Access Management - ISMI Certification PDF
Document Details
Uploaded by OverjoyedLucchesiite
Summary
This document provides an overview of access management, including physical and logical aspects. It discusses the aims, components, and considerations for access control systems, as well as best practices in establishing effective access management. The text also touches upon different design models for access control, covering public facilities and closed facilities. Zoning for different levels of security is also covered in this document.
Full Transcript
Unit 8 – Access Management

Introduction

Access management is a core security management process for managing who (or what) can go where and when. There are two kinds of access management:

- Physical access management.
- Logical (IT systems) access management.

This module focusses on physical access management (people, property, and vehicles), although it is recognised that the move towards convergence is gradually bringing the two areas together.

The module uses both the terms access management and access control. Access control relates to the specific functions of access control systems, such as automated access control systems. It is also the term preferred by installers, and it is the term you are most likely to encounter in standards. Access management is a more holistic, overarching term which is applied to the broader concept of who/what is where and when, and is therefore the better term from the security manager’s perspective.

True access management requires the full and proactive cooperation of all personnel to ensure a secure workplace.

Access management is often regarded as the most important security component for the provision of effective physical security, and some form of access control should be applied at every facility. At its most basic, it may just be a camera or a branch security representative responsible for local security arrangements.

Access management is only one aspect of the overall security arrangements of a facility; it should be designed to complement other measures which are in place. Some other components of a successful security programme (discussed in separate CSMP modules) include the following:

- Physical protection of the perimeter and buildings.
- Intrusion detection systems and response.
- Video surveillance (CCTV).
- Guarding.
- Procedures.

© Copyright ISMI Certification Ltd. No unauthorised sharing, copying, reuse in whole or in part, uploading or webhosting permitted.
V 3.0 (0923)

Access Management Configuration

The Aims of Access Management

The aims of access management can be summarised as:

- To prevent unauthorised entry.
- To facilitate authorised entry.
- To prevent the introduction of prohibited items.
- To prevent the unauthorised removal of property.
- To monitor and control egress.
- To provide an account of who is on site at any given time.

Additional aims, which are specific to context, include:

- To provide information to security personnel.
- To prevent unauthorised observation of sensitive processes/operations, or compromise of sensitive information.
- To protect the organisation’s employees and their property.
- To prevent facility attack or misuse (occupation, sabotage, terrorism).
- To provide an audit trail of access/egress transactions.

The Components of Access Management

Access management is based on the presumption that the boundary of the space to be protected is secure and that control is provided at every point of entry/exit. The number of entrances and exits should be as low as possible, consistent with operational requirements.

Site perimeters should be well defined, well illuminated, signed and guarded in order to serve as a visible deterrent to unauthorised passage. A key function of the perimeter is to direct persons to controlled entry/egress points.

The principal component parts of any access control system are:

- A perimeter in which all access points are secured, alarmed, guarded or access-controlled.
- A portal (barrier, door or gate) to control access.
- A means of identification/authentication.

For this to work, the perimeter should be strong (see Module 6). It should be well defined, illuminated, monitored and provided with signage that deters unauthorised entry and facilitates authorised entry.
Policy and Communication

The organisation should set out its policy regarding access control and promulgate it to all employees. This can be achieved through:

- Example setting.
- Induction briefings.
- Awareness briefings.
- The Employee Handbook.
- Contract of employment.
- Notices (relating to specific points, such as prohibited items, do not enter, tailgating etc.)

The Employee Handbook is an important communication tool. Points to highlight in the handbook are badge wearing policy, prohibited items, access privileges/zones, managing visitors, and challenging strangers.

Separate policies drawn up between HR, Security and in some cases Legal, would cover more specific issues such as badge issue and replacement policy, searching, vehicle access etc.

Standard Good Practice

The following are good practices which help to establish effective access management:

Signage: To advise people that certain areas (site, zone) are private. Also to remind staff and advise visitors what is prohibited on site, and the conditions of entry (eg. search).
A Secure Perimeter: Barriers (such as a perimeter fence) to direct those entering towards an authorised entry point. There should be as few points of entry and exit as the site operations and safety considerations allow. Crowe (1999) also recommends natural access control such as hostile landscaping.
Entry Points Secured: Identification and securing of all gates, doors, windows or any other means of entry to the site (and its buildings and critical areas).
Identification: A means of establishing / verifying the identity of those entering.
Surveillance: CCTV or via guarding; to monitor perimeter vulnerable points (including fire exits).
Zoning: Internal segregation of areas, so that access to critical areas is restricted.
Staff Awareness: Especially to the risks of walk-in thieves, who are typically very confident and enter a site with specific targets in mind – often personal property or laptops.
Card Management: A sound badge management and accountability system. For example, ensuring that cards are issued only to those who need them and that they are programmed for the required time period and user group. Furthermore, there should be a system to retrieve cards from those that no longer require them.

Patterson (2004) identifies the following key elements in establishing access control systems:

- Use single-entry devices, such as turnstiles or revolving doors, to eliminate tailgating.
- Use automated access control systems with secure card keys that are counterfeit resistant.
- Restrict access so staff can enter only during appropriate working hours.
- Periodically reassess levels of access for all staff.
- When an employee or contractor is no longer associated with the organisation, collect his/her badge key and re-key locks, as applicable.

Design Models - Public ‘Exclusion’ or ‘Admittance’ Model

There are a variety of considerations to be made regarding the chosen access management regime. These include the following:

Public allowed in; exclusion by exception - In open facilities such as retail sites and hotels, access management is generally exercised by employees. The basic rule is that anybody is allowed on site (those excluded are specific and by exception). Of course, retail, accommodation and entertainment sites are, in effect, private property. So, the owner has the right to exercise access control via the employees. Open facilities will usually contain specific staff areas to which access is prohibited, except to those with specific authorisation.
Public not allowed in; admittance by exception - In closed facilities, such as manufacturing sites, headquarter buildings etc., the rule is that only those with specific authorisation are allowed on site. These (authorised) personnel will typically include those that have permanent and temporary access. These are discussed in due course.

Critical Areas and Zoning

In theory, access management is relatively easy to achieve. The facility is enclosed within a secure perimeter, the inside is zoned into critical and less critical areas, cards are issued to all those seeking access and the system is configured to allow access only to those who have a need to be there. In practice, this may not be so easy to execute.

A typical site can be considered to comprise 2 or 3 types of zones, for example:

- A public area (on some facilities, although strictly speaking it is private property).
- A controlled area (access is granted only after passing through an access control point).
- Restricted areas (critical areas to which access is allowed only to certain individuals or workgroups).

Often, zoning into “controlled” and “restricted” areas isn’t sufficient. More rigorous application of the principle of layered protection may need to be employed. For example, a famous household brands manufacturer divides its property spaces into four zones:

Level 1 - Public: Anyone welcome. Public environment. No barriers to entry.
Level 2 - Open Collaboration: Invitation only. Discretion required. Wide choice of locations.
Level 3 - Confidential: Trusted individuals. Private environment. Evidence of ID.
Level 4 - Restricted: Vetted individuals. Secure and secret. Strict access control.

Another, site specific, example is provided in the drawing overleaf:
Most organisations wish to maintain the free movement of their employees through normal circulation space in a facility. Fischer, Halibozek & Green (2008) advise that critical areas should be identified and protected. Further, in some regulated industries it is important to identify and protect such space. Examples of critical areas include:

- Mail rooms.
- IT server rooms.
- Hazardous areas.
- Cash handling areas.
- Security control rooms.
- Executive leadership areas.
- Shipping and receiving bays.
- High-density archiving areas.
- Research and development space.
- Critical equipment and plant rooms.
- High value storage or production areas.

However, there is some debate over how such areas should be identified. Labelling the area with a sign that identifies its function could invite crime. Labelling it anonymously with a sign stating “Restricted Area” could cause employees to assume that because they have access to one restricted area this applies to other restricted areas also. In the case of the latter, it is better to add a sign that says: “Do not enter. Authorised persons only.”

Halibozek & Kovacich (2002), as a general principle, advise that doors inside buildings should be locked when not in use (subject to fire and life-safety regulations) and controlled when in use. This is achieved by utilising a combination of the following measures:

- Lock and key systems.
- Combination locks.
- Card-access systems with electronic locks.
- Other employees.

The level of protection required will vary according to time of day and the risks to which specific assets (or individual rooms/buildings within a site) are exposed.
You will recall from Module 7 Premises Security (beginning on Page 21) that we identified the two regimes of buildings protection, working-hours and out-of-hours. As a general rule of thumb, during working hours reliance should be placed on strong access management and monitoring for deviance. During quiet hours, the emphasis should be on sealed barriers, locks, intrusion detection and response.

The Two-Person Rule

Some organisations have high security areas in which a person cannot be in the area alone. To control entry, two employees with valid coded cards must use their cards in sequence – within a specific number of seconds of each other – to unlock the entry or exit. If only one employee attempts to enter or exit, passage will be denied, an alarm will sound and a permanent record will be made of the violation attempt. The locking feature can be designed to fail-safe if life safety requirements dictate that the exit should not be impeded under emergency conditions.

Increasingly, the need for the two-person rule is being obviated by greater use of CCTV surveillance, which can also incorporate facial recognition.

Adding Value – The Role of Staff

Much access control places over-reliance on layers of boundary security. It is important, however, to always view the space between layers of security as a layer in itself. The emphasis should be on all staff and visitors wearing identification badges (which indicate clearly where they can and cannot go), and a culture of staff challenging any lone visitor whom they do not recognise. Here, polite questions like “Are you new here?” or “Do you need any assistance?” will usually receive a more cooperative reply than “Do you have authority to be here?” However, there may be times when a forceful tone is appropriate, such as when safety regulations are being violated.

Emergencies

All buildings must comply with local and national fire regulations, including emergency exit requirements.
Where there is a requirement for means of escape it should not rely on the operation of the automated access control system. Subject to good design, the automated access control system can provide for “fail safe” or “fail secure” operation. In fail safe mode portals will release on loss of power; in fail secure mode portals will remain closed.

Automated access control systems should not provide the emergency means of escape. Instead, emergency exit should be provided by human operation at portals. When such an event occurs, portals will signal a door open alert, following which an appropriate response should be defined.

Access Management and Automation

The Historical Picture

Historically, access control measures relied solely on officers to manually check badges and a series of locks and keys (the most basic form of access control), barriers, structures and guards.

Human verification still has its place. For example, it can be used as an extra security measure so that the user is initially identified by an electronic system but only the subsequent verification by a human operator permits the door to open. This method also allows for checks against tailgating.

But manpower is expensive and inconsistent. Metal keys are easy to duplicate, locks are problematic to re-key when a key is lost or compromised, and there is no audit trail of who used the lock to gain access or egress, and when.

Increasingly these functions are integrated into automatic access control systems (AACS), allowing for campus-wide access management. AACS can provide additional functionality such as automated identification/authentication, audit information and zone-controlled access.

For non-sensitive sites of less than 50 staff, there may be no need for a formal badge-checking mechanism.
Automating Access Management

AACS are a means of managing the passage of persons, vehicles or materials through designated points within a facility via an electronic control system. They utilise both electronic and electromechanical hardware systems together with specialised procedures and programming to control and monitor movement into, and out of, a protected area.

In some circumstances, an access control system, especially AACS, may also serve the Payroll Department as a time and attendance monitoring tool. Note however, that legal advice should be sought before this data is used for evidential purpose in any investigation.

Technology allows systems not only to perform basic lock and key functions, but also to establish and control specific access procedures for each person and each door within a facility, and to adapt to changing circumstances, such as employee turnover, temporary employees and contractors.

Dalton (1995) notes that AACS can become extremely effective and cost effective, especially when integrated with other security and facility-related functions such as intrusion detection, CCTV and fire safety mechanisms.

Globally, there are hundreds of AACS manufacturers offering solutions ranging from simple stand-alone configurations to fully-integrated multi-site systems. This makes it difficult to compare like-for-like systems.

In the UK (and Europe) BS EN 50133 provides guidance on automated access control systems.

Before selecting a system, great care needs to be taken with vendor research and selection to ensure that you select a system which:

- Works well with existing door hardware and locking systems.
- Is competitively priced and delivers good value.
- Is adaptable to re-scaling and integration with other PPS elements.
- Has the capability to deliver added return on investment through additional functionality, such as time and attendance.
- Takes account of the accessibility needs of less able people and any relevant associated legislation (for example, in the UK the Equality Act and Disability Discrimination Act).

The advantage of a fully integrated system is that the software can be programmed to produce automatic responses when certain events are triggered. For example, when a fire alarm occurs in a facility, the computer system might display a floor plan of the affected area, or will record and show CCTV images in real-time, make the necessary adjustments to the access management regime, and may even indicate a pre-agreed series of actions for the monitoring security controller to follow.

Key advantages of AACS include:

Baseline: Provide a baseline and auditable level of security across an organisation.
Cost Reduction: In most circumstances AACS are less costly than guards. AACS also operate to a consistent level of performance.
Mobility: If using a standard system it should be possible to provide mobility from one site to another – so-called “agile working”, allowing company employees to work at any company site.
Health and Safety at Work: Those who regularly work in an area will be aware of the health and safety risks and will have been trained as necessary. AACS ensure that the chances of inadvertent access to a hazardous area are reduced.
Personal Safety: By limiting access into work areas and parking, the risk of assault on personnel, or robbery, especially during quiet hours, can be reduced.
Grouping (Suiting): Using AACS, access can be granted by various criteria in addition to individual credentials. For example, the system can group employees into specific access categories, as is often the case with IT access management.
Intrusion Detection: AACS are able to notify immediately of any attempt by an intruder to pass through an access control point. If the system is part of an integrated PPS the system should automatically be able to provide CCTV evidence. Importantly, AACS facilitate immediate and accurate response.
Hassle-Free Operation: Using proximity cards with AACS significantly speeds up throughput.
Emergencies: AACS provide an instant record of who is on site and where, depending on the degree of the sophistication and zoning of the access management system.
Improved Accountability: AACS can monitor all movements within a facility and produce system reports to ensure personnel compliance with policies and procedures.
Investigations: The audit trail data stored by AACS may be critical to many investigations.
Inventory Management: AACS can be integrated with passive and active RFID (see Module 7, page 52) to track inventory and to ensure that important assets don’t leave the facility in the wrong hands. Even without RFID, AACS are an important element in protecting assets.
Facilities Management: AACS can regulate heating, ventilation, air conditioning and other equipment, and can automatically open doors for emergency exit.
Card Cancellation: AACS allow for the immediate cancellation or suspension of cards that are reported lost or stolen. Moreover, access control privileges can be instantly removed or changed in the event of employee termination or departmental change.
Card Deletion or Replacement: If an employee leaves the company, or a card is lost, this can be managed in one simple automated operation. This avoids the need to change locks.
Increased Productivity: Employees are confined to their allocated work areas where their presence will benefit the organisation.
Consistency and Improved Accountability: AACS perform more consistently than humans, and are not subject to human failings, weaknesses and temptations (eg. bribery, favouritism, turning a blind eye, bullying).
Evidence and Audit Trails: AACS provide an irrefutable record of who was (or at least whose card was used) where and when.
Time and Attendance Monitoring: AACS can be used for time and attendance monitoring. This provides opportunities for other departments to share in the procurement budget for new AACS.
Reducing Unauthorised Breaks: By locating toilets and smoking areas outside of the controlled workplace, employees are less inclined to abuse the time spent in these places. Again, another example of shared budgeting.
Integrated Management: Using TCP/IP, AACS can be incorporated into an integrated PPS, with a management system that controls associated functions such as IDS, CCTV, inventory management etc.
No Card/No Entry Policy: Ensures that no employee enters the site without a valid card having been read.
Protection of Multi-Tenant Buildings: Each tenant can receive an individual report for their floor or suite. Thus, the operating costs associated with having individual systems can be reduced and the building is safer in the event of an emergency.

Authorisation Profiles

All personnel enrolled into an AACS should be allocated an authorisation profile. This may be specific to the individual or to a group of personnel. The authorisation profile defines the ability of the card through the data encoded on that card, which is read by the reader. This may be an identification number in the case of some technologies (such as Wiegand) or stored data specific to the user.

Authorisation profiles typically take into account:

- Access level.
- Zone.
- Door.
- Working schedules.
- Previous events (eg. mantraps, pass back etc.)
- Alarm condition.

On-line and Off-line AACS

For an on-line system, when a credential is presented to a reader, the information is sent to a door controller. The controller compares the credential to a list of authorised users in the database. If there is a match, taking account of the day/time of the request if applicable, the controller will send a signal to release the door lock, gate, barrier or turnstile. The controller will then ignore a door open signal generated by a monitor contact switch to prevent an alarm. A signal is sent to the reader to provide audio/visual feedback to the user to show that access is granted.

For an off-line system, when a credential is presented to a reader, the reader checks with the data on the credential if the user is allowed through the access point at that time. If access is allowed the reader will release the lock and then update the credential with this information. At some point the credential must be used at a reader connected to a controller so that all transaction data on the credential can be logged and any changes in access rights can be written to the credential.

Anti-Passback Functionality

An anti-pass back procedure stops an authorised user passing their badge back to another person to gain access through the same reader. The problem is quite common at lunchtimes in some facilities when someone has “forgotten” their badge; another employee passes back their badge after gaining access into the site. But the weakness can also be exploited by criminals. Therefore, high-risk facilities might consider the deployment of an anti-passback feature.
The BSIA (2012) states that anti-passback functionality is designed to detect whether a user’s credentials are used to enter an area when the system already believes the user to be in that area. This feature can be useful to stop a user who has entered an area from passing their token to another person outside the area.

Two forms of anti-passback exist, namely hard anti-passback and soft anti-passback:

- Hard anti-passback disallows a second access to an area if a valid exit has not previously been registered and generates an alarm.
- Soft anti-passback does allow a second access to an area if a valid exit has not previously been registered but generates an alarm.

Anti-passback rules are generally reset after a pre-set period after valid entry, at a fixed time each day, on exit from site or manually as an over-ride.

Anti-Tailgating Functionality

Tailgating is an access management vulnerability. It occurs when two people pass through an access control point at the same time, or when an unauthorised person quickly follows behind an authorised person after they have presented their badge to a reader. It is most common where a door may take some time to close after having been opened by an authorised person. Although a common practice by employees, this technique is often exploited by criminals (who, otherwise, present themselves as being legitimate).

Two forms of anti-tailgate exist, namely hard anti-tailgate and soft anti-tailgate:

- Hard anti-tailgate employs physical means such as turnstiles to restrict movement.
- Soft anti-tailgate does not prevent the unauthorised person, but uses detection methods to generate an alarm, for example an infrared beam.
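The on-line controller decision and the hard and soft anti-passback forms described above can be expressed as a small state machine. The sketch below is an added example, not part of the ISMI text or any vendor's product; the class names, the card number A100, the zone "lab" and the badge events are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Optional


@dataclass(frozen=True)
class Profile:
    """Authorisation profile: zones the card may enter and its working schedule."""
    zones: frozenset
    start: time
    end: time


@dataclass(frozen=True)
class Decision:
    granted: bool   # release the lock?
    alarm: bool     # raise an anti-passback alarm?
    reason: str


class DoorController:
    """Hypothetical on-line controller: profile check first, then anti-passback."""

    def __init__(self, profiles, mode="hard", reset_after: Optional[timedelta] = None):
        if mode not in ("hard", "soft"):
            raise ValueError("mode must be 'hard' or 'soft'")
        self.profiles = profiles        # card id -> Profile
        self.mode = mode
        self.reset_after = reset_after  # pre-set reset period after a valid entry
        self.inside = {}                # (card, zone) -> time of last valid entry
        self.audit = []                 # every transaction, granted or denied

    def _log(self, now, card, zone, action, decision):
        self.audit.append((now, card, zone, action, decision))
        return decision

    def request_entry(self, card, zone, now: datetime) -> Decision:
        profile = self.profiles.get(card)
        if profile is None:
            return self._log(now, card, zone, "entry",
                             Decision(False, False, "unknown credential"))
        if zone not in profile.zones:
            return self._log(now, card, zone, "entry",
                             Decision(False, False, "zone not in profile"))
        if not (profile.start <= now.time() <= profile.end):
            return self._log(now, card, zone, "entry",
                             Decision(False, False, "outside working schedule"))
        key = (card, zone)
        entered = self.inside.get(key)
        if (entered is not None and self.reset_after is not None
                and now - entered >= self.reset_after):
            entered = None              # rule has reset after the pre-set period
        if entered is not None:         # system believes the user is already inside
            if self.mode == "hard":
                return self._log(now, card, zone, "entry",
                                 Decision(False, True, "anti-passback: no exit registered"))
            self.inside[key] = now      # soft: allow the access but raise the alarm
            return self._log(now, card, zone, "entry",
                             Decision(True, True, "anti-passback: no exit registered"))
        self.inside[key] = now
        return self._log(now, card, zone, "entry", Decision(True, False, "ok"))

    def request_exit(self, card, zone, now: datetime) -> Decision:
        # A valid exit clears the anti-passback state. Exit is never refused
        # here (an assumption of this sketch).
        self.inside.pop((card, zone), None)
        return self._log(now, card, zone, "exit", Decision(True, False, "ok"))

    def manual_reset(self, card, zone):
        """Operator over-ride of the anti-passback state."""
        self.inside.pop((card, zone), None)


# Constructed sample data: one card, one zone, one working day.
PROFILES = {"A100": Profile(frozenset({"lab"}), time(8, 0), time(18, 0))}
DAY = datetime(2024, 1, 8)
EVENTS = [
    ("entry", "A100", "lab", DAY.replace(hour=9, minute=0)),
    ("entry", "A100", "lab", DAY.replace(hour=9, minute=1)),   # badge passed back
    ("exit",  "A100", "lab", DAY.replace(hour=9, minute=5)),
    ("entry", "A100", "lab", DAY.replace(hour=9, minute=6)),
    ("entry", "A100", "lab", DAY.replace(hour=20, minute=0)),  # outside schedule
]


def replay(mode, reset_after=None):
    """Run the constructed events and return (granted, alarm) for each one."""
    ctl = DoorController(PROFILES, mode, reset_after)
    results = []
    for action, card, zone, now in EVENTS:
        handler = ctl.request_entry if action == "entry" else ctl.request_exit
        decision = handler(card, zone, now)
        results.append((decision.granted, decision.alarm))
    return results


if __name__ == "__main__":
    for mode in ("hard", "soft"):
        print(mode, replay(mode))
```

The only difference between the two modes is the second event: hard mode keeps the door locked, soft mode releases it, and both raise the alarm and write the attempt to the audit trail.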
Interoperability of AACS

Source: BSIA (2012)

Over the years, systems from different manufacturers have started to use common methods of interconnecting components, LAN technology being a common example. In addition, common communication protocols such as TCP/IP have also been developed. These developments have led to an increasing likelihood that systems from different disciplines can be integrated to give a common benefit. This is called Interoperability.

An integrated security solution can reduce cost and provide a return on investment by eliminating costly manual processes. However, the major benefit is the improved security that can be provided at a time when security is a great concern to all organisations whether they are in the public or private sector.

Any system chosen must meet today’s requirements, but must also fit the customer’s needs into the future. This is a difficult challenge which requires predicting how the organisation may change and grow, and ensuring that the systems have the scope to expand to meet these needs.

There are many advantages to integrating systems. The following list represents some of the major benefits:

- Different disciplines may be operable from a common user interface, where the operator can see access control events, intruder alarm activations and video activity on a single screen. This can make investigation much more straightforward and reduce the need to send security officers out to respond to security breaches.
- Combining access control and fire systems allows fire alarm mustering - know where your employees are at a given time. Furthermore, the access control system can monitor the fire alarm system to automatically release the appropriate electric locking mechanisms. The proposed link between the access control system and the fire system should be evaluated as part of the fire risk assessment.
- Access control and other security detection systems can initiate pre- and post-event video recording, linking the video clip with the event information. This can make searching for events more effective as it is much quicker to search for an event in the alarm log, rather than search through hours of video.
- Intruder and hold up alarm system control functions can be managed by the access control system – allows the intruder alarm system to be unset on presentation of a card before entry is granted. If the user is not authorised to unset the system, access is denied.
- Initiate camera presets when specific pre-determined events occur, eg. when entering a room in a bank, switch the camera to zoom onto the door to identify the individual.
- Use video with time and attendance system to detect / eradicate “buddy-clocking”, a practice where employees clock each other on and off work.
- Using an occupancy count from the access control system can reduce false alarms - the intruder and hold up alarm system can be notified not to set if the access control system is aware that not all users have exited the building.
- Building management systems (BMS) are responsible for monitoring and controlling the environment of a building, for example lighting, heating and ventilation (HVAC). By integrating access control systems with BMS systems, the lighting can be switched on and the temperature can be increased to normal when a user enters an area.
- One of the fundamental objectives of a security system is to provide protection at the outermost perimeter of a property. A perimeter intruder detection system can be used, linked with video, to provide early warnings and increased security through verification in the event of a breach. For example, external doors could be automatically locked if the perimeter system detects an abnormal event.
- By using smartcard technology, cashless vending becomes a reality. The same card that gets you into the building can also hold money for the vending machines or canteen.

Access Management Regimes

The UK Grading System

In the UK, access control points are graded according to the type of business and risk associated with the premises being secured. The grade applies to the protected area and not the overall system, therefore mixed grades may be utilised within any premises. In this regard, the BSIA (2012) provides the following information:

There are four grades:

Grade 1 (Low risk): A stand-alone lock (code, PIN or token), or off-line system, controlled in a public area for low risk situations.
Grade 2 (Low to medium risk): An on-line system utilising tokens or PINs to prevent access to the premises. Events are received in real-time on the monitoring software.
Grade 3 (Medium to high risk): An on-line system using two factor authentication or single-factor biometric to prevent access to the premises. Events are received in real-time on the monitoring software.
Grade 4 (High risk): An on-line system using two (or more) factor authentication, one of which should be biometric or human image verification to prevent access to the premises. Events are received in real time on the monitoring software.

The grade applied to each point may increase with time according to requirements, for example, card only during office hours and card and PIN outside hours.

The grades applied by the UK’s BSIA correspond to those used by the UK National Security Inspectorate in NCP 109 - Code of Practice for Design, Installation and Maintenance of Access Control Systems, but differ slightly from those used in European Standard EN 50133-1.
More on the grading of specific access control elements can be found in the BSIA guide at: https://www.bsia.co.uk/zappfiles/bsia-front/pdfs/132-specifiers-guide-access-control-systems.pdf

Some of the more common control regimes are presented below.

Card Entry and Push-Button Egress

In such configurations entry is controlled by a card reader and exit is by pressing a request-to-exit button.

- This is a very basic and common system that can restrict access to a degree, but is best confined to small, low-security buildings.
- The system may be off-line (all card transaction data stored locally, such as with a hotel room), or on-line (card transaction data displayed or recorded centrally).
- May just require a handle or thumb-turn knob to egress, rather than a push button.

Advantages:
- Convenient.
- Simple to administer.

Disadvantages:
- Weak security.
- No accounting of who is on site.
- Vulnerable to tailgating.
- Vulnerable to card passback.

The BSIA (2012) notes that an important safety feature to consider is the ability to exit a door if the access control system is unavailable – this is called mechanical free egress. This is usually achieved with a green break-glass device that removes power from the lock. This must always conform to building regulations, local authority requirements and fire service requirements.

Card Entry and Card Egress

Generally entry is controlled and exit is uncontrolled. If exit is to be controlled, a second reader is needed on the secure side of the door.

- This is a commonly used system and provides a low to moderate level of security if anti-passback functionality is incorporated.
- It is easily exploitable, but is a standard used in many facilities.
- The system should be designed not to allow egress to cards which have not “entered”.
- There must always be push-button or push-bar override at exit for emergency.

Advantages:
- Convenient.
- Retains a record of transactions and can be monitored in real time.

Disadvantages:
- Vulnerable to tailgating.
- Vulnerable to card sharing.

Card Entry and Card Egress plus Internal Movement Controls

This is a variation of the previous, but with a fully-zoned system.

- The layered approach increases security but it provides only a moderate security level.
- This kind of regime allows for complex access privileges to be allocated to personnel or workgroups using spatial and temporal criteria.

Advantages:
- Real-time monitoring of movement.
- Can be used for guard tour management.
- Lots of programming options.

Disadvantages:
- Vulnerable to tailgating.
- Vulnerable to card sharing.

Card Entry and Egress plus Internal Movement Controls and Dual-Factor Authentication

Dual-factor authentication requires a unique PIN to be entered into the reader at the time of card reading, significantly raising the level of confidence in the security of the system.

- The slightly longer transaction time (throughput rate) is offset by the reduced risk of walk-in thieves.
- Throughput can be optimised by the use of proximity cards. The card is read remotely and all that is required of the holder is to enter a PIN.
- Usually not specified as “default”. You have to request this functionality.

Advantages:
- As per previous, plus…
- Higher level of security.
- Option to “dual factor” specific zones only.
- Option to use “dual factor” for out-of-hours operation only.

Disadvantages:
- Vulnerable to tailgating unless turnstiles are used.
- Longer throughput times unless proximity cards are used.
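The following Python sketch is an added example, not part of the original module or of any vendor's product. It models the controller logic behind the card entry and card egress regime: egress is refused to cards that have not “entered”, re-entry on a card already inside is refused (anti-passback), card and PIN is required outside office hours, and the occupancy count tells the intruder alarm whether it may set. The class name, office hours and card data are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass, field
from datetime import datetime, time

# Assumed schedule: card only in office hours, card and PIN outside them.
OFFICE_START, OFFICE_END = time(8, 0), time(18, 0)


@dataclass
class ZoneController:
    """Hypothetical controller for one zone with an entry and an exit reader."""
    pins: dict                                    # card id -> PIN (constructed data)
    inside: set = field(default_factory=set)      # cards recorded as in the zone
    events: list = field(default_factory=list)    # audit trail of every decision

    @staticmethod
    def office_hours(when: datetime) -> bool:
        return when.weekday() < 5 and OFFICE_START <= when.time() < OFFICE_END

    def _log(self, card, direction, when, granted, reason):
        self.events.append((when.isoformat(), card, direction, granted, reason))
        return granted, reason

    def entry(self, card, when, pin=None):
        if card not in self.pins:
            return self._log(card, "in", when, False, "unknown card")
        if card in self.inside:
            # The card is already inside, so it has been passed back or shared.
            return self._log(card, "in", when, False, "anti-passback")
        if not self.office_hours(when):
            if pin is None:
                return self._log(card, "in", when, False, "PIN required")
            if not hmac.compare_digest(pin.encode(), self.pins[card].encode()):
                return self._log(card, "in", when, False, "wrong PIN")
        self.inside.add(card)
        return self._log(card, "in", when, True, "granted")

    def exit(self, card, when):
        if card not in self.inside:
            # No entry on record: the holder tailgated in or borrowed a card.
            # This is a logical refusal only; mechanical free egress stays available.
            return self._log(card, "out", when, False, "no entry recorded")
        self.inside.remove(card)
        return self._log(card, "out", when, True, "granted")

    def may_set_intruder_alarm(self) -> bool:
        """The alarm should not set while the count shows people inside."""
        return not self.inside

    def reset_after_evacuation(self, when):
        """Emergency override bypasses the exit reader, so the count is stale
        after an evacuation; clear it so anti-passback does not lock users out."""
        for card in sorted(self.inside):
            self._log(card, "out", when, True, "evacuation reset")
        self.inside.clear()


def run_demo():
    """Replay constructed transactions and return the reason for each."""
    zone = ZoneController(pins={"A100": "4821", "B200": "7390"})

    def mon(hour, minute=0):
        return datetime(2024, 3, 4, hour, minute)   # 4 March 2024 is a Monday

    results = [
        zone.entry("A100", mon(9)),                # office hours, card only
        zone.entry("A100", mon(9, 1)),             # same card again: passback
        zone.exit("B200", mon(9, 5)),              # never entered
        zone.entry("B200", mon(22)),               # out of hours, no PIN
        zone.entry("B200", mon(22, 1), "0000"),    # out of hours, wrong PIN
        zone.entry("B200", mon(22, 2), "7390"),    # out of hours, card and PIN
    ]
    return [reason for _, reason in results], zone


if __name__ == "__main__":
    reasons, zone = run_demo()
    print(reasons, "occupancy:", len(zone.inside))
```

The audit trail in `events` records denied transactions as well as granted ones, which is what makes passback and tailgating attempts visible to an operator.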
Card Entry and Visual Identification by Guard

This kind of system is used where guard labour costs are low, on a temporary site, or where a very high level of security is required, such as at a military installation.

- It is also often used to manage the access of contractors.
- Some systems display the user’s photograph on a screen for guards to compare.
- This kind of system is sometimes developed into a badge exchange system, where the holder exchanges an identification credential for a second badge to be used on site.

Advantages:
- Can be very quickly established.
- Easily re-scalable.
- May be used as extra security measure if security alert and operating level rises.

Disadvantages:
- Heavily dependent on guard to do his job properly.
- Labour intensive.
- Little ability to audit trail and to know who is on site in the event of an emergency.

Implementation Methodology

The Security Risk Analysis

Often, AACS will be specified as part of the baseline security standards, but it is also useful, before considering the installation of an access management system, to carry out a security risk analysis (refer to CSMP Module 1 for methodology) in order to determine the level of security required. An access management system will be only one element of an overall security package. The risk-based approach uses the following cycle:

The analysis will also consider the operations of the area to be protected and any special features or local legal requirements. Within a single facility, there are likely to be different levels of risk. It may also review environmental aspects and the aesthetics of the building or area to be protected. Fischer, Halibozek & Green (2008) note that controls must not interfere with the facility’s operation.
Perhaps most important of all, a safety risk assessment should be undertaken to ensure that nothing which is implemented can pose a risk to the evacuation of building occupants (or their movement within the building) in the event of an emergency. Controlling access to a facility is the property owner’s right, but impeding egress may put lives at risk. For example, the bolts on emergency exit doors should be checked regularly, as they could stick in an emergency. This includes electronic bolts, which may not release if the door is subject to pressure from employees pushing on the door to exit.

In cases of upgrading existing systems a security vulnerability analysis (Module 7, page 18) should be carried out also.

Specifying a System – Methods of Specification

On page 40 of Module 6, you were introduced briefly to the concept of specification. There are three basic approaches to specification:

- Invitation for bid (based on a common understanding of the features required).
- Request for proposal (based on the desired performance characteristics of the system).
- Sole source (when you have a vendor “on board” and you want to maintain continuity, or for projects that don’t require competitive tendering).

Both Patterson (2004) and Garcia (2008) advise against the use of invitation for bid (IFB) for security systems procurement as this usually leads to the selection of the lowest cost equipment based on the presence or absence of features, rather than performance.

With request for proposal (RFP), however, the vendor or consultant is presented with the problem (the requirements) and responds with a comprehensive solution. RFP is a longer process, and often more expensive, but it usually provides a much better solution, allowing for better integration and rescaling at a later point.
It also means that if the system doesn’t perform as it should when installed, the onus is on the installer to fix the problem.

If you are faced with a new build, you may find yourself in a situation in which the majority of the door hardware has been procured by the fastest and cheapest means – Invitation for Bid (IFB). After all, a door is a door and a lock is a lock. But you are advised, nevertheless, to go through the RFP process if you then plan to install a campus-wide, fully integrated AACS.

With existing sites, RFP is the correct approach for system-wide replacement, but IFB or sole source may be appropriate if only an upgrade or addition is required.

There is a great deal beyond the scope of this module on specification, and in this regard Patterson’s Implementing Physical Protection Systems (published by ASIS, and available via Kindle) is a strong recommendation.

Specifying a System – Some Considerations

There are many issues to consider when specifying a new or upgraded access management system. The following lists some of the many considerations. You will doubtless be able to think of other considerations and factors.

What Am I Looking for?

- What are the system objectives? What am I trying to achieve?
- What are the threats, risks and vulnerabilities and how well does the proposed system address these?
- What are the technologies available, and the cost implications involved with each?
- What functionality do I need? Proximity? Smartcard storage?
- How big is the system to be? What exactly do I need to control?
- Does the new system deliver a quantifiable return on investment? (This may be quantified in various means, including risk reduction, faster throughput, greater productivity etc.)
- Are there any specific cultural considerations?
- What are the operating and sundry costs?
- What will be my requirements with regard to system integration, production of reports etc.?
- What do I have the space to physically fit in?
- Which of the available technologies will work best for my site?
- What level of tamper resistance do I need?
- What type of access regime am I seeking? (Discussed later).
- Will I need a lock-down facility (eg. hospital baby snatch, gunman on site etc.)? If so, should it be zoneable so as to contain a threat or will this increase the risk to personnel trapped in the zones?

Procurement

- Who will be on the consultative and procurement project management teams?
- Am I going to involve representatives from all stakeholder groups? Who are they?
- Do I want to project manage the introduction of the system directly or work with a supplier, general consultant or specialised technology integrator? What are the cost implications of each of these choices?
- To what extent will use of particular components or specification of particular features tie me into a single supplier, and what are the cost and contingency implications of this?
- Can the system be built, programmed and tested off-site (factory acceptance testing)?
- To what extent will the site be disrupted by the installation?
- How much support will be required from the vendor (eg. remote access)?

Management

- What are my real-time data display requirements?
- What are the manpower implications of the selected system?
- How simple will it be to add/delete/suspend users?
- How simple/quick will it be to produce cards?
- What is the site’s employee turnover and what are the implications for card production?
- How long should it take to produce a card?
- Vendor-based card production system or local on-site?
- What will be the verification and authority procedure for card issue?
- What are the classes of contractors that are authorised to have semi-permanent/permanent badges?
- Who will control the badge management process, Security or HR?
- What are the associated procedures that need to be written and published (issue, lost and stolen, return, replacement, display etc.)?
- How will I enforce badge wearing discipline?
- What are the in-hours/out-of-hours requirements and the traffic flows associated with each?

Integration

- To what extent does the system need to be integrated with other PPS components, such as CCTV, IDS, RFID inventory management systems?
- Can the new system be retrofitted into the existing system?
- Is the system going to be stand-alone or am I going to use TCP/IP protocols for data transmission? If so, will I use Power over Ethernet?
- Am I prepared (redundancy) for cyber-attack disruption if I select the IP option?
- How will the system integrate with electric door strikes and where will I use electromagnetic locks?
- What access control furniture? Turnstiles or other?
- What are the compatibility issues of the choices?
- Do I have any legacy systems to integrate (eg. other readers, existing door strikes, existing turnstiles etc.)? If so, will I need to choose a system with more than one technology (eg. magnetic stripe and proximity)?
- Do I require the system to work across multiple sites? Is it possible that a multi-site card will be required in the coming 5-10 years?
- Convergence with logical (IT) access control?
- Other functionality, for example time and attendance, vending, HVAC control, automatic elevator call, lighting, on-board card storage space for consignment details if logistics employee?
- Any required storage space for personal details and biometric information?
- Single site or multi-site?
- Multiple technology cards?
Functionality and Reliability

- What should be my target throughput time for each user?
- What throughput do I need to achieve at peak periods?
- How many pedestrian access lanes are needed for access at peak periods?
- Will the access and egress points be the same?
- How reliable is the proposed card technology?
- How long can I expect a card to last?
- How easily can I generate a card?
- How easily can a card be forged?
- How reliable are the access control readers? False acceptance rate? False reject rate?
- Can the system integrate a visitor pass system with ease and what are the labour implications?
- What anti-passback safeguards do I want?
- Do I require two-factor authentication (in part or in full)?
- If the card is not used at the entrance, can the system ensure that it will then not function elsewhere?
- What would be the extent and frequency of maintenance downtime?
- How versatile is the system? Can it use cards from generic manufacturers?
- What is the maximum number of users and what is the potential for future expandability (future proofing)?
- Does the system need to incorporate strong physical barriers (eg. full-height turnstiles)?
- What height do I want the readers?
- After what period of time should an open door alarm if left open?
- How will I configure the system to work in an emergency?
- How will the system cater for users with disabilities?
- Which entry portals should “fail secure” and which should “fail insecure (fail safe)”?
- Are there any wireless requirements? (Relatively uncommon in AACS).

Cards

- How long can I expect a card to last?
- How easily can I generate a card?
- What data do I want to have on the card?
- How easily can a card be forged?
- How future-proof is the card technology?
- How secure will the selected system be against card forgery?
- Am I going to use different card systems for employees, contractors and visitors?
- To what extent, if any, should visitors’ cards have embedded technology?
- What information to put on the badge? (Discussed later).
Access Control Hardware Options

There are many means of granting authorised persons access to specific areas. Bearing a badge or token is one method used since ancient times. Carrying an authorised key is another. In its simplest form, access control imposes a physical restraint to be overcome or bypassed in order to gain entry. The most basic form of restraint is a locked door or a guard.

Locks and doors were addressed in Module 7 – Protecting Buildings. Module 7 also presented, in Annex B, some guidelines for good key control.

Modern technology presents us with a myriad of conventional and unconventional locking systems. Despite this, most sites tend to stick with the conventional/familiar, many of which have significant security shortcomings. Some of the more common entry control systems are discussed below.

Card Readers

In a typical facility, doors are protected by card readers. Ideally, this should be set up as part of an access management zoning plan for a facility.

Card readers read the credential from a card, or a PIN from a keypad, and forward the data to a controller. Most also provide an audio and visual method of feedback to indicate to the user whether access has been granted or denied.

The principle of protection in depth dictates that security should become progressively stronger towards the target. With AACS, unfortunately, the opposite is often the case. The strongest access management is encountered at the main perimeter access control point, and what follows between there and valuable assets is often, at best, a series of doors with card readers, which are relatively easy to defeat. To an extent, this can – and should – be overcome by requiring card holders to enter also a PIN. But this doesn’t alleviate the problem of tailgating.
Physically, this can be prevented by the use of turnstiles or glazed rotating entry booths. Electronically, infrared light can be beamed across a doorway (also known as an “air gate”) to permit one entry per card transaction or cameras can be set up to automatically identify if more than one person enters on a single card transaction. Procedurally, employees can be threatened with discipline if they violate the one card swipe/one entry rule. But in practice, there are always vulnerabilities.

Some card readers require the card to be placed inside or directly onto the reader, while others are designed to read cards at a distance (proximity). The latter is convenient but such systems should always be used in association with a PIN, as in some cases an authorised user could walk past doors and inadvertently unlock them.

Card Reader Variations – Combined Reader/Controller

As the name suggests, some system readers combine the functions of the reader and the controller in a single device. They hold a copy of the user database allowing them to make the decision to grant or deny access even if the controller cannot access the network. The access decision logic can be made on the unsecure side of the access point (Source: BSIA: 2012).

Card Reader Variations – Offline Readers

An offline reader differs from a combined reader / controller in that it does not maintain a database. With offline readers, the card itself holds the information that defines which doors are valid, and the times that access is allowed. The offline reader analyses this information and grants or denies access as appropriate (Source: BSIA: 2012).
Card Readers and Single or Dual Factor Authentication

With single-factor authentication (based on “something you have”) a holder presents a badge to a reader and an access decision is made based on the validity and authority credentialed to that badge. Single-factor authentication is preferred where there are high throughput needs, but the system is relatively low in security value and can easily be circumvented.

Dual-factor authentication requires the card to be accompanied with another piece of information unique to the holder, usually a PIN. This slows down throughput but significantly increases security.

Some facilities use single-factor authentication on busy, main entrances, and dual-factor authentication for inner, more sensitive areas, or for access during quiet hours. This works only in cases where the security access furniture to the inner areas is of an appropriate standard to prevent tailgating and passback (eg. turnstiles).

Controllers

In an AACS, a controller (or collection of controllers) monitors and controls all tokens and all access points in an installation. In higher security applications, individual doors may also be equipped with single door controllers of varying complexity. The image left, courtesy of ADT, depicts one such single door configuration. The elevation is shown from the inside of the secure area.

According to ADT (2001) the controller can provide detailed information about a door, if additional attributes are added to the access point. These include:

- Door Open Sensor: Annunciation that the door has been left open, or opened without the use of a valid token.
- Door Open Timer: Ensures that a limited amount of time is used for access through the door.
- Door Locked Sensor: Annunciation that the door lock is not secure.
- Door Locked Timer: Ensures that a limited amount of time is used for access before the door lock is activated.
- Door Closer: A mechanical device to ensure the door closes. An important addition in helping to prevent tailgating and maintaining access control, but there must be consideration for users with special needs.
- Exit Button: Allows access from the secure side of the door without the need for a token.
- Emergency Green Break-Glass Box: Provides a means by which fail-safe locks can be released under emergency. On monitored systems when the door is opened, this action will generate a door forced alarm event.

Door Contacts

A door contact is a magnetic switch used for sensing opening and closing of a controlled door. It also performs the function of intrusion detection for a building’s perimeter shell. You will recall that magnetic switches were addressed in Module 7.

Typical magnetic door contacts are made up of two component parts: the contact switch that is installed on the door frame; and a magnet that is mounted on the door. In some cases monitored locks (where the lock is monitored rather than the door) are used in addition or as a replacement to door contacts.

The BSIA (2012) notes that door contacts are used to monitor events such as:

- Door forced alarm – a door being opened without the use of the reader or normal egress device.
- Door held alarm – someone holding the door for another party or blocking the door for delivery or to return later if they have no card.

Emergency Egress Hardware

To comply with local authority and building regulations and to meet local fire officer requirements, emergency egress must not depend on the operation of the access control systems controller, software etc.
In the case of fail-safe locks this is normally provided by a green break glass device (in the UK). Operation of this device will remove power from the lock and the door is no longer secure. This device should be monitored to show its operation. Opening an access control monitored door in this way would generate a “door-forced” alarm event (BSIA, 2012).

Mechanical Push-Button Locks

A push-button lock utilises mechanical numbered push buttons, set to a pre-determined code and is mounted directly in the door. The complexity of the code and the security of the lock is a function of the number of keys on the pad and the number, or format, of digits in the code.

Push-button locks are an effective privacy device in controlling access to manned, restricted areas, but should never be used in place of a lock and key to prevent access to an unoccupied area. All too rapidly, the combination is compromised, and the need to frequently reset the code causes employees to write the code down, or enter it slowly, easily observed by unauthorised persons.

There is no doubt that such locks have their place in an access management system. The fact that they can speed entry and obviate the use of keys is an advantage, as long as there is no requirement to prevent tailgating. But push-button locks should not normally be used as a primary locking device. It is normal to use them during the working day, when there is major use of the door. However, during quieter periods, they should be supplemented by a standard, mortise deadlock.

A typical application of a push-button lock is to separate public and private space. For example, in an office complex, push-button locks can control entry into storage rooms and rest rooms.
In a retail area, push-button locks can be used to separate management areas from public areas. They also have their place in hotels, leisure complexes and anywhere where there are lots of members of the public present.

Electrical Push-Button Locks

Electrical versions of the push-button lock are available and these have the added advantage of alerting an operator if the wrong code is entered or initiating a time penalty for each incorrectly entered code.

Some electrical push-button systems have the ability to allocate different codes to individual users but there is a downside to this if used alone without any other credential (eg. a badge). The BSIA (2012) warns that if used by themselves then the number of different PINs on a reader must be kept low in order that a PIN cannot be guessed by chance. It recommends that ideally there should be at least 1000 times more possible PINs than there are actual PINs.

Electrical push-button locks can be networked or stand-alone. The BSIA (2012) notes that stand-alone readers have all the necessary inputs and outputs to control door hardware, as well as the memory and processing power to make access decisions independently. A stand-alone reader usually has one credential (eg. common code) and anyone knowing that code is allowed access through the door. The access decision logic can be made on the unsecure side of the access point.

Telephone Entry Systems

Commonly used at apartment buildings but increasingly at small commercial buildings. They are useful in multi-tenant buildings, where other options, such as manual identification through hardened door glazing, are not possible. They may also be used on industrial facilities or isolated sites, perhaps during quiet hours, where there is a very low throughput and where a level of security beyond that of a simple card is required. In such cases they may incorporate a full-height turnstile for added security.

Systems consist of a panel installed with a handset and touchpad.
Modern systems usually incorporate video.

The visitor identifies himself/herself either by a code or in person by video, whereupon the building occupant makes the access control decision and sends an electronic command often to an electric door strike, which opens a keeper to allow free passage to the non-bevelled side of the latch.

For VIP residences in high-risk areas video entry systems may be a consideration: See http://www.youtube.com/watch?v=L-JyxLMmqd0 for an example.

Human Image Verification Systems

Also known as stored image verification. To increase the security of a system, a challenge or video verification mode is often available. When a token is presented at a reader, an operator at a PC is presented with the stored photograph of the user, together with a live image from a camera viewing the reader. Depending on whether the operator identifies the person in the live image against the displayed photograph, access can be manually granted or denied. Specific personal data (name, details etc.) may also be displayed to the operator to aid identification (Source: BSIA, 2012).

Doors

Module 7 addressed the problem of weak doors, and emphasised that intrusion detection systems were not a viable substitute for weak structural barriers. The same can be said of access control systems and doors. For an integrated system to be effective there must be balanced security across all elements of the PPS (Garcia, 2008).
Column headings: Holding Force; Hollow Core; Softwood / uPVC; Hardwood; Steel. Entries for each holding force are listed from left to right.

3kN
- Internal door – not security, privacy only
- Internal door – not security, privacy only

5kN
- Internal door – not security, privacy only
- PAS 24, STS201. Internal door – low risk only

7kN
- Internal door – not security, privacy only
- PAS 24, STS201, LPS 1175 SR 1, STS 202 BR 1. Low risk external doors (use with separate night locking). Medium risk internal doors
- PAS 24, LPS 1175 SR 2, STS 202 BR 2. Medium risk external doors (use with separate night locking). Medium risk internal doors

10kN
- PAS 24, LPS 1175 SR 2, STS 202 BR 2 (depending on door). Medium risk external and internal
- PAS 24, LPS 1175 SR 2, STS 202 BR 2. Medium risk external and internal

12kN
- PAS 24, LPS 1175 SR 2, STS 202 BR 2 (depending on door). Medium risk external and internal
- LPS 1175 SR 3, STS 202 BR 3. Medium / high risk external

Key:
- LPS 1175: Certified by LPCB to LPS 1175 with Security Rating (SR) as indicated. (SR can be from 1 to 8)
- PAS 24: tested to meet PAS 24 (published by British Standards)
- STS201: Certified by Warrington Certification to PAS 23/24 (formerly WCL1)
- STS202: Certified by Warrington Certification to STS 202 (formerly WCL2) with Burglary Rating (BR) as indicated. (BR can be from 1 to 6)

In this regard, the BSIA (2012) provides the above table relating to door strengths, uses, classifications and standards. It is appreciated that if you are outside the UK, much of the standards detail in the above table may be irrelevant.

Turnstiles

The major advantage of turnstiles over doors is that they allow access to only one person at a time. Turnstiles are a useful adjunct to any access management system, especially main entry points.

Turnstiles come in a variety of styles, low-height, full-height, revolving, one-way, metal, glass, paddle barriers, etc.
Traffic flow is slow but the use of turnstiles ensures defined access to one person at a time, and prevents tailgating.

Full-height turnstiles are best. They ensure that only one person passes through in any single authorised entry transaction, and defeat any attempt to jump over, as can happen with low-profile turnstiles.

Full-height turnstiles are much more likely to be encountered at outside entrances, at the pedestrian entry point to the inner perimeter. Inside buildings these are used only in exceptional circumstances as they have very slow throughput. Low-profile (also called half-height) turnstiles (or gates that mimic the function of turnstiles) are more common inside buildings, especially in an office lobby environment where access to the building lobby will have required entrance through a lockable door and reception staff can monitor the turnstile use.

There are many different kinds of low-profile turnstile. For examples and illustrations of some of the more common you should refer to page 31/32 of the BSIA Specifier’s Guide to Access Control Systems, which can be found at: https://www.bsia.co.uk/zappfiles/bsia-front/pdfs/132-specifiers-guide-access-control-systems.pdf

The BSIA guide also contains a table listing the relative merits of different kinds of turnstiles on page 34.

Airlocks

An airlock (also known as mantrap) comprises two portals separated by a secure space where both portals are not permitted to open at the same time, allowing for only one person to pass at a time. The second portal cannot open until the first is closed. Airlocks must be monitored either by officers or CCTV to prevent tailgating.
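The airlock interlock rule above, combined with the door forced and door held alarms described earlier under Door Contacts, can be expressed as a small state machine. This Python sketch is an added example, not part of the original module or of any vendor's firmware; the class names, timer values and event log are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

RELEASE_WINDOW = 5     # seconds a released lock waits for the door to open (assumed)
HELD_OPEN_LIMIT = 15   # seconds a door may stay open before "door held" (assumed)


@dataclass
class Door:
    name: str
    is_open: bool = False
    released_at: Optional[int] = None   # time of the last granted release
    opened_at: Optional[int] = None
    held_reported: bool = False


@dataclass
class Airlock:
    """Hypothetical two-portal airlock with a door contact on each portal."""
    outer: Door = field(default_factory=lambda: Door("outer"))
    inner: Door = field(default_factory=lambda: Door("inner"))
    alarms: list = field(default_factory=list)

    def _pair(self, name):
        return (self.outer, self.inner) if name == "outer" else (self.inner, self.outer)

    @staticmethod
    def _released(door, t):
        return door.released_at is not None and t - door.released_at <= RELEASE_WINDOW

    def request_open(self, name, t):
        """Valid token or exit button at a portal. Interlock: refuse while the
        other portal is open or still has a release pending."""
        door, other = self._pair(name)
        if other.is_open or self._released(other, t):
            return False
        door.released_at = t
        return True

    def contact(self, name, is_open, t):
        """Door contact changed state."""
        door, _ = self._pair(name)
        if is_open:
            if not self._released(door, t):
                # Opened without reader or egress device. A break-glass opening
                # also arrives here, so it is reported as door forced.
                self.alarms.append((t, name, "door forced"))
            door.is_open, door.opened_at, door.held_reported = True, t, False
            door.released_at = None          # one release covers one opening
        else:
            door.is_open, door.opened_at = False, None

    def tick(self, t):
        """Periodic check of the door open timer; reports each opening once."""
        for door in (self.outer, self.inner):
            if (door.is_open and not door.held_reported
                    and t - door.opened_at > HELD_OPEN_LIMIT):
                self.alarms.append((t, door.name, "door held"))
                door.held_reported = True


# Constructed event log: (seconds, event, portal)
SAMPLE_EVENTS = [
    (0, "request", "outer"),   # card presented at the outer portal
    (2, "open", "outer"),
    (4, "request", "inner"),   # refused: outer portal is still open
    (6, "close", "outer"),
    (8, "request", "inner"),   # granted: outer portal is now closed
    (9, "open", "inner"),
    (40, "tick", None),        # inner portal propped open for 31 seconds
    (42, "close", "inner"),
    (50, "open", "outer"),     # opened with no release on record
    (52, "close", "outer"),
]


def replay(events):
    """Feed events through the airlock; return (request decisions, alarms)."""
    lock, decisions = Airlock(), []
    for t, kind, name in events:
        lock.tick(t)
        if kind == "request":
            decisions.append((t, name, lock.request_open(name, t)))
        elif kind in ("open", "close"):
            lock.contact(name, kind == "open", t)
    return decisions, lock.alarms


if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))
```

The interlock only stops two portals being released together; it cannot tell whether one or two people passed on a single release, which is why the module requires airlocks to be monitored by officers or CCTV.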

Electric Locks

General

In Module 7 you were briefly introduced to electric locks:

- Electromagnetic Lock: Useful on doors where mechanical latching could not be achieved. Usually fail safe.
- Electric Strike: Operates as an adjunct to any standard mechanical lock. Electricity is delivered to a solenoid that either opens or closes a mechanical latch keeper or strike plate.
- Electric Lockset: Simply a regular mortise lockset that has been electrified. Popular in automated access control systems.
- Electric Deadbolt: Can be either fail safe or fail secure, but care needed with emergency doors as bolt may bind if people push against doors.

Such locks are an integral feature of automated access control systems. They can be operated by either DC or AC electricity. All locks that are AC are fail secure, meaning that in the event of power loss the door remains secure. This may seem like the optimal configuration, but it could be dangerous in the event of an emergency evacuation in which power to the building – or part of the building – has been lost. DC-powered locks can be configured to fail secure or fail safe. The latter means that in the event of a power failure the lock releases.

Cumming (1992) suggests that reasons for the wide acceptance of electric locks include:

- Reduction in key use, copying, unauthorised use etc.
- Removes the need for extensive suiting of locks.
- Provides remote, automated control.
- Can be reprogrammed to perform different functions without lock removal.
- Allows timed opening, multifunctioning, and interfacing with safety systems.
- Provides added features while remaining as reliable as mechanical locks.
- Reduces patrol and manpower requirements by allowing centralised control of closing, opening etc.
- Gives positive door status and lock status indications.

Electromagnetic Locks (Maglocks)

This type of lock, powered by DC current, secures a door by applying a magnetic force and is perhaps the simplest means of remotely locking and unlocking doors. A current passing through the electromagnet attracts the armature plate and thereby holds the door shut. There are no moving parts.

Typically, the electromagnet is visible and mounted on the outside top of the door and jamb, but some systems (shear locks) can be built into the door and frame. The armature is mounted on the door.

In the event of loss of power, electromagnetic locks will fail safe, releasing the door. If required, this can be avoided by the use of a back-up power supply or by specifying a special kind of electromagnetic lock that employs a solenoid activated bolt that works in conjunction with the magnetic portion of the lock.

During working hours electromagnetic locks are a valuable adjunct to an access control system. However, electromagnetic locks should never be specified as the sole means of securing a door, especially during quiet hours, when the door should be secured by a more robust means.

Maglocks can vary tremendously in cost and performance ranging from 1kN to 14kN holding forces. The principle is very simply an electromagnet and a ferrous plate that are in contact when the door is closed. The magnetic field is only on when an electric current (12V DC) is passed through the electromagnet. Because of this they are only available as fail unsecure (unlocked) and for this reason alone they are generally seen as low security solutions.
Source: BSIA

The BSIA (2012) warns that despite their powerful holding forces, often only one magnet is used at the head of the door, and the door can become vulnerable if attacked at the base through either the door failing or sufficient leverage being gained to break the holding force on the magnet.
When specifying electromagnetic locks you should always specify a holding force of at least 500 kg (approximately 5kN), as a holding force of less could easily be defeated by two strong individuals forcing the door. Shear locks generally have a greater holding force than standard electromagnetic locks.

Patterson (2004) advises that electromagnetic locks are usually suitable for use with single and double doors with mortise or rim hardware and are usually compatible with right- or left-hand mounting.

ASIS (2009) advises that electromagnetic locks are useful on doors that are architecturally significant, and where mechanical latching otherwise could not be achieved. Electromagnetic locks should be coordinated with safety codes, as there are specific and additional requirements with these doors that must be provided.

Various national standards exist for specifying electromagnetic locks, and locks are sometimes classified into grades. In the US, the standard is ANSI/BHMA A156.23-2010.

The BSIA (2012) cautions that for fail-safe locking, where no key override is supplied, a means of removing the power from the lock from the unsecure side may be required if this is the only entrance into the secure area.

Examples of different configurations of electromagnetic locks can be found at http://www.youtube.com/watch?v=A73KHHh3qV4

A version of the electromagnetic lock is the shear lock. The BSIA (2012) notes that a shearmag or shear lock is similar to a maglock in that it relies on the attraction between an electromagnet and a plate on the edge of the door to lock. However, in this case, the plate has a number of protruding metal pins on the surface, with matching recesses on the face of the magnet. When the door is locked, the electromagnet pulls the plate onto the face of the magnet.
In this position the holding strength is then provided by the metal pins which are held within the recesses of the magnet. This provides much greater holding force than a conventional maglock, typically in the order of 7kN and upwards depending on size and type. Shearmags always fail unlocked in operation and often require larger amounts of power than maglocks to operate.

Electric Strike Locks

Typically, bolts and latches are mounted on the door. The door is locked when it is closed and the bolt or latch projects into a recess in the strike located in the doorjamb. A strike is used to strengthen the recess into which a bolt or latch projects. Strikes may be passive or active (electrically powered). The only function of a passive strike is to strengthen the recess (Garcia 2008).

An active strike is an electrically operated device that replaces a conventional strike plate and allows a door to be opened by using electric switches at remote locations. The electric strike is the most popular locking device in AACS, but is also found widely used elsewhere, such as communal doors to apartment complexes.

Power is supplied to the strike rather than to the lock, and it works on the principle of a solenoid which, when powered, moves a small pin that in turn engages or disengages a blocking mechanism, which then allows a moving plate (usually referred to as the staple, pivoting lip or keeper) to be released. This allows the release of the lock’s latch or bolt from the keep in the frame. This is useful as it obviates the need for wiring to pass into the door.

It may be used with a latch bolt or deadbolt, and the strike mechanism can be set up as fail safe or fail secure. Used in conjunction with a door handle, this mechanism is especially useful where entry is to be controlled but egress unhindered.

The BSIA (2012) notes that electric strikes vary significantly in their holding power from 1.5kN of side force up to 14kN or more on some of the higher security versions. Some versions are available with a monitoring switch that can detect whether the latch is engaged. This can save the need for a door monitor. The fact that the release is fitted to the doorframe also means that the doorframe material and size affect the security.

The BSIA (2012) cautions that the electric strike is generally used on low to medium security doors with medium to heavy traffic. It is suitable on internal doors or external doors if there is a further mechanical lock for use at night or outside normal business hours.

Electric Locksets – Solenoid

This type of solenoid lock secures a door by applying power directly to a bolt. It can be set up as fail safe or fail secure. This kind of lock is suited for medium- to high-security applications, where it would be used in fail-secure mode, and perhaps augmented with electric deadbolts. Holding strengths of up to 10kN (approximately 1,000 kg) can be achieved.

The BSIA (2012) notes that most standard electric locksets operate with a deadlocking latch lock which in most instances will not give quite the high level of engagement as a standard deadlocking bolt. Like an electric strike, these can be specified as fail secure or fail safe. These can be specified with different functions inside to outside. For example the inside lever handle can always be active (for emergency egress) but the external handle is only engaged when the solenoid is operated. This type of lock can achieve quite good levels of security, as the lock will behave much like a traditional lock under attack, and can be used on portals with medium to heavy traffic.

Electric locksets may employ deadbolts for added penetration resistance. The bolt may either slide or swing into position.
Some solenoid locks have a built-in mechanical deadbolt for deadlocking during out of hours.

Electric Locksets – Motor Locks

The BSIA (2012) states that in outward appearance electric motor locks appear very similar to a solenoid lock but rather than a solenoid have an electric motor that drives a dead bolt. This type of lock can achieve as high a security level as any mechanical single-point lock generally and will behave much like a traditional lock under attack. Most of these locks operate with a deadbolt, which in the correct door and frame installation can achieve high levels of security. In the event of a power failure the lock will remain in the status it was in at the time of the power failure (BSIA, 2012).

The motor lock is generally used on higher security doors with medium to low traffic. This is because the lock takes a few seconds to withdraw the deadbolt. For an office entrance at peak times it would not be the best choice. It is suitable on both high security internal and external doors (BSIA, 2012).

Access Badges

Identification Documents

Effective access management usually relies on a system of identity documents (ID cards, passes and permits) which will have been issued under control. The access control function is then exercised through automated means (card readers) with these documents at authorised points of entry and exit to sites. The data from the reader is transmitted to the control unit for evaluation. It is compared against the user authorisation profile (discussed later) for that card and an access control decision is made. If the decision is positive, the system returns a signal which changes a contact closure on an electric locking mechanism to allow passage.
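The electric locking mechanism that receives this release signal behaves differently on power loss depending on its type, as the Electric Locks section above describes. The following added example (not ISMI's or the BSIA's code) checks a door schedule against that section's cautions; the field names, the free_egress flag and the schedule itself are constructed for illustration.

```python
from dataclasses import dataclass

# The unit treats the shear lock as a version of the electromagnetic lock.
ALWAYS_RELEASES = {"maglock", "shear"}   # no power, no holding force
CONFIGURABLE = {"strike", "solenoid"}    # specified as fail safe or fail secure


@dataclass
class Door:
    name: str
    lock: str                       # maglock | shear | strike | solenoid | motor
    holding_kn: float
    mode: str = "fail_safe"         # used only for CONFIGURABLE locks
    external: bool = False
    traffic: str = "medium"         # low | medium | heavy
    night_lock: bool = False        # separate mechanical lock for out of hours
    evacuation_route: bool = False
    free_egress: bool = False       # inside handle always active (assumed field)
    backup_power: bool = False


def state_on_power_loss(door):
    """What the lock does when mains power is lost, per the unit's descriptions."""
    if door.lock in ALWAYS_RELEASES:
        return "held" if door.backup_power else "unlocked"
    if door.lock == "motor":
        return "unchanged"          # stays as it was when power failed
    if door.lock in CONFIGURABLE:
        return "locked" if door.mode == "fail_secure" else "unlocked"
    raise ValueError(f"unknown lock type: {door.lock}")


def audit(door):
    """Return the cautions from the unit that apply to this door."""
    findings = []
    state = state_on_power_loss(door)
    if door.lock in ALWAYS_RELEASES:
        if door.holding_kn < 5:
            findings.append("holding force below 5kN (about 500 kg)")
        if not door.night_lock:
            findings.append("electromagnetic lock is the sole means of securing the door")
    if door.lock == "strike" and door.external and not door.night_lock:
        findings.append("electric strike on external door without a further mechanical lock")
    if door.lock == "motor" and door.traffic == "heavy":
        findings.append("motor lock on a heavy-traffic door (bolt takes seconds to withdraw)")
    if door.evacuation_route and state in ("locked", "unchanged") and not door.free_egress:
        findings.append(f"door may stay locked on power loss ({state}) on an evacuation route")
    return findings


# Constructed door schedule for illustration; not taken from the unit.
SCHEDULE = [
    Door("store room", "maglock", 3.0),
    Door("rear exit", "strike", 7.0, mode="fail_secure", external=True, evacuation_route=True),
    Door("main entrance", "motor", 10.0, external=True, traffic="heavy", night_lock=True),
    Door("server room", "solenoid", 10.0, mode="fail_secure", traffic="low", free_egress=True),
]


def report(schedule=SCHEDULE):
    return {d.name: (state_on_power_loss(d), audit(d)) for d in schedule}


if __name__ == "__main__":
    for name, (state, findings) in report().items():
        print(f"{name}: on power loss -> {state}")
        for finding in findings:
            print(f"  - {finding}")
```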
The use of badges has long demonstrated a strong deterrent effect against those wishing to attempt unauthorised access to a site. Even on relatively small sites where there is no formal mechanism for checking badges on entry/exit, mandatory badge wearing is strongly recommended.

However, it should be noted that no pass system is completely effective; the possession of a pass does not confirm the identity of the bearer unless it is authenticated, either manually, by an officer reconciling a photograph on the badge with that of the bearer, or automatically, using two-factor authentication, where for example, the bearer must enter a PIN.

Good security culture and the actions of employees also ensure that those entering your premises and work areas have authority to do so. You will recall the ancient Greek philosopher Thucydides wrote: “The security of the city depends less on the strength of its fortifications than on the state of mind of its inhabitants”.

Credentials

Access decisions are granted usually on the basis of one, or more, of the following credentials:

- Personal Characteristic - Who you are (eg. recognition).
- Personal Characteristic - Who you are (eg. biometric).
- Possession - What you have (eg. a badge).
- Knowledge - What you know (eg. a PIN).

For the most part we make decisions about people based on the first factor. This is perfectly acceptable for small workgroups. Imagine if you refused to interact with family, neighbours and friends unless they formally identified themselves to you with an ID card!

A credential is a physical or tangible object, a piece of knowledge or a facet of a person’s physical being that enables an individual to gain access to a controlled area. Typically, credentials can be something you know (such as number or PIN), something you have (such as an access token), something you are (such as a biometric feature) or any combination of these. The typical credential is an access card, key fob, or other token.
Source: BSIA

In the workplace, however, it is better to have a formal badging system, especially when the workforce exceeds a few dozen employees. It also helps customers, contractors, delivery persons etc. recognise employees.

There are many different systems for access badging. Some are weak; some are relatively secure. It is less the quality of the badge and more the way in which the process is undertaken that determines the security of the system. For example, basic magnetic stripe technology can provide more than adequate levels of security for many facilities if the system is designed correctly.

Normally, an employee’s identification card doubles up as the displayed badge. An exception to this may be in an “exchange badge system”, where an identification card is surrendered to a guard in exchange for a displayed badge. Certain professions that require a badge by law (eg. police, military) are likely also to wear while on site a badge that is separate from the carried ID card.

In the future, access badges – or at least credentials to operate door readers – may be replaced by smartphones using near-field communication (NFC) technology.

What to Display on the Employee Badge

Views differ strongly on what to display on a badge worn by employees. The strongest views appear to be around whether to display the company logo or to make the badge anonymous. ISMI advises against the use of branded badges unless there is a specific reason to do so. One of the reasons for this is that many sites use single-factor authentication (the badge is presented to the reader and the holder is granted access) so badge loss makes it easy for any adversary to spoof the identity of the authorised holder and enter. This may pose a personal safety risk to staff.
Typically, a badge will display at least:

- Clear passport-style photograph.
- Name.
- Employee number.
- Validity and expiry dates.

The photo background may be colour-coded to show additional information, eg. access permissions. The reverse side would be expected to show a PO Box number address for return, if lost.

Purpura (2008) suggests adding additional information such as physical characteristics, location of work assignment and signature.

Fischer, Halibozek and Green (2008) suggest that to be effective, badges must be tamper-resistant, which means that they should be printed or embossed on a distinctive stock that is worked with a series of difficult-to-reproduce designs. They should contain a clear and recent photograph of the bearer, preferably in colour. The photograph should be at least 25x25mm and should be updated every two or three years or when there is any significant change in facial appearance, such as the badge-holder growing or removing a beard or moustache. The badge should, in addition, contain vital statistics such as date of birth, height, weight, colour of hair and eyes and gender. It should be laminated and of sturdy construction. The use of holography is recommended to reduce the risk of forgery.

Badges often require that a judgment about the wearer be made from a reading distance that is greater than normal. Badges must therefore have characteristics that can be identified at a distance. Bold and large letters, logotypes, artwork, colour patches and unusual shapes may be used to make the badges distinctive.

Where to Display the Badge

Unless there is a health and safety reason not to do so, badges should be worn around the neck on a breakable cord, where they are on clear display.
Badges clipped on jackets have a tendency to fall off, creating security vulnerabilities. They are also often left behind at desks on jackets.

Badges should not be worn around the waist or belt area as this makes it difficult for staff to identify any unauthorised persons in their work areas. Here, there is an important role for security to play in leading by example.

Badge Wearing Discipline

It is important that staff wear their passes at all times and that their issue is strictly controlled and regularly reviewed. Visitors should be escorted and wear clearly marked temporary passes, which must be returned on leaving. Anyone not displaying security passes should be either challenged or reported to security or management.

Badge wearing must be set by example by management and by security, and HR should ensure that it is addressed in the Employee Handbook. Poor badge wearing discipline leads to easily exploitable security.

One way to ensure badge wearing is to fit the maximum number of doors possible with card readers. Thus employees will be aware that they can’t move about the facility without their badges.

One problem created by the use of a single card for physical and logical access control is that the badge must usually be removed from around the neck to insert into the computer’s reader.

Badges should not be worn outside the facility.

Card Technologies

General

This section will examine some of the more common card technologies. There is no single ideal card-based solution. The level of security is often dictated by how the card is used (eg. single/dual authentication, associated entry furniture, anti-passback and tailgating protocols etc.).
In essence, you can achieve a very high level of security with a magnetic stripe card and a low level of security with a smartcard unless you fully understand at the outset all of the associated issues.

You can also mix technologies. For example, it is not uncommon to combine smartcard technology with magnetic stripe; just examine your credit card.

Magnetic Stripe

A magnetic stripe (or magnetic swipe) card is a very common form of credential, and originated in the commercial banking industry. Cards are relatively low cost and can hold a small amount of data, such as basic holder details. Unless used with a PIN, th