3 Steps to Key Control

June 27, 2022
Making sure that end users follow these procedures will ensure their systems and facilities remain secure.

Your shop is the front line of defense for most of your customers. Explaining a simplified key-control process can open the door to major projects (and career opportunities). Key-control expertise could be your ticket. 

Because most compromises come from inside attacks, internal key control becomes a critical issue. Effective control includes the creation, issuance and return of keys or credentials, as well as updating compromised cylinders or cores.

Although electronic access control (EAC) now is found on many high-value locations, mechanical locks still secure most assets inside a customer’s facility. Security pros understand that electronics let your client know who has been in a facility, but key control allows them to know who had access to the internal doors, cabinets or lockers.

Key control has two critical elements. The first is controlling key availability and distribution. The other half of the equation is what happens after you turn the keys over to the end user.

As a lock professional, you can show the owner or manager how to maintain the valuable key control you’ve provided. If not, their keys might be compromised before you get back to your shop. This article will explain how an owner can maintain internal control.

Keeping Control

Larger facilities often have multiple layers of security that might include exterior barriers and lighting, guards, cameras, alarms, CCTV, locked inner doors, cabinets, safes and security procedures. These layers add up to a high level of defeat resistance.

The problem occurs when insiders obtain a key to an area for which they shouldn’t have access. These areas could include supply, equipment or tool cribs, labs, server rooms, building or equipment controls or areas that contain proprietary information. The risk increases with the value of the secured assets or the cost of a compromise.

Smaller buildings that have few doors and little or no after-hours traffic often gravitate toward structural strength and resistance to manipulation and duplication through a patented or restricted key system. However, a high-security lock has zero defeat resistance against a key that’s fallen into the wrong hands. At the end of the day, a building owner requires a good balance between external defeat resistance and internal key control.

Key-control methods can include a patented or restricted key, a secure key tether, a locked key cabinet, a software management system and, particularly, a policy that includes a signed key-control agreement.

There are, generally, three causes of lost key control:

  • Keys are lost, loaned, stolen, copied or simply not returned. 
  • Staff is hired, moved, transferred, retired or discharged.
  • Facilities are built, renovated, repurposed, sold or demolished. 

Poor record keeping leads to the wrong keys being issued and uncertainty as to who actually has access to secured areas.

Fortunately, the solution actually isn’t difficult. Here are three steps to creating solid key control. 

1. Prevention

Restricted and patented keys have been popular key-control solutions for the past 30 or 40 years. These systems inhibit external duplication. Equally important, however, is the prevention of lost, loaned, stolen and unreturned keys inside the organization.

Exterior access to a facility might be by electronic access or an exterior-only master key. However, lost master keys have forever been a major problem, particularly for maintenance, housekeeping and guard staffs. In many cases, complete sets of master keys or electronic credentials have been taken from parked maintenance trucks or left sitting on some shelf or table, dropped in the snow or otherwise misplaced. Until reported, a lost or stolen key or credential can have profound consequences.

When high-value keys or credentials must be carried, effective measures, such as Tether Technologies Gravity or a securely attached key ring are extremely prudent measures.

A proven risk-mitigating measure is to have each building’s master key kept in a well-secured cabinet within a locked and possibly alarmed closet in each building. Locked key cabinets, individually secured keys and check-out and return procedures also create essential accountability for temporary key users.

2. Accountability

Accountability is the second leg of an effective key-control system, and it’s often the place where a system fails. The process has two simple but critical elements: policy and documentation. We’ve seen everything from a single paragraph to a 20-page federal regulation that governs key control.

An employee access control agreement is the cornerstone of the documentation process. Signing the agreement establishes the importance of the key-control policy.  A few thoughts to keep in mind:

Although the key-control policy doesn’t have to be complicated, employees have to know what’s expected. See “Key, Code & Credential Control Policy” for an example of a simple, easily understood policy that covers the important issues.

The key-control agreement drives user accountability. This simple method really works. When a key is issued, the recipient signs the agreement and receives a copy of the signed agreement and the policy. See “Employee Access Control Agreement” for an example. In fact, you can copy and use these as you see fit.

The key audit is another effective prevention measure. Many unauthorized keys are from innocent mistakes or keys passed on from departing employees. Some, however, aren’t so innocent.

In larger facilities, expansion, department changes, departures and reassignments require keying updates to render illegitimate keys obsolete. Interchangeable cores proliferate in larger facilities because they allow for fast and cost-effective recovery for doors that have been compromised or suspected to have been compromised.

As far as documentation goes, the basic level is a simple Excel spreadsheet of key marks, when issued, to whom, what doors are affected and when returned. Key cabinet manufacturers, such as HPC, Key Systems and Morse Watchmans, provide key tracking and issuance modules.

More-sophisticated systems, such as SimpleK by ASSA ABLOY, the BEST Keystone Web or Schlage Sitemaster 200 are designed to handle the largest systems.

Who has charge of the system is less important than how it’s handled. Entry-level computer skills and the time and temperament for updates are critical. We’ve seen large systems remain secure for 25 years with basic data maintained by a secretary.

3. Recovery

Recovery is the final element in a key-control system. Discovery, response time and cost drive the ability to recover from a potential breach of the key-control system. 

Of course, discovery depends on actually having a key-control process and records in place. Every promotion, transfer, discharge, renovation or expansion is a tripwire that warns that a key-control event has occurred.

Response time is the second important issue. Being able to rekey immediately prevents the lost, stolen or transferred key from being used for nefarious purposes. This is why quick change and low maintenance costs have made the small-format interchangeable core so dominant in large facilities.

Cost is the final issue. Excessive complexity and high-labor content tend to delay or prevent recovery from lost-key events. Keep it as simple as possible.

Prevention, documentation and recovery produce internal key control for the owner. So what does the future hold? We’ll undoubtedly see an increasing migration to smart locks that include cards, fobs, biometrics and, particularly, mobile credentials. Nevertheless, mechanical locks will continue to evolve and won’t go away soon.

Because hundreds of millions of keys will be in use for some time, a facility owner still requires effective internal key control.

Cameron Sharpe, CPP, worked 30 years in the commercial lock and electronic access control industry. He designed key-control systems for large and small facilities. [email protected]