

3. DMP - https://dmp.com/

(other in this class worth a look: Paradox http://www.paradox.com/).

There are many other in this class also (DSC, Ademco, etc... ) but their capabilities in alarm management and EAC integration are more limited (as if they took an alarm panel and grafted a few doors of EAC to it). The 3 above have advanced alarm/access integration.

High-end (enterprise-class): everything virtually limitless in doors, Users, inputs, outputs, elevators, cameras, floor plans, etc... with multiple and varied integrations like CCTV integration, Mustering, Photo-ID, visitor management, guard tours, wireless locks, time-and-attendance, LDAP, web-based clients, huge reporting capabilities, multi-site, multi-tenant, condominium suite integration, peer-to-peer controller integration and management, building automation integration (MODBus, BACNet, others), analog data acquisition, and more.

1. ICT Protege GX http://www.ict.co/

2. Gallagher https://security.gallagher.com/

3. Inner Range http://www.innerrange.com/

There are many, many others also. I've only put a few because of their reputations and how well they are known in the Unified systems marketplace but many more could have been on this list.

One thing you will notice: most of these companies are not American and none of them are made by the mega-monster-brands Tyco/Honeywell/Bosch/etc... They are smaller-to-medium sized companies (most of them private companies) that care about security and innovation.

(1)
(2)
Avatar
John Bazyk
Jun 02, 2015
Command Corporation • IPVMU Certified

Mark love your last line, "They are smaller-to-medium sized companies (most of them private companies) that care about security and innovation." This is exactly why we started looking at ICT and currently use DMP. They seem to actually care about us, our customers and the equipment they manufacture.

Avatar
Mark McRae
Jun 02, 2015
Inaxsys Security Systems

John, you're right. All the innovation in integratd systems is coming out of smaller companies. The smaller companies can react faster to market demands and changing technologies. Try to get one of the mega-brands to add a new wiegand card format or a new alarm/access integration feature and maybe they will look at it in a few years (if ever...). In the smaller companies, you can actually speak to the product engineers and deciders (and with ICT you would probably be able to call the CEO and he would pick up the phone!) and influence the course of the product. I can name hundreds of features in the ICT product line that were directly influenced by customer requests in the last 2 years alone.

(1)
Avatar
John Bazyk
Jun 02, 2015
Command Corporation • IPVMU Certified
I know this is a little off topic. Mark, I am right with you. Not 6 months ago I was at an Executive Roundtable with DMP and we requested to have the door count increased, at ISC West they announced they were going to be increasing system capacity to 96 access control doors.
Avatar
Jay Swearingen
Jul 24, 2015
IPVMU Certified

Mark,

Which distributors carry ICT in the U.S.?

Thanks,

Jay

Avatar
Mark McRae
Jul 24, 2015
Inaxsys Security Systems

Hi Jay,

Tri-ed and SES carry ICT's WX unified system accross the US although their system knowledge will vary depending on the branch. All the branches have acess to the line, though- you just have to ask your branch rep/manager for pricing. Any sales requests/information can be answered by e-mailing sales@inaxsys.com and someone will get back to you, generally within a few hours at most. If you let me know where you're located, I can refer you to the best sales channel.

Avatar
Jay Swearingen
Jul 24, 2015
IPVMU Certified

Mark, thanks for the information. Let's go "offline" via email. I can be reached at jswearingen@vijilant.com.

Avatar
John Bazyk
Jun 02, 2015
Command Corporation • IPVMU Certified
Yes, we use DMP for our access/intrusion systems. We often receive requests to prevent employees from gaining access to the building before managers arrive, one way we do this is to restrict access to the building while the system is armed for employees and grant disarming privileges to managers only. I know this can be accomplished by using rules in most EAC systems but this is how we like to do it.
We have also found it is much easier for employees to use just one system. Swipe the card at the reader, disarm the alarm. If the customer wants to make a change to how the system works or who has access to what/when they just get on the iPad/computer and do it for both access/intrusion.
I would never recommend a customer use a key-switch on an alarm panel that is tripped via the EAC, we haven’t installed a lot of large systems over the years but we have worked on them and it seems to me that the customer is often frustrated with it disarming sometimes and not others.
(3)
Avatar
Daniel S-T
Jun 07, 2015

I have left it to customer choice. In most cases the sales team advised agaisnt it. I'm not sure if it's because they didn't understand it, or what the case was, but one sales guy did give a good reason not to integrate.

The client was getting card access as they have multiple buildings around the city and the cost of re-keying locks was getting expensive (three master keys lost in five years or something like that). I had sugested the integration of the new card access and the old alarm system, sales guy over ruled me. What he said to the customer made some sense to me

"If it's not integrated, and some one loses a card, if they manage to use it before you delete the card, at least the alarm will still go off."

Which is true. If it was integrated having a simple card swipe disable to alarm, or at least shunt the door and turn off the motions, then they would have free roam, if the user never reported their lost card, or delayed reporting it lost.

Avatar
Mark McRae
Jun 07, 2015
Inaxsys Security Systems

Daniel,

Only 1 access control door should work when the alarm is armed (in full-featured integrated systems, this is possible through simple programming). At that specific door, use a card/keypad combo reader, something like this http://www.ict.co/TSEC-Extra-Card-Reader (with a keypad built-in).

When the alarm area inside the door is armed, the door type is set to "card-and-pin", then the User must badge the card and do his code. When the alarm area is Disarmed, then the door type reverts to "card only" and you don't have to do the PIN.

this gives you high security (dual verification) to disarm while still having the flexibility and benefits of alarm/access integration

(2)
UI
Undisclosed Integrator #4
Jul 24, 2015

Using a keypad in conjunction with the card as Mark describes above should be the only way it should be done. I don't know why anybody would want to disarm the alarm system with a card only. You are taking away all the security of the alarm and putting it onto a card. If that card is misplaced or stolen then you give me the ability to disarm the system and walk right in. I discourage anybody from wanting to do this.

(1)
MM
Michael Murphy
Oct 16, 2017

This is a great discussion and many valid points. I DO keep having the same question in my mind as I read everyone's comments... Why would any customer, in their right mind, NOT have a surveillance camera at every external entrance/exit where there is a card reader? Seems this would eliminate the need to have such tight integration between the 2 systems. Example: Camera sees motion inside any entrance (that accepts card and disarms alarm system) during off-hour times and someone important SHOULD be getting an urgent text message from VMS. That user could then, via smartphone, re-lock and/or re-arm alarm.

UI
Undisclosed Integrator #2
Oct 16, 2017

I might have an answer for you.  

Either they don’t have the money or the dealer doesn’t have the desire or ability to define the need.

Companies start disabling “door propped” because it’s too much effort responding and it’s been however long they program it for before they are alerted. 

Imagine the simple benefit of an email to a special email box of every door propped alarm, the 10 second clip of who propped it. 

 

(1)
BM
Bob McCarvill
Oct 17, 2017

That would be great in an ideal world where everyone has a nice chunk of change for a security system. Unfortunately, most of the time customers that I work with just want the bare minimum.

(1)
BM
Bob McCarvill
Oct 17, 2017

Typically we do program certain access controlled doors to disarm the intrusion system. Most of the time its doors that are considered employee entry points where the panel for the security system would be anyway. Access control systems still keep a log in case of an event so it really doesn't degrade the security of the building. 

New discussion

Ask questions and get answers to your physical security questions from IPVM team members and fellow subscribers.

Newest discussions