Most businesses and institutions face accountability issues with the mechanical keys used to secure their facility. With today’s focus on digital and electronic access control, it is easy to forget about and lose accountability of the mechanical keys that continue to be the sole security point of approximately 90-95% of the doors and other applications that require lockable hardware. Even the 5-10% of the doors and applications that do have electronic access control could be susceptible to key control issues if their locks have a mechanical override.
The lack of a key control or key management program cost a company thousands of dollars a year in maintenance costs, stolen property, liability lawsuits, and higher insurance costs.
In this article, I will discuss the elements of a strong, effective key management program. You, as a security professional, can use this information to help educate your customers on the risks and costs of ineffective key management and help guide those customers into a system and program that offers protection to them and their facility.
What is Key Control, and what it is not?
Over the years of helping hundreds of businesses and institutions with their key system design, I have learned that key control means different things to different people. For some, key control simply means stamping their keys with “Do Not Duplicate.” For others, it means storing and managing their keys via a key cabinet.
However, effective key control is not that singular or simple. Keys that are simply stamped ‘Do Not Duplicate” offer nothing more than a polite request to the key holder not to have duplicate copies made. And while this request is polite, it is often ignored and even abused by the key holder.
Key cabinets are good for storing keys and providing convenient access for those that need the keys inside. But what could happen to those keys when they are outside the key cabinet? Once the keys are outside of the box, they are still at risk of unauthorized duplication.
These simple strategies alone will not produce the results your customer is looking for in a well-managed key system. Strong key control is comprised of many integrated elements that must work together to maintain integrity and accountability of a key system. Below are the elements of a strong, effective, and enforceable key control management program.
Patented Keys: A utility-patented key system design is the foundation of an effective key control management program. Without a patented key system design in place, a customer cannot achieve true key control. A utility patent for a key system is awarded to a manufacturer for new and novel attributes that make the design unique. The patent provides the manufacturer of the design the exclusive rights to manufacture and control distribution of the keys and key blanks. The patent legally prevents other manufacturers from manufacturing the keys and keeping the blanks out of the general populations’ hands.
Legally Enforceable Key Control Agreements (Contracts): When it comes to patented key control, there are certain “rules of the game” that must be followed. Those rules come in the form of a Key Control Agreement that outlines the details on how the accountability of the key blanks and the integrity of the process will be achieved. This agreement is issued by the manufacturer and is signed by all entities that will be involved in the key management process for the keyway assigned. This will include the locksmith, the end user, and the manufacturer. The agreements protect all of those involved in the key management process and provides the legal “teeth” needed to enforce the agreement in the event a key control violation takes place.
Controlled Distribution of Key Blanks: Patented, restricted key blanks should not be available to just anyone. Part of the key control equation involves limiting the accessibility of the blanks and having a clear and limited chain of custody for distribution. Each set of hands that touch the key blanks increases the likelihood of lost or stolen blanks. While the order for the end user key blanks should come directly from an authorized security professional, the key blanks should ship directly from the manufacturer to the end user and only to the authorized individuals identified and approved by that end user. This ordering and verification process is managed using a Letter of Authorization that must be included with each key blank order submitted to the manufacturer. The letter must be a hardcopy original, with the authorized end user’s signature and include the specific part number and quantity of the key blanks needed. In today’s digital world, some manufacturers have been able to enhance this authorization process using digital and web-based tools to verify and authenticate the identity of the authorized end user when placing an order for key blanks.
Key Identification: Knowing where keys originate is critical to a well-managed key control program. Without some simple, yet permanent marking on the keys, there is no reliable way to track the keys’ origin. Some manufacturers use a special coining process to permanently mark key blanks for their customers. This coining process is identical to the process the U.S. Mint uses to make circulating coins (nickels, dimes, quarters, and pennies). The coining process produces an attractive, raised and permanent marking on the key bow that allows an end user to quickly identify a key that does not belong to their system.
The Key Control Policy: Security with the Stroke of a Pen
Even if all of the other key management elements discussed previously are in place, the control and integrity of a key system will deteriorate quickly without a well-crafted and enforceable key control policy. It is difficult to manage something as dynamic as a key system without proper planning, tight controls, or the right management tools governing the day-to-day operations of key system management. The key control policy should cover all aspects of the key management process. This includes the methods for issuing, cutting, storing, returning, auditing, and accounting for keys. Specifically, the key control policy should address these topics by answering a few of the following questions:
· Key Issuing and the Returning of Keys:
o Who has the authority to request keys? And what level of key can be requested?
o How is that authorization enforced?
o Do you have a plan in place to account for keys that are returned? Managing returned keys is just as important as issuing them).
· Key Cutting:
o How are key requests processed, and how do you identify or mark the keys issued?
· Key Storage:
o How will key blanks and cut keys be stored and where?
o Who has access to the key blanks and cut keys?
· Accounting for Keys:
o What method will be used to track keys that have been issued or assigned? How will each key holder and the keys they carry be identified?
· Re-keying locks:
o How often will locks be re-keyed, and under what type of events lead to an automatic rekey?
These are just a few of the questions the key control policy should address.
Endorsement and Support from Executive Management: Lastly, one of the most critical elements to a successful key control and key management program is the endorsement and support from Executive Management. Management’s support of the key control program is necessary in the implementation, administration, and enforcement of the policies and procedures. Not having the support of Executive Management can cause serious problems in managing the program, and without the backing, funding, and continued support from management the program will likely fail. The best strategy for getting a strong key control program off the ground would be to enlist the support of Executive Management from the very beginning. By making a business case and presenting justification for key control program, the management team can feel informed and educated about the benefits (or risks of not having a program) of the initiative and will be more willing to fund and support the program.
The Future of Key Control
What’s the future of key control? What would be better for your key control program that keys that only work when you tell them to? Or, keys that expire when not in use? What about keys that allow you to change the doors or applications they access whenever you want – without cutting new keys or rekeying locks? Or, a key that provides you a history of which doors it has opened and when those doors were opened? Sound intriguing? It should, especially if you or your customer has experience managing a mechanical key system. Today, digital cylinders and keys are a real thing, and the technology that powers them can allow you to:
- Establish access schedules so the key only works when you tell it to
- Allow you to change the access rights on a key without rekeying locks or cutting new keys
- Provide audit trails of key usage (when and where the key was used).
Some key system manufacturers offer these digital cylinders in formats that are compatible with your existing hardware, eliminating the new to change out hardware to accommodate. These same manufacturers also offer their digital cylinder designs with technology that is backwards compatible with mechanical cylinders – allowing you to customize your key system by selecting which doors need a higher level accountability and audit, versus those that just need a strong, physical cylinder with tight key control.
Establishing an effective key control or key management program is not an easy initiative. However, it is an important initiative that is essential to the safety, security, and accountability of the customers you work with and help protect. I hope the elements contained in this article have helped you feel more comfortable with discussing the need, and the requirements, of a strong key control or key management program with your customers. They can’t do it without you.
Dale L. Bowman, CML, CPP, PCI, PSP, and LEED BD+C is the Director of Business Development for Medeco Security Locks, an ASSA ABLOY company. Medeco is the leader in high security, key control, and digital key system designs, and has been helping organizations with their key system challenges for over 50 years. You can connect with Dale via Twitter @dalebowmanCPP or via Instagram at thedalebowman