Developing Key Management Standards

There are important company keys that should be assigned to the individual but are not as the key blanks are readily available to hardware stores and public key shops. These keys need to be readily available for issuance to persons having clearance but accounting for these keys on a personal level is not necessary. If issuance is recorded, it should be for the purpose of limiting persons from obtaining more than one copy of a certain key.

Examples of these keys might be keys that access groups of locks that are keyed alike. Some examples are: fire extinguisher cabinets, chain-link fences; company vehicles; fork-lifts; electrical switches; locker locks; etc.

Samples of these keys are kept in key cabinets and origination instructions are readily available as to speed up the issuance process.

Other types of keys are not assigned to individuals and require little or no clearance to have made. These types of keys are those readily available at hardware stores and public key shops.

Typical examples of these keys are those that secure office furniture that is often keyed-different, such as desks; lockers and file cabinets. It is difficult to predict what these types of keys might be, so keeping samples readily available is impractical. These types of keys are usually duplicated. If a key needs to be originated by code, standardized codebooks can be used.

There is a group of keys that can be produced (by the company locksmith) but policy dictates that keys in this group are never issued. Examples of these keys are: those that are marked “Do Not Duplicate” and have nothing to do with locks belonging to the company; private keys belonging to the requesting employee but have nothing to do with company business; keys established by management as “not to be issued.” A typical “not to be issued” key might be a padlock dedicated to “lock-out” a high-voltage switch. These padlocks are never master-keyed and once a key is issued, it is never duplicated.

Some keys may be assigned but cannot be produced. These might be high-security keys that can be procured by the locksmith from the lock manufacturer for issuance to other departments. The locks these keys operate are deliberately secured so that even the locksmiths cannot gain access. Examples of locks that feature these types of keys are: revenue vaults; fare-boxes; vending machines and certain safety interlocks.

Establish policies, procedures and forms

The company should establish clear policy regarding all aspects of key issuance and usage. The policy describes the types of keys that can be obtained, who may obtain them, and who can authorize the key issuance. The policy details how the employee is to treat the keys and when, if ever, to lend keys out. Guidelines govern how keys are to be distributed to non-employees doing company business and when a recipient needs to turn keys in. There should be expressed instructions to the locksmith regarding all aspects of key accountability.

Procedural details should spell out how to obtain a key and find the proper signature authority. Forms need to be standardized regarding key issuance, key transfer, key loss, and key return and readily available to all employees. Whenever possible, forms should be kept in a common network directory. Locksmiths who have access to E-mail should have the ability to E-mail forms to requestors.

A good effort when issuing a key can be wasted if there is no means to guarantee a key is returned when no longer needed. A means to do this is to attach a “bounty” on the key at the time of issuance. A small contract can be expressed on the key request. When signed, it binds the recipient to return keys or be charged a dollar amount. This is usually the best assurance available that the recipient will take care of the key and return it when done. Make sure the company cashier collects the “bounty.”

Locksmiths are not the key police

Many times, the “in-house” locksmiths are the only persons at their company who care about the integrity of the keys. Those companies rely on their in-house locksmiths to be the “keeper of the keys”.

This is flawed policy for many different reasons:

1. It often places the locksmith is an “us-and-them” type scenario where the locksmith is dictating terms to the management of other departments. What manager wants a subordinate telling him what to do?