Developing Key Management Standards

March 1, 2006
Effective policies and procedures are the basis for proper key management.

There are reasons why companies employ locksmiths on a full-time basis. The primary advantage is timely response to emergency lock repairs and installations. Equally important is the opportunity to develop key management standards.

Locksmiths who are dedicated to a single customer can do a better job relating to their key management. Independent locksmith companies are disadvantaged as there is little time to concentrate on any one company’s keying systems. To profit and stay in business, locksmith companies must service hundreds of commercial accounts.

The timely response to emergencies is the order of the day while key issuance is best left to a designee assigned by the company. Usually the designee is the person calling the locksmith out. As designees are rotated, new procedures and ideas are usually instituted (by the designee) relating to the issuance of keys from the locksmith, to the designee, then to persons within the company.

This inconsistency adversely affects key management.

All effective key management programs share basic concepts:

  1. Institute a key department.
  2. Establish policies, procedures, and forms that cannot be easily changed.
  3. Designate departmental oversight.
  4. Perform routine audits to evaluate integrity and value.

Determine when keys are issued

Simply because a key can be produced isn’t reason enough to issue it. Key management is all about the appropriate issuance of keys.

Keys can be segregated into five distinct groups that will define how issuance occurs:

  1. Keys that can be assigned to individuals with proper clearance.
  2. Keys that cannot be assigned to individuals but require proper clearance to issue.
  3. A key that cannot be assigned to individuals and no clearance is necessary to issue.
  4. Keys that can be produced but are never issued.
  5. Keys may be assigned but cannot be produced.

In order for keys to be practically assigned to individuals, the key blanks need to be difficult to obtain. Many lock companies offer key blanks that are either patent-protected or distribution is strictly controlled.

It is illegal for after-market key blank manufacturers to produce patent-protected key blanks. There are no laws against after-market key blank manufacturers offering key blanks that are restricted from distribution by the original equipment manufacturer. Some lock manufacturers produce a number of key blanks that are not publicly known or in demand. These little-known key blanks can be used for specific applications providing some key control. (Figure 1)

When key blanks are patent-protected or restricted, these keys can be assigned to individuals with proper clearance.

Areas where access needs to be limited to list of known persons should be protected using locks that feature patent-protected or restricted key blanks.

This is reasonable as the only means to guarantee that only certain persons have access to an area is to guarantee that they cannot obtain an unauthorized key by having a duplicate produced at a hardware store or public key shop.

Keys that are personally assigned need to be accounted for at all times.

The issuance of these keys is carefully supervised. The recipient is cleared to receive the key, the issuance is documented, and the key is tracked until it is eventually returned or retired. These keys usually open doors, gates, and padlocks to important parts of the company’s complexes. These keys are likely to be part of large master key systems.

As a master key system ages, the key blanks used in the master key system lose their patent protection. At that time, companies whose business is offering key blanks may start offering the key blanks to hardware stores and public key shops. When this occurs, the value of accounting for keys on a personal level should be evaluated. A decision to “downgrade” the level may be made.

There are important company keys that should be assigned to the individual but are not as the key blanks are readily available to hardware stores and public key shops. These keys need to be readily available for issuance to persons having clearance but accounting for these keys on a personal level is not necessary. If issuance is recorded, it should be for the purpose of limiting persons from obtaining more than one copy of a certain key.

Examples of these keys might be keys that access groups of locks that are keyed alike. Some examples are: fire extinguisher cabinets, chain-link fences; company vehicles; fork-lifts; electrical switches; locker locks; etc.

Samples of these keys are kept in key cabinets and origination instructions are readily available as to speed up the issuance process.

Other types of keys are not assigned to individuals and require little or no clearance to have made. These types of keys are those readily available at hardware stores and public key shops.

Typical examples of these keys are those that secure office furniture that is often keyed-different, such as desks; lockers and file cabinets. It is difficult to predict what these types of keys might be, so keeping samples readily available is impractical. These types of keys are usually duplicated. If a key needs to be originated by code, standardized codebooks can be used.

There is a group of keys that can be produced (by the company locksmith) but policy dictates that keys in this group are never issued. Examples of these keys are: those that are marked “Do Not Duplicate” and have nothing to do with locks belonging to the company; private keys belonging to the requesting employee but have nothing to do with company business; keys established by management as “not to be issued.” A typical “not to be issued” key might be a padlock dedicated to “lock-out” a high-voltage switch. These padlocks are never master-keyed and once a key is issued, it is never duplicated.

Some keys may be assigned but cannot be produced. These might be high-security keys that can be procured by the locksmith from the lock manufacturer for issuance to other departments. The locks these keys operate are deliberately secured so that even the locksmiths cannot gain access. Examples of locks that feature these types of keys are: revenue vaults; fare-boxes; vending machines and certain safety interlocks.

Establish policies, procedures and forms

The company should establish clear policy regarding all aspects of key issuance and usage. The policy describes the types of keys that can be obtained, who may obtain them, and who can authorize the key issuance. The policy details how the employee is to treat the keys and when, if ever, to lend keys out. Guidelines govern how keys are to be distributed to non-employees doing company business and when a recipient needs to turn keys in. There should be expressed instructions to the locksmith regarding all aspects of key accountability.

Procedural details should spell out how to obtain a key and find the proper signature authority. Forms need to be standardized regarding key issuance, key transfer, key loss, and key return and readily available to all employees. Whenever possible, forms should be kept in a common network directory. Locksmiths who have access to E-mail should have the ability to E-mail forms to requestors.

A good effort when issuing a key can be wasted if there is no means to guarantee a key is returned when no longer needed. A means to do this is to attach a “bounty” on the key at the time of issuance. A small contract can be expressed on the key request. When signed, it binds the recipient to return keys or be charged a dollar amount. This is usually the best assurance available that the recipient will take care of the key and return it when done. Make sure the company cashier collects the “bounty.”

Locksmiths are not the key police

Many times, the “in-house” locksmiths are the only persons at their company who care about the integrity of the keys. Those companies rely on their in-house locksmiths to be the “keeper of the keys”.

This is flawed policy for many different reasons:

1. It often places the locksmith is an “us-and-them” type scenario where the locksmith is dictating terms to the management of other departments. What manager wants a subordinate telling him what to do?

2. As a locksmith accepts this role, support from direct management dwindles or does not affect specific individuals, weakening the necessary oversight that is necessary to maintain integrity.

When locksmiths become the key police, persons are too intimidated to ask questions that need answering relating to keys. Persons learn to avoid the locksmith rather than work together.

Effective policies and procedures allow the locksmith to apply the rules rather than create them.

The computer and key management

A computer can be beneficial for the locksmith keeping track of keys. The simplest application to use for key management is a spreadsheet. Learning to manage a spreadsheet does not require a great deal of time or “computerize.”

A spreadsheet allows records to be entered into a table where each row is the record and columns detail information about the record. Information can be sorted and searched on. Tables can be cut and pasted into documents or E-mails. presenting a means to report requested information.

Another more advanced application is a relational database. A database also stores the information into tables but allows information to be inputted through forms. Forms allow the input information to be analyzed before it is posted to tables. The best feature about databases is that complete and detailed reports can be generated that are easy to read and interpreted.

Sometimes the company assigns programmers to help design databases for the key shop. There are specialized programs available just for key management. Besides key management, other tables can keep track of key blank inventories and can identify where key blanks are stored or hung.

Whether it is by spreadsheet or database, it is clear that today’s in-house locksmith has to be computer savvy because a significant part of the job is working with computers.

Mark smarter

As part of the management program, keys must be intelligently marked. Too many keys are marked with arbitrary numbers and characters that confuse the process. I can’t tell you how many times I’ve seen (at different companies) keys marked “MK”, “ELEC”, “GM”, etc. This might not be so bad if you have one single all-encompassing master key system, but usually a company has many different key systems.

Markings change from time to time. I’ve seen the TMK (Top Master Key) of one system marked “RTS.” Then when a new system was put into place the TMK was marked “NEW RTS.” Ten years after that, the next TMK that replaced that was marked “RTS2.”

Control keys are also an issue. I’ve seen “CT”, “CTL”, “CONT”, and “CTL”, all used on different systems within one company.

Another problem deals with ambition. One manager sees his counterpart with a key marked “MK DEPT 33,” and he knows his keys is marked “CK 33-2.” He knows what that means and he has to have a master also.

Markings become a problem when keys are lost. A ring of keys that a janitor might drop might insinuate through markings that the keys are “a ring of master keys.” This ring is less likely to be turned in.

The answer is to always mark your keys with a “blind code.” “Blind codes” let you (the keeper of the keys) look up the code to determine what type of key, who the recipient was, and what it opens. If the same two managers have respective keys (not marked “MK DEPT 33” or “CK 33-2”) marked 34210 and 62100, then the desire to have an equally powerful key disappears. If the janitor’s set of master keys is found and the keys have all generic numbers marked on them, the keys are more likely to be turned in.

Additionally, marking keys in this fashion empowers the locksmith, as this is the only person who can determine what a key does.

In Summary

Whenever policies and procedures are made regarding keys, it is best to include the locksmith. Too many times keys are controlled at levels that cannot be supported because of the availability of unauthorized duplications.

Effective policies and procedures are the basis for proper key management.

As locksmith we need to be aware of the restricted key blanks available from lock manufacturers. These restricted keys can provide an opportunity to give your customer’s an additional level of security and key control.

To take on the challenge of key management, locksmiths need to be computer literate with an understanding of spreadsheets.