Access Control: A Checklist for Selling New Systems

May 5, 2011

As a professional security integrator, it is only a matter of time before you receive the highest compliment from one of your customers when they say: “We need a completely new access control system, and we want you to design and implement it.”

Along with the vote of confidence comes a huge responsibility. It can be a daunting task, especially if the system required is substantially larger than what is already in place. But if you approach it methodically, you can reduce error and ensure that your customer gets the exact system they require.

Listen to the End-User

Questions to ask include:

  • What is your short-, mid- and long-range vision for the access control system? Is it based on open standards, like 802.11b/g or 802.3af, for the most affordable infrastructure? Is it scalable enough to support possible mergers and acquisitions?
  • What type of credential(s) will be used? How many are issued? What type of format will be used, and can it support a projected card-holder population? Is it controlled to ensure there are no duplicate IDs?
  • What investment has already been made? Is the current system upgradeable?
  • What assets does the end-user have, and what value do these assets have in relation to the operation or business? These range from physical assets like computers to patient records, employee records and client data.
  • Have the assets changed, requiring higher levels of security? Perhaps the locks and/or key system needs to be changed as well.

Observe Your Customer

Essentially, the integrator should be trying to find out about the culture at the end-user’s location. It can range from an open, accommodating environment, to one with strict and limiting access controls. There will always be a conflict between convenience and security — the challenge is to create procedures and rules that balance these disparate goals.

Did you observe the employees holding doors open for each other? If so, how are they able to verify each other's current employment status? Did they open the door for persons carrying large packages? If so, did they check those persons' IDs? Did visitors sign in at the reception desk? Did they wear ID badges? Were they escorted by staff members? Did students have a habit of leaving their dorm rooms unsecured? If so, what sort of liabilities fall on school administration if a theft occurs and they knowingly allowed that practice to continue?

Conduct a Site Survey and Security Audit

Walking through a customer’s facilities can be invaluable when developing a comprehensive access control plan. Here are a few things to look for:

  • Mechanical Security: If the openings are not mechanically secure, any additional funds spent on electronic access control are wasted. The following must be addressed before moving forward on an advanced access control system:
    • Are the doors, frames, and hinges in good condition? Are they rugged enough for the application and durable enough for the traffic? Are the frames mortar-filled?
    • What key system is in use? Is it a patented, high-security type? How often are locks re-cored? How many master keys have been issued? Have any been lost? How easy is it to reproduce the keys?
    • Is there a reasonable accommodation for the handicapped to ensure compliance with the Americans with Disabilities Act (ADA)?
    • Are cross-corridor fire doors in place? Do they have magnetic door holders tied to the fire system?
  • Identify Assets and Value: Many consider assets to be tangible items that can be sold for quick cash. But assets include anything that someone might want to steal or destroy, and vary among end-users. The important thing is to put a price tag on the loss of the asset, plus the cost of lost productivity and potential liability that could result.
  • Identify the Threat: Consider the end-user’s surroundings: Have you noticed any evidence of gang activity? Have you noticed an increase in shuttered businesses? If so, perhaps an increase in perimeter security is in order, potentially including increased lighting, cameras and gated access.
  • Evaluate the Facility(s): This will help you identify product options. How old is the building? Does it have architectural or historical significance? How thick are the walls? Was asbestos used as an insulating material? If so, it may be difficult and costly to install conventional, wired access control devices. Perhaps a WiFi solution will be a good alternative.

Get the Technical Details

For each opening requiring access control, you’ll need the following details to ensure you order the right product for the given application:

  • Does the door swing in or out? Is it left- or right-handed?
  • What’s the finish of the existing hardware? What’s the lever style? Would the end-user prefer a more modern look?
  • How is each door expected to operate? Ensure that an operational narrative is written for each opening that covers the following conditions, and have the customer sign off on it. This should include: normal state; authorized/unauthorized access and egress; monitoring and signaling; and power failure, fire alarm and mechanical operation.
  • Determine where to place access control equipment. This could be Telco and IT closets, server rooms or administrators’ offices. Make sure your staff will have access for installation, and later for service and maintenance. Also, make sure there is enough space on the wall to mount access control panels, interface modules and power supplies.
  • Determine network coverage. Are IP drops where you need them? Is there sufficient WiFi coverage where you need it should you opt for WiFi locksets?

Ensure Code Compliance

Several agencies have issued codes and standards over the years to enhance life safety, improve privacy and reduce fraud. They need to be factored into an overall access control plan, and include the Americans with Disabilities Act (ADA), the Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley (aka SarbOx or SOX).

Building Codes and Standards include: Model Building Code (IBC) — Amendments, Occupancy; Life-Safety (NFPA 101) — Means of Egress; Fire (NFPA 80) — Retro-fitting, Sprinkler Systems; Accessibility (ANSI A117.1) — Operators, Credentials; and Electrical (NEC NFPA 70) — Installation, Wiring, Products.

Validate the Security Requirements

Different applications and clients have differing security requirements. Verify these needs with the end-user before starting the system design; otherwise, you could be in for a lot of extra work. The following considerations should be factored into an overall access control plan, as they have a direct impact on product selection and system configuration:

  • Lockdown: Is lockdown capability needed in the interior or just the exterior — or at all?
  • Real Time: Is real-time communication to the access control system a critical requirement? Perhaps it is for perimeter doors, but what about interior doors? What if you could save the end-user $1000 per door by specifying a WiFi lock instead?
  • Monitoring Requirements: How much monitoring does the end-user need? In most cases, a door position switch will suffice; however, some clients want to know that the door is both closed AND secured; these are not necessarily the same thing.
  • Audit Trail Requirements: How important is it to know who entered a building or room, and when? For code compliance, this feature is always mandatory, such as for access to computer rooms, personnel records and patient records; however, some companies use audit trail reports to validate employee activity.
  • High-Security and Classified Areas: For increased security, there are several options. Is multi-factor authentication a requirement, such as card and PIN or even a biometric verification? Should there be a two-man rule?
  • Special Considerations: Some areas, like memory treatment centers for Alzheimer’s patients, require valid access credentials from both sides of the door, keeping the right people in and the wrong people out. Clearly this requirement takes a different set of hardware than a typical free-egress lock or exit device.

Determine Business Requirements

Consider the final details that will allow you to complete your system design:

  • Aesthetics: Many high-profile building owners use architectural design to make their facilities stand apart. This extends to the interior space as well. So, is a black wall reader the right choice? Or will an elegant lock with integrated card reader and designer lever be a better option?
  • Infectious Disease Control: Some locks and doors are available with an anti-microbial finish designed to inhibit the growth of bacteria.
  • Turnover: What kind of turnover does the facility experience? Heavy turnover would be difficult to manage with a PDA-programmable offline lock; however, one-card systems actually program access privileges onto the card, virtually eliminating the need to tour the doors to reprogram them. Of course, online solutions could address this as well.
  • Applications: It is inevitable that a variety of applications will converge into a single system. That’s why it is important to select an access control system that can grow by providing application support for parking access, visitor badging, integrated video and other needs as required.
  • System Management: It is important to determine who will manage the new access control system for the end-user, and how and where they will do so. For enterprise-class systems, it might mean multiple departments will manage their own people, while a system administrator will maintain and manage the main, centralized system.
  • Budget: You ultimately need to know your customer’s budget; however, with all the upfront research, your findings might be beyond their initial scope. This is how long-term planning comes into play, so you can develop a priority list over several phases to ensure the end-user gets the access control system that fully meets their requirements.

Lester LaPierre is Director of Business Development, Electronic Access Control for ASSA ABLOY Door Security Solutions.