The outcome is all too predictable – uninformed specifications courtesy of Mr Security Manager resulting in access systems that are far in excess of what's actually needed. In the worst-case scenario, loopholes may be created that allow unauthorised access.
What end users have needed for some time now is a definitive guidance document. A 'This is how you do it' ready-reckoner that will help them improve the quality of their specifying decisions. Thanks to the British Security Industry Association they now have such a document.
Aimed at security managers and specifiers (including those in the insurance sector, the police service and facilities managers), and based on BS EN 50133.1: 1997, the BSIA's 'Security Classification of Access Control Systems: Guidance Notes for Specifiers' offers an excellent overview of the procurers' art.
Salient words in the introduction should be heeded by all specifiers: "Be aware of the potential contribution of access control systems when surveying your premises, and understand how and when to specify such systems to effectively control or restrict access."
You'll be thinking to yourself: isn't there a suite of European standards that have been adopted as British Standards (and which adequately cover the design and installation of access control networks)? Well, yes, there are such standards in existence, but they don't give you any guidance on system grading. That's where the BSIA document scores.
First of all you need to determine the level of risk at your premises which, in turn, will influence the choice and design of access control system to be used.
The security of an access control system is determined by a combination of the type of reader(s) used at the access point(s), the various features employed in the system, the type(s) of access door(s) and locks used and the thoroughness of end user security procedures.
There are four levels of access control system in all. These are as follows:
- Level 1: stand-alone PIN pad or token and reader without time-based controls or transaction recording capabilities (the lock control may be on the unsecured side);
- Level 2: PIN pad with unique code for each user, time-based controls and transaction recording capability (in this case, lock controls should be on the secured side);
- Level 3: a token and reader or biometric reader with a unique code for each user, time-based controls and transaction recording capability (here, the lock controls must be on the secured side);
- Level 4: a system with the same features as Level 2 and Level 3, except with token and reader or biometric reader in association with PIN pads at each access point (to gain entry, each user must present a token or a biometric as well as inputting a valid PIN unique to them).
The BSIA guide stresses that, in some instances, additional security may then be provided by a host of 'special features', including anti-passback, dual-badging, video verification and card referral (ie the release of an access-controlled door – remotely – by a Control Room operative subsequent to the user request via card swipe).
A short discourse concerning the various types of access door and electro-mechanical locking devices is handy, but it's the section immediately after that which is arguably of most interest to the practising end user.
The reason is simple. It's all about security management procedures.
Management and levels of access
It almost goes without saying, but the end user must be trained "in the management of access control technology in order to ensure the integrity of the system." The BSIA guide states users should be instructed to ensure that:
- there is strict control of the issue and good care taken of tags/cards for staff and visitors;
- staff changes, lost cards or tags are actioned in the central database as soon as possible;
- staff/system users are fully-trained in the use of the system(s);
- a strict control is maintained on the access that individuals have in premises where there are varying degrees of access.
At the end of the day, the security manager should have well-defined written procedures in place for all of the above.
Written specifications
The final section of the new guide provides some handy examples of security levels employed by access control systems. Access control for security on a low-risk internal door, at the main entrance to a company premises, the rear car park of a corporate HQ and external warehouse doors are just some of the scenarios outlined.
For example, the level of security needed for the main entrance to a company building that's in use 24 hours per day would be Level 4 (when a building is to be used round-the-clock, then a token and PIN system should be deployed during those periods when there is no manned security presence at reception).
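The four levels listed earlier can be turned into a gap check against a written specification. The sketch below is an added example, not taken from the BSIA guide: the field names, the door schedule and the internal door's required level are constructed, and the Level 2 "should" for lock control is treated as a requirement.

```python
from dataclasses import dataclass

@dataclass
class AccessPoint:
    name: str
    required_level: int            # taken from the written specification
    pin_pad: bool = False
    token_or_biometric: bool = False
    unique_user_codes: bool = False
    time_controls: bool = False
    transaction_log: bool = False
    lock_control_secured_side: bool = False

def shortfalls(ap, level):
    """Return what the access point lacks for the given level (1 to 4)."""
    missing = []
    if level <= 2 and not (ap.pin_pad or ap.token_or_biometric):
        missing.append("PIN pad or token reader")
    if level >= 2:
        # Assumption: the Level 2 "should" for lock control is treated as required.
        checks = [(ap.unique_user_codes, "unique code for each user"),
                  (ap.time_controls, "time-based controls"),
                  (ap.transaction_log, "transaction recording"),
                  (ap.lock_control_secured_side, "lock control on secured side")]
        missing += [label for present, label in checks if not present]
    if level >= 3 and not ap.token_or_biometric:
        missing.append("token or biometric reader")
    if level == 4 and not ap.pin_pad:
        missing.append("PIN pad alongside token or biometric reader")
    return missing

def achieved_level(ap):
    """Highest level whose requirements are all met (0 if none)."""
    return max((lvl for lvl in range(1, 5) if not shortfalls(ap, lvl)), default=0)

def audit(schedule):
    """Map each under-specified access point to (achieved level, shortfalls)."""
    return {ap.name: (achieved_level(ap), shortfalls(ap, ap.required_level))
            for ap in schedule if shortfalls(ap, ap.required_level)}

# Constructed door schedule. Only the Level 4 requirement for the 24-hour main
# entrance comes from the article; the internal door's level is assumed.
SCHEDULE = [
    AccessPoint("main entrance (24h)", 4, token_or_biometric=True,
                unique_user_codes=True, time_controls=True,
                transaction_log=True, lock_control_secured_side=True),
    AccessPoint("low-risk internal door", 1, pin_pad=True),
]

if __name__ == "__main__":
    for name, (level, gaps) in audit(SCHEDULE).items():
        print(f"{name}: achieves Level {level}, missing {gaps}")
```

Here the main entrance has a managed token reader but no PIN pad, so it is reported as reaching Level 3 against a Level 4 requirement.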
As the BSIA rightly states, end users should remember one truism here: any access control system should be designed and installed according to a written specification, preferably accompanied by appropriate plans.
Remember that every point of entry into a building must be assessed in terms of risks. Your choice of access control system should then be consistent with those risks.
Source
SMT
Postscript
Copies of 'Security Classification of Access Control Systems: Guidance Notes for Specifiers' are available free of charge from the BSIA (tel: 01905 21464). Alternatively, you can order on the Internet at: www.bsia.co.uk