At one time, the function of an access control system was simply to enable facilities to control the ability to enter and leave without using hard keys, while creating a logging system with no paper. Access control systems have evolved into multi-faceted tools that can control the movement of people and assets, support video, and integrate cameras as well as financial and vending systems — all with the use of one smartcard or token. Because of this complexity, it’s essential to follow the proper steps in planning access control systems.
For those looking to upgrade functionality and those just starting out, the questions are the same:
- What primary needs and functions are you trying to manage with an access control system?
- Are those needs and functions going to be managed through stand-alone systems or through networked systems?
- Do you intend to integrate some, most, or all of the systems right away, or to put some off until funding is available down the fiscal road?
- What’s your budget?
Those are big questions, of course. To answer them, it may help to put the following five items on your access control planning to-do list.
- Identify the Stakeholders
Stakeholders provide critical information throughout the entire process, from conception to implementation. The people who use the systems involved are the best sources of information that will either make or break the access control endeavour, so it’s essential to include them from the beginning.
Information technology, security, parking and transportation, food services and, in the case of academia, student services, residence life, athletics, and the numerous faculty and staff committees: All are integral to the buy-in phase of any system, especially if it requires new processes and procedures for the end users.
Once those stakeholders are identified, a strong working committee should be formed, one that includes a representative from each stakeholder plus a project manager; a broad-based committee is especially important if the integration of numerous systems is involved.
- Select the Right Type of Card
Many access control projects involve an upgrade to an existing system. An upgrade may integrate existing non-access control systems such as IP cameras that run over the network and are capable of reacting to an event initiated by a card swipe or proximity card. The upgrade may also enable the access control system to work with parking and gate control, vending operations, dining hall access, debit, and numerous other systems that support the facility.
No matter what the goals of the upgrade, a single access control platform should be selected early on, during the “needs and wants” stage, whether it’s a magnetic stripe card, proximity reader card, a smart card, or any of the various cards or tokens. Deciding to change from one type of proximity card to another in the middle of a project is probably manageable, but brings enormous complications.
Input from the stakeholders will determine what is really needed, what can be done, what the future requirements are, and how goals can be achieved without requiring users to carry too many cards or tokens. The decision is this: What kind of card should you get, and how much money do you spend on each? Keep in mind that people lose cards or use them to scrape ice off windshields. A card may even be used to manipulate a hard lock by inserting it into the door crack between the spring bolt and frame (a sure sign that an access control reader is needed on that door).
Many systems in existence today have a standard magnetic stripe with three tracks that can be used for door control, banking information, or identification. One of the main drawbacks to swipe-type magnetic stripe cards is the actual wear and tear of using them as they were intended. Mag stripes wear out — it’s inevitable.
With the advent of contactless cards and smart cards, the wear and tear is practically eliminated, except for abuse. These options enable access and other applications without touching the card to a reader. One of the main reasons for using proximity cards is their ability to carry or hold more data than the regular magnetic stripe card, allowing more financial or other uses.
There are two types of proximity cards: passive and active. A passive card has no internal source of power and relies on the reader, which does have power, to read it. Although it does not have to touch the reader, a passive card must be held close enough to be read. Active cards contain a small battery and are most commonly used to open parking gates — the card is mounted somewhere on the vehicle, where it can be read to open the gate. Active cards tend to be expensive and will wear down in five years or so. Of course, many companies or facilities will have changed logos, photos, or even platforms within five years, so the cost of replacing the cards is just a part of the infrastructure.
Each type of access control card has its pros and cons. The main idea is to determine what will work best to enhance your security as well as function well in incorporating other applications that your stakeholders identify.
- Get IT Involved
Most people believe that access control is a security system when in reality it’s an IT system that uses a security “moniker” as its identification. Even in the basic, stand-alone hotel magnetic stripe system, a portable programmer is needed to program each of the individual door units with the times, access personnel, and other control information required to make it work. Many facility people treat this as a locksmith or key control responsibility. That’s fine at the beginning, and only if the most basic of systems is being used.
Once system integration takes place and the facility is past the issuance of hard keys as the only method of access, then identifying a responsible person who has IT experience, or has been trained to make the transition to an IT-based system, is critical to keeping the systems functional and at peak operational status. One of the worst things that can happen with an access control system is that it won’t let legitimate personnel access the facility because “the system is down.”
Here’s one good example of why IT involvement is crucial: Suppose you’re determined to find the best system compatible with existing IT systems, one that will enable a smooth integration. Some vendors or integrators claim that their systems are compatible with all existing platforms, but they achieve “compatibility” by adding or revising a significant amount of software, and the cost to write that code may be prohibitive. Your IT staff can ensure that the new system actually is compatible with the current IT platform.
- Spec and Bid the Right Way
The next-to-last step is to actually procure the system. This step can be as simple as signing a contract and issuing a purchase order. But that’s the wrong way to do it. The right way is to identify the specifications needed for any system that can do the job.
Never write a specification document based on what a salesperson said, and never write it from the specifications of a specific product you may be looking at or one that a salesperson said was the best on the market. Instead, develop a list, as extensive as you wish, that takes in all of your existing methods of operation, i.e., your networking platforms, existing applications that you plan to integrate, how you want the system to perform, and the kind of card (not a specific name brand) that has the method of operation you intend to use.
For example, you may need a contactless card that has a bar code for store purchases, magnetic stripes for other business operations, and the capability to contain logos, pictures, and other identifiers within the card surface. If you plan to store more information and to embed working applications on the card, then a smart card with a computer chip inside needs to be identified.
Once your list is created — and hopefully the IT department was an integral player in its development — the next step is developing a bid document to send to qualified vendors. Depending on your individual situation regarding procurement laws or processes, you may need to set up a method to answer questions as they arise during the process. Many facilities are governed by agency requirements that mandate a certain number of vendor bids, and, once the request for proposals is “put on the street,” the office handling the bid may prohibit the end user from answering questions from the vendors, who may communicate only with the bid office. This prevents any of the bidders from filing a grievance based on a perception of favoritism.
Once the bids are in, a checklist of the requirements is generated, and each of the vendor responses is reviewed to determine whether it complies with the specific items. This process ensures that what you want to have done can actually be accomplished with that particular product. The more in-depth the questions, the more confident you will be later once the product is paid for.
- Test the System Carefully
Once the system is procured, it’s easy to think that life is good. But in reality, this is where things can go wrong if you’re not careful or don’t have checks and balances in place. The first item to install is the head end or server that will control the access control system. All software and any other component items should be installed and tested prior to replacing any old card readers with new ones. When dealing with multiple buildings, select a “test bed” where any issues or bugs can be worked out as they occur. Enough time for testing is needed to ensure that the access control system works as intended. But if the project involves integrating other systems, those systems need to be kept running regardless of the new access control. Bringing on those systems one by one can help to avoid major problems and it allows existing functionality to be used to maintain operations.