Who's Controlling The Keys?

Apr 1, 2002 12:00 PM, By Peter Guidi

Access control — the process of managing the flow of people into, throughout and out of our facilities — is achieved through a layered approach that identifies a facility's needs and delivers the specific hardware/software necessary to serve those needs. Comprehensive access control is comprised of a number of facets all layered together into a succinct program through policy and procedure. A primary component of a comprehensive access control strategy — and one that is sometimes overlooked — is the mechanical key system. This article will cover the different roles of the security and facilities departments in managing an organization's mechanical key system.

The term access control is sometimes used interchangeably with the term card access. It is critical to understand the difference. Card access is just one element of an access control program. Card access is an electronic, computerized system. It is used in any of three specific areas:

• a secure space with a large number of authorized users. Typically a space with 25 or more authorized users merits a card access system, depending on the economics of the facility.

• a secure space where time and specific usage needs to be controlled.

• a secure space where an audit may be needed for report or investigative reasons.

Card access systems are critical elements of an access control program. Using specific criteria to decide when — and when not to — specify card access systems will allow a facility to maximize its security budget.

SECURED OR UNSECURED?

If a secure space does not meet the criteria to justify a card access system, it is likely that the door has a mechanical lock. Why is key control important? The answer is simple: It determines whether a space is secured or unsecured. Secure spaces require authorization to gain access; unsecured space does not. Secure spaces are locked; unsecured space is not. If the space has a mechanical lock, we need to know who has the key.

Regional security directors from a large governmental agency that controls security at many of the nation's high-profile facilities were recently involved in a conference call. Being assessed was one of its facilities that attracted significant national attention in the fall of 2001. Glaring examples illustrated the extent of a failed key control program. It turned out that the security department did not know how many doors were locked, or how many people might carry keys. Why? Because at this organization the lock shop is not part of the security department. It's part of the facilities department, which holds responsibility for locks and keys. A regional security director suggested that it might not be important to have key control on all doors. In that case, we should remove the locks from those doors! The point is: There is no compromise. Either the space is secure or it is not. If space is secure, we must know who has access (who has a key). Thus key control is a responsibility of the broadly defined access control program. It needs to be a part of the security management program — not relegated to the maintenance or facilities department.

REMEDIATING A KEY CONTROL PROBLEM

One of the nation's leading medical centers also completed an assessment of its key control program. It's a world-renowned facility with the very finest security personnel. Last summer at a conference, one of the managers admitted to problems he suspected from his day-to-day interaction with the key system. The problems he observed are typical, and can be recognized in many facilities:

• high housekeeping turnover,

• unknown contractors and maintenance workers entering secure space freely,

• no access to space even though a key should have worked,

• doors to which no one had a key.

And, finally, security did not manage the key system; the facilities department had that responsibility. An assessment later sought out three fundamental pieces of information:

• How many doors have locks? We needed a dynamic and accurate list of doors including all system information related to the door. We also needed some update procedure in which changes in the door database are accurately maintained.

• How many subscribed users are authorized to carry a key and to which space would the key provide access? We needed a current list of assigned key holders to audit against current employees.

• How many keys had entered circulation, and were there unaccounted or unrestricted keys in the system? We needed to reconcile the number of keys that had entered the system against the current key holders.

The answers to these questions were unsatisfactory. The facts are that the facility department did not maintain an accurate door database, had no idea how many keys had either entered or remained in circulation and certainly had no idea who carries a key to any specific space. This facility has more than 20 buildings with perhaps 35,000 locked doors. Remediation of the key control program will cost this facility more than $2 million and three years to fix. How could this happen? And once fixed, could the system be maintained?

HOW COULD IT HAPPEN?

The answer to the first question has to do with the historical nature of the security industry and the evolution of locking technology. The answer to whether a system can be maintained is more complicated.

Over the last decade the importance of security has grown steadily. It's easy to remember when security was a weak stepchild in many organizations; some are still fighting for limited dollars and facing reduced budgets. Historically, the facilities department maintains the mechanical systems, including locks and keys. In many facilities, the doors and locks may be 50 years old or even older. In most facilities the key system reflects the growth of the facility, with different systems and hardware added with each new phase or renovation. Maintaining this complicated system requires tools, and as anyone with experience knows, doors all have a personality of their own. This responsibility is clearly a job for facilities. But there is more to the key system than maintenance and repair.

There are two elements to a key control program:

• the administrative aspects of the key control program, and

• the maintenance of the door and lock hardware.

Administrative key control refers to the ongoing job of managing the access control aspects of the system, clearly a security function. Secondly, there is the maintenance and repair required to maintain the system hardware. In many organizations these two responsibilities are considered the domain of the locksmith. This is why in many organizations the locksmith controls access to the facility. Lock shops are historically focused on the maintenance and repair of the hardware and not the administrative issues involved with access control. In many cases, the definition of key control can be two very different things to a facilities or security department.

The reality is that the value of the key system lies in the information developed from the administration of the system. Much like computers, the hardware is of little value without the software. When administrative key control is handled in the facilities department, there is a cross-departmental responsibility where accountability and responsibility are misplaced. Security management, by definition, is access control — the very safety of the organization is clearly a security function. If there is an event, a simple theft, robbery, perhaps a serious crime, rape or even murder, ascertaining who has access is critical. The investigative responsibility is a security function. Telling law enforcement that you can give them all kinds of information — except who has a key to the door — is simply unacceptable. This is where the cross-departmental nature of the problem is most clear. In order for any system to work correctly, accountability and responsibility must be in the same place. As long as security is accountable to access control the responsibility for the key system must also be with security.

Security directors can evaluate their key control programs using some simple techniques. The first thing to remember is that the key system is the relationship between three specific groups of information — subscribed users, locked doors, and keys. Generally speaking, any inaccuracy in these three groups of information points to a breakdown in the program.

DETERMINING EFFECTIVENESS

There are some techniques to determine the operational effectiveness of your system. The first question you should ask is about the information: Is it even available? More often than not, the information to evaluate the system is not even available. If this is true at your facility, it means the system is failing. One of the most important concepts in key control is restricted key sections. The only way to ensure your program is restricted is to audit the system by attempting to purchase unauthorized duplicate keys at lock shops and retail stores. If you can purchase a duplicate, anyone can and your key control program is not secure.

The second issue is a simple formula

keys in = assigned keys - negated keys.

How many keys flowed into your system? If keys have entered the system without a corresponding number being voided through the repining process, key control has been lost. Is there an accurate door list? How many doors at your facility have locks? This must be exact. The same goes for subscribed users. Can you audit all subscribed users and know which key they hold and which spaces they can access. A security director recently admitted that an audit of the maintenance staff revealed a pirated grand master on every employee's key ring!

In many organizations security and facilities are in the same department or report to the same management. In some organizations the lock shop has already moved to security. Regardless of organizational structure, the operational effectiveness of the system must be based on accurate information that can be audited and confirmed. The challenge is to properly separate the responsibilities of administrative key control from the maintenance and repair of lock and keys. If not for the fact that change is difficult and organizations resist it, this task would be easier. Along with the difficulties of change is the loss of control. The key system represents true power in an organization. The ability to carry a grand master means unrestricted access. The ability to provide that type of access is a powerful tool. Is it one that you control?

FOR THE RECORD

ABOUT THE AUTHOR

Peter Guidi is a consultant specializing in integrated access control solutions. He can be reached at JGuidiJr@Maine.rr.com

HERE'S A PLAN OF ACTION

1. Establish if key control is mandated at your facility; it may not be clear.
2. Agree on one definition for key control in your facility.
3. Establish a set of policies and procedures for key control. Clarify the roles and responsibilities for management of the key system.
4. Have your key control program evaluated by a professional who understands administrative key control.
5. Mandate and verify that all key sections cannot be purchased from local retail establishments.
6. Audit the door database for accuracy. Do you know exactly how many locked doors are at the facility?
7. Audit the keys. Can you account for every key that has entered the system? Can you ensure that no “ghost” grand master, department master or user keys are in circulation?
8. Audit the subscribed user database. Can you determine who carries a key and which door it opens?

Want to use this article? Click here for options!
© 2008 Penton Media Inc.

This month in Access Control

• Opening Up About Door Closers
• An Enterprise Approach
• The Framework For Open Systems
• On A Higher Plane
• More from April's issue