Access Control Records Maintenance Guide

By: Brian Rhodes, Published on Jan 16, 2019

Weeding out old entries, turning off unused credentials, and updating who carries which credentials is as important as to maintaining security as keeping equipment operational.

Failing to do so can be as dangerous as leaving a door wide open. Unfortunately, this often gets overlooked as busy work and sometimes to disastrous consequences. In this note, we examine:

  • Best practices for Cardholder Management
  • How to Maintain Records and System Databases
  • Benefits of Proactive Maintenance
  • Do Not Reuse Credentials

Best practices for Cardholder Management

Steps needed to keep the database trim and current are not difficult but their importance can not be understated:

  • Involve Human Resources: With Electronic Access Control, a formal line of communication between HR and Security must exist. As soon as employment status changes (ie: terminations, relocation, promotions) feedback needs to be channeled to those responsible for access control. Just as IT Departments terminate/change network access or emails, Security must respond accordingly with Access Control changes.
  • Formal Reporting Out: Similar communication initiated by Security groups should notify HR, Department Heads, and perhaps even employees / their direct supervisors when any configuration change to credentials occur. This helps close the loop of communication, but also reaffirms the importance to all why communicating these changes to Security is important.
  • Collect & Invalidate Credentials: Aside from just software configuration changes, write policy to include physically taking possession of credentials during an employee termination or transfer situation. Even if the credential cannot be reissued, ensuring it is properly disposed of will mitigate the potential for misuse.
  • Make Responsive Changes: Finally, do not delay in making configuration changes to the card holder database. Even if seemingly inconsequential (ie: inter-department transfer, shift change, name change) the opportunity to keep records up to date may be lost or create operational issues if delayed. Many times, managers do not consider the impact of employee changes on subsystems like Access Control, acting immediately on changes can reveal operational questions that can be asked before becoming an issue.

Do Not Relegate Upkeep As 'Busy Work'

The most critical management step for access records upkeep is to make it an operational priority, not an afterthought.

As central as this database is to access control, keeping it current is often considered 'paperwork' to be performed by clerks or by staff when less critical work slows down. While the nature of this upkeep is not complex, it is a mistake to consider it 'busy work', as not keeping it up to date can have negative security consequences.

Access Cardholder Maintenance

Get Notified of Video Surveillance Breaking News
Get Notified of Video Surveillance Breaking News

While specific screens vary, all access control systems include a management tool to administer user information, similar to the image below:

During normal operation, this management screen is not often used, and once a credential is provisioned it may not be looked at again. However, knowing the value of the data it contains should not be underestimated.

Automated Database Maintenance Tools

Most databases include a light maintenance application that should be periodically run to 'tidy up' data tables and repair broken elements before causing access failures. For example, the Microsoft SQL Server Agent performs the following tasks:

  1. Reorganize/rebuild scatter index or data tables
  2. Shrink data and log files by removing empty entries
  3. Backup database and transaction log
  4. Perform internal consistency checks

Maintenance applications often also perform Date/Time Syncs between applications and edge controller devices, so that congruity in logging is kept.

Access Database Maintenance Matters

The benefit of keeping records current range from Life/Safety benefits, to keeping IT systems responsive:

  • Quicker Operational Response: Understanding the actual effect of a 'lock down' situation relies on assuming the user database has impacted all potential card holders. For example, when using Access Control for mustering, each identity listed in the database must be accurate. Non-maintained databases will not be useful for that application, simply due to neglect.
  • Better Performance: From a functional standpoint, bloated databases increase the potential of error and time needed to process through them. The inefficiency built into operation from unkempt databases can range between increase 'wait' times to read a card, to undetected corruption/unauthorized duplication of card holder records.
  • Needs Change Over Time: Even if a feature or piece of data is not currently 'used' to identify users or grant access, remember that system use parameters change over time, and once a database is 'ruined' with bad or lost information, it is costly to recover. In many cases, keeping fields accurate and updated can provide a critical, defining key to handling card holder data that may result in a costly manual effort otherwise.

Do Not Reuse Credentials

Not all end users choose to personalize credentials as ID Badges, and as a cost-saving step repeatedly reissue credentials. Once cards are turned in, they are thrown into a drawer until they are again issued. In this situation, turning in a card is not enough, the credential must also be removed from the system.

It is also common to destroy or dispose of the credential at this stage too, to mitigate the risk of illicit use or uncontrolled examples to circulate for 'reverse engineering' in potential duplication.

If user accounts are not kept current, a credential may be handed out with the previous identity. Uncovering these discrepancies can be time-consuming and frustratingly costly.

Another Name for "Key Control"

Keeping this data up to date is another form of managing keys, called 'key control' by many. Auditing which keys are currently in circulation, who carries them, and which doors they can open is a critical part of determining where gaps in security exist. For more details on this, see Key Control For Access Control Tutorial.

In similar fashion, pulling a usage report quarterly or twice yearly to see which cards have been used, and which ones have not, will help identify old credentials that should be turned off or help uncover those who might be using a mechanical key to gain access instead of their authorized credential.

[Note: This guide was originally written in 2013 but substantially revised in 2019.]

1 report cite this report:

Use Access Control Logs To Constrain Coronavirus on Apr 09, 2020
Access control users have included capabilities that are not commonly used...
Comments (16) : Members only. Login. or Join.

Related Reports

Dynamic vs Static IP Addresses Tutorial on Apr 16, 2020
While many cameras default to DHCP out of the box, that does not mean you...
Use Access Control Logs To Constrain Coronavirus on Apr 09, 2020
Access control users have included capabilities that are not commonly used...
Help Security End Users Facing Coronavirus Improve Remote Access on Mar 24, 2020
Many end-users and integrators are struggling with the impact of coronavirus...
Add Door Operators To Fight Coronavirus on Mar 31, 2020
IPVM recommends that integrators advocate and end-users consider adding door...
Facial Recognition 101 on Mar 18, 2020
Facial recognition interest, use and fear is increasing. This guide aims to...
Access Visitor Management Systems Guide on Jul 22, 2020
"Who are you, and why are you here?" Facilities that implement Visitor...
Delayed Egress Access Control Tutorial on Feb 04, 2020
Delayed Egress marks one of the few times locking people into a building is...
Breaking Into A Facility Using Canned Air Tested on Jan 28, 2020
Access control is supposed to make doors more secure, but a $5 can of...
Access Control ADA and Disability Laws Tutorial on Feb 17, 2020
Safe access control is paramount, especially for those with...
Manufacturers Doing Better Than Expected Against Coronavirus on May 05, 2020
Coronavirus impacts are not hitting manufacturers as badly as they feared,...
Vehicle Gate Access Control Guide on Mar 19, 2020
Vehicle gate access control demands integrating various systems to keep...
Convergint Coronavirus Cuts on Mar 25, 2020
One of the world's largest security integrators, Convergint, has made a major...
"He Is An Idiot!" Exclaims SIA Director John Mack on Mar 23, 2020
Here is another inside look into the "leaders" of the security industry. SIA...
Fever Cameras Are Medical Devices, Per The FDA, Dahua, Feevr, Hikvision, InVid Contrary Claims Are False on May 28, 2020
Fever cameras are medical devices, despite what euphemisms various sellers...
Hands-Free Bathroom Doors For Coronavirus Mitigation on Apr 10, 2020
Coronavirus has increased concerns about picking up germs, especially from...

Recent Reports

Dangerous Hikvision Fever Camera Showcased by Chilean City on Aug 07, 2020
Deploying a fever camera outdoors, in the rain, with no black body, is...
"Grand Slam" For Pelco's PE Firm, A Risk For Motorola on Aug 07, 2020
The word "Pelco" and "grand slam" have not been said together for many years....
FLIR Stock Falls, Admits 'Decelerating' Demand For Temperature Screening on Aug 07, 2020
Is the boom going to bust for temperature screening? FLIR disappointed...
VSaaS Will Hurt Integrators on Aug 06, 2020
VSaaS will hurt integrators, there is no question about that. How much...
Dogs For Coronavirus Screening Examined on Aug 06, 2020
While thermal temperature screening is the surveillance industry's most...
ADT Slides Back, Disappointing Results, Poor Commercial Performance on Aug 06, 2020
While ADT had an incredible start to the week, driven by the Google...
AHJ / Authority Having Jurisdiction Tutorial on Aug 06, 2020
One of the most powerful yet often underappreciated characters in all of the...
SIA Coaches Sellers on NDAA 889B Blacklist Workarounds on Aug 05, 2020
Last month SIA demanded that NDAA 899B "must be delayed". Now that they have...
ADI Returns To Growth, Back To 'Pre-COVID Levels' on Aug 05, 2020
While ADI was hit hard in April, with revenue declining 21%, the company's...
Exposing Fever Tablet Suppliers and 40+ Relabelers on Aug 05, 2020
IPVM has found 40+ USA and EU companies relabeling fever tablets designed,...
Indian Government Restricts PRC Manufacturers From Public Projects on Aug 04, 2020
In a move that mirrors the U.S. government’s ban on Dahua and Hikvision...
Directory of 201 "Fever" Camera Suppliers on Aug 04, 2020
This directory provides a list of "Fever" scanning thermal camera providers...
Face Masks Increase Face Recognition Errors Says NIST on Aug 04, 2020
COVID-19 has led to widespread facemask use, which as IPVM testing has shown...
Dahua Loses Australian Medical Device Approval on Aug 04, 2020
Dahua has cancelled its medical device registration after "discussions" with...
Google Invests in ADT, ADT Stock Soars on Aug 03, 2020
Google has announced a $450 million investment in the Florida-based security...