This is the third in a five-part series focused on How to Deploy a Key System the Right Way.
In the first article, we focused on project discovery by defining the scope of our project, identifying crucial participants (stakeholders), and setting clear expectations and well‐defined results. We created the overall project schedule and defined resources required to achieve project goals. (See January 2020, www.locksmithledger.com/21116662)
In the second article, we defined our security objectives and designed our masterkey system, including any necessary customization. We also created a detailed work plan, which included precise timelines and individuals responsible for each aspect of the project. (See February 2020, www.locksmithledger.com/21119948)
Now it’s time to develop the key-management program. This includes defining key-control policies and selecting the tools that will be used to manage the key system. It also involves outlining a comprehensive communications plan to notify stakeholders of policies and procedures and determining the best method to train them on the key-management program.
Consider a Patented-Key System
Unless the duplication of keys can be controlled tightly, any key system is vulnerable to unauthorized use. Therefore, the first step in protecting your key system should be to select a patented-key system.
Stamping “Do Not Duplicate” on keys is all well and good, but because most keys can be duplicated easily at the local hardware store, it isn’t an effective deterrent. A patent, however, takes care of that. With a utility patent in place, it’s illegal for a third party to produce a key that will work in the manufacturer’s lock. The only locksmith who has access to the patented key is under contract with the manufacturer.
A key-control agreement then is issued by the key manufacturer and signed by the locksmith, the end user and the manufacturer. The agreement enables legal recourse if the agreement were violated by any of the parties involved.
Define a Robust Key-Control Policy
With a patented-key system and a key-control agreement in place, it’s important then to create and circulate a comprehensive key-control policy. This would outline guidelines for issuing, cutting, storing, returning, auditing and accounting for keys. This document should be updated periodically to address issues that arise as the key system matures.
The policy should define those in the organization who have authority to request keys and what level of key they can request.
It should require every individual who receives a key to sign (and agree to obey) a keyholder agreement. Such an agreement would forbid the loaning of keys, instruct keyholders to report lost keys immediately and force keyholders to surrender keys upon end of employment.
The policy also should define processes around:
- The issuance of keys
- The return of keys
- The disposal of broken or miscut keys
- Key-cutting procedures
- The tracking and auditing of keys
- Key storage
- The rekeying of locks
- The ordering of key blanks.
You should be sure to get senior managers to endorse the policy officially. This is a critical step in the development process and underscores the ability of key-system administrators to enforce the procedures outlined in the policy.
One of the above steps is particularly worth expanding upon. To maintain tight control, key blanks should be shipped only to authorized individuals in the organization directly from the manufacturer. And orders for blanks always should be accompanied by a letter of authorization, either in writing or issued via a web-based tool. This step is used to verify and authenticate the identity of the authorized end user and keep key blanks out of the hands of unauthorized individuals.
Communicate the Plan
To ensure successful adoption of the new keying system, it’s important for stakeholders to understand the system’s logistics and what’s expected of them. Creating and circulating a communications plan will help to ensure that appropriate messages reach the intended target audience.
You should use multiple communications channels (email, posters, message boards, etc.) to ensure that your messages cut through the everyday clutter. A comprehensive communications plan should outline the most important messages, target audiences, planned issue dates, communication methods and calls to action. Be sure to consider target audiences beyond keyholders, such as the organization’s IT professionals or facilities personnel, who will shoulder responsibility for the proper installation of critical software or hardware to support the key system.
Messages might include reasons for installing the new keying system, but they should include how and when keys will be issued, how and when training will be delivered, relevant aspects of the key-control policy and the expectations for keyholders.
Explore Key-Management Tools
As you work to develop an effective key system, it’s important to explore options and document the processes and procedures of key management.
Where will keys be stored? Will the organization use a standalone cabinet or an enterprise system that requires access control and can be networked to allow for multiple levels of oversight? Some cabinets provide user identification through biometrics or a prox card for additional security.
Will keys be tracked using an old-school card-file system or a software package that could enable real-time tracking of key removal and returns? Many key-management software packages can keep track of such details, including the ability to:
- Track keys to a specific location or department
- Display which individuals have access to specific openings
- Issue alerts stemming from lost keys
- Define all components associated with an opening (frame/door/lock/hinges/additional hardware).
Determine Training Methods
One of the most critical factors in ensuring the successful adoption of a new key system is training — for keyholders, system installers and those responsible for ongoing system maintenance. You should determine the best method and timing to deliver training instruction. Will keyholders receive instructions when they pick up their keys, or will the organization adopt a more formal approach to training?
Although the use of keys seems obvious, problems can occur. For example, if smart keys were used in your key system, where the key communicates with the lock, keyholders should know that this process typically takes a fraction of a second. If keyholders didn’t understand this nuance, it could result in complaints of malfunction and overall skepticism of the key system’s performance. During training, users also should be reminded of other seemingly obvious facets: Don’t use a key as a box cutter, and, to avoid bending keys, never use the key to physically open a door.
Technical training for installers and maintenance staff should cover the organization’s key-system design and operation as well as how to install, maintain and adjust locks and system components.
It also is important to educate keyholders and maintenance personnel on relevant aspects of the key-control policy. Finally, you should implement a formal method for individuals to commit to abide by the tenets of the key-control policy, perhaps by having them sign a declaration that they read, understood and agreed to follow the policy.
Although developing the details of a key-management system might seem frivolous and labor-intensive at first glance, the costs associated with not having a robust system in place can be significant for the organization when one considers the potential for such things as stolen property, liability lawsuits and elevated insurance premiums, not to mention additional maintenance costs if property were damaged.
In the next article, we’ll explore Phase 4 of How to Deploy a Key System the Right Way: the Deployment phase.
Dale L. Bowman, CML, CPP, PSP, PCI, LEED BD+C, is Medeco’s Director of Business Development, OEM and International Sales.
