In the wake of last September's terrorist atrocities, a great many City organisations have embarked upon full-scale evaluations of their security provisions. Today's intelligent access control technology appears to offer the ideal solution to the threat of illegal intrusions but, as Sylvia Campbell explains, when it comes to specification corporate security managers should consider much more than pure security issues.
The final few months of 2001 – and, indeed, the first weeks of this year – marked the beginnings of a radical shift in many peoples' attitude towards corporate security. Largely thanks to the terrorist atrocities Stateside, and the seemingly constant breaches of security at Heathrow Airport, many blue chip businesses have been forced to review their security arrangements from top to bottom.

What's now immediately apparent is that the degree of liberty we once took for granted has been significantly curtailed. And, while some of the impetus for that can be attributed to a knee-jerk reaction to the dreadful events in New York and Washington, there's little doubt that many of the security audits undertaken during the last few months have revealed some woefully inadequate procedures in many of UK plc's foremost companies.

Although a host of organisations do indeed boast well thought-out security policies implemented many years ago – and which, with proper and regular reviews, still serve them well – the past few months have acted as a wake-up call. A catalyst for those concerns and their management teams that have perhaps adopted a somewhat laissez-faire approach.

What we should always remember is that security is a process, not simply a product or a series of systems. As such, corporate security managers need to embrace an holistic approach whereby several different elements work in tandem with one another. Given that many City firms and corporate hqs could indeed represent a credible target for malicious activity, such an objective is paramount.

Vulnerability on several levels
By their very nature, banks, financial institutions and similar multinational organisations represent the face of this country's establishment. Not surprisingly, this makes them vulnerable on a number of levels.

More than anything else, though, they remain a potential target for covert activity. It's all-too-easy for a passing individual to slip unnoticed into these large corporate behemoths whereupon, without adequate checks and controls, they can easily pilfer personal property and cause untold damage to essential equipment and data.

Against this backdrop of corporate worry, what's the solution? In the majority of cases, the remedy is very simple. Modern, intelligent access control systems provide the ideal solution for those organisations that need to guard against both external and internal threats (not to mention actual theft and the spectre of violence against their staff). Such systems represent the perfect response to the eternal dilemma of how to allow the freedom of movement that employees crave, balanced against the need for restricting entry to highly sensitive and critical areas.

Before deciding to install one of any number of access control systems that are currently available for specification, the security manager must first define – in conjunction with the IT and Human Resources Departments, as well as the Board of Directors – what is needed from the system(s). Most of all, the access solution chosen must be totally secure. After all, that's the very reason for installing it in the first place.

In real terms this means that, as well as the system being well-protected against inadvertent or intentional misuse, it needs to successfully distinguish between those individuals with the necessary authority to enter the premises, and those who have no business being there at all.

Just as important is that, for the system to be truly useful, it must be able to expand beyond the remit of mere access control.

For an access control system to be truly useful, it must be able to expand beyond the remit of pure security. As a minimum, it should offer genuine management information and human resources facilities that will augment its basic functions

As a bare minimum, it should offer genuine management information and human resources facilities that will augment its basic functions. For a start, because security means more than just denying or granting access, an advanced system ought to provide some form of event monitoring capability.

Such systems incorporate a separate window within the user interface that presents the operative with a real-time view of each card transaction as it occurs. That said, as well as allowing security managers to check on general system use, the event module can monitor alarms such as a forced entry, a door being left open too long or even the attempted use of an expired card.

By applying the appropriate system filters to each event, the user can specifically monitor certain card readers (such as turnstiles, or perhaps a particular zone in one of the buildings on the corporate campus). This way, an image of the individual cardholder appears on the screen each time that card is used – enabling the on-site security personnel to verify not just the identity of the cardholder but their specific movements as well.

The benefits of reporting
Reporting is another significant area that separates the leading systems from the also-rans. These functions should be configurable such that end users can create new filters, and save them for future use. Human resources managers are said to find the reporting capabilities of these systems invaluable.

The intelligent system should also offer a 'readers report' (showing exactly which cardholders have passed through given entry/exit points and when they have done so). It should also be possible to combine this with what's known as a 'gallery report' (providing a visual confirmation of where personnel are situated in the building).

If all of this sounds too much like Big Brother to contemplate, bear in mind that the technology has its origins in a much less cynical motive. Imagine for a moment that your company's buildings need to be evacuated quickly. Most large organisations will have little or no idea which members of staff are actually on site at any one time. If that's the case, it's even less likely that they'll know the precise whereabouts of each individual. This begs a question. How can the conscientious employer make sure that all company staff are accounted for in an emergency?

The very latest intelligent access control systems are able to maintain a real-time log of all staff movements, updated through their access card use. Should an emergency situation arise, the Personnel Department or Human Resources Department is then able to gain an immediate snapshot of who remains on the premises, and where they are.

One of the most recent intelligent systems innovations is the inclusion of graphical site plans within the user interface. These make it easier for administrators to see, at a glance, any events or alarms inside their building or corporate campus. Again, this makes the system simpler to operate by way of displaying relevant information when it's most needed.

These windows may also be configured so that the map view automatically changes to the area that has triggered the alarm or event (giving security personnel the best possible insight into what has taken place and where).

The intelligent system ought to provide a ‘readers report’ (showing exactly which cardholders have passed through given entry/exit points, and when they have done so). It should also be possible to combine this with what’s known as a ‘gallery report’ (off

Of course, our 'intelligent' system needs to be able to distinguish between authorised and excluded users. The most effective way to achieve this is by adopting a 'zoned' approach. This method uses the information contained within the database to classify access card holders according to which specific areas of the building they need to enter (and at what times).

By way of an example, certain members of staff may need to enter the building at different times to others or, equally, may work shifts that require them to be present on site outside of normal working hours. At the other end of the scale, some users will need to gain access to certain areas of the building purely based on their job function.

A perfect example of this would be a member of staff in the IT Department, who would not only be required to enter sensitive zones where mission-critical office equipment might be located, but who might also have to work unsociable hours. In this scenario, an access control system that's capable of offering defined zones will not only allow that member of staff to go into so-called 'privileged locations', but it will also be able to govern exactly when he or she can enter the building.

Attending to visitors on site
On top of overseeing the movement of staff, access control is essential for determining how visitors are treated within the realms of the organisation in question. More and more corporate concerns are issuing visitors with specific 'single event' passes, bearing details of the time of issue and whom the visitor is meeting. However, given the current concerns about corporate security, organisations should really be adopting a more thorough approach to vetting their guests, and restricting visitor movements through unauthorised areas.

What many companies fail to realise is that invitees to their offices are there for one reason alone – to meet with employees, or undertake a specific task. Therefore, it seems reasonable to restrict their movements to those locations that are wholly relevant to their visit. After all, there's everything to lose and nothing to be gained by a company allowing visitors to roam freely throughout its offices.

In essence, all of this means that guests will have to be treated slightly differently than before. That doesn't mean they should be ignored or insulted. Quite the opposite, in fact. For their own protection, as well as that of the office and its employees, companies should have in place a security procedure that's set in motion well before a guest arrives on site. Every employee that is expecting a visitor should advise reception of their name, employer, time of arrival and the purpose of their visit. In other words, observe basic management procedures.

Many of today's intelligent access control systems can include a visitor management module that, at its most basic level, enables visitor badges to be produced almost instantaneously from the initial information supplied. However, more sophisticated systems will allow the individual host to e-mail the reception desk with full details about the anticipated guest so that they can then be incorporated on the visitor pass.

Nevertheless, none of this means very much when you're talking about controlling the movements of a guest once they're on the premises. What we really need is a system that will issue a visitor pass that's capable of operating an access control system.

Thankfully, the latest contactless card technology makes this a reality. Not only can the new breed of systems provide zoned access for visitors as well as staff, but they're equally capable of granting access rights solely for the duration of the guest's stay in the building.

Scalability on the corporate campus
The march of technological development means that what's state-of-the-art today can often be tomorrow's landfill. However, since the very best access control systems use a modular software construction, they can be extended and upgraded – often without the need for expensive modifications. This also makes them scalable throughout a corporate campus, such that they can operate over several buildings from a single networked PC.

Source

SMT

Postscript

Sylvia Campbell is chief operating officer at Public Access Terminals