The foundation of “gate access control” is effectively distinguishing between authorised and unauthorised. Several processes exist within this distinction. Recognising the authorised (flow) is easy compared with recognising the unauthorised, hence gate access control is mainly designed or engineered around regulating the unauthorised. Once authorised users are handled well (with comfort and convenience), what remains is the unauthorised. This sometimes creates concerns and inconvenience for authorised users, as they are regulated and need to follow the process that filters out the unauthorised.
The differentiation between authorised and unauthorised starts with “effective recognition at registration”, i.e. creating the ability to identify who is right for registration. Often the registration process is ignored and therefore weak, which may lead to registration of the wrong person. Generally, the ‘Registration process’ is implemented around issuing an ID-card, but to whom the ID-card is to be issued is not considered or thought through well. Compare this with issuing a system password: it is important to know to whom it is issued. A point to remember: “the right person accessing without an ID-card is not a threat compared with the wrong person accessing with an ID-card”. Hence merely having a registration process to issue ID-cards is not what matters; the person is what matters.
While managing routine gate security, the team forgets this basic check and looks only at ID-card issuance; to whom the ID-card or entry pass is being issued is not taken into consideration. The registration process is the first and an important chance to filter. Tools are available to ensure that only the actual ID-card holder enters, i.e. biometrics-based access control. Therefore, the filter at the beginning is important – Security should have an answer to “Whom are we registering? Is he the right person?”.
“Background checks” are one of the tools to identify ‘go’ or ‘no go’. But such checks are generally limited to HR concerns only, i.e. education or previous employment verification etc. I was recently asked, “what is the biggest Security concern?” and my answer was “surprises”: an event for which the Security System and Manager are not prepared. The worst, not even perceived. “Insider threat” is one of those surprises. The main reason for not being able to prevent insider threat is not being able to filter. HR treats on-boarding filtration differently: there are trainings on “interviewing techniques”, as the aim is the right hiring as per desired skills. Is there training for “Security registration techniques”? Customised trainings are available and imparted but, due to Security concerns and other reasons, never advertised. Remember the “Risk chain”: an adversary can create maximum impact when he has capabilities. Entering as an authorised, registered person gives him more capability to be near the asset or target; therefore insider threat is a great risk and generally the Security arrangement is not prepared for it. The Security Manager must have a robust registration system to filter and avoid mistakes like:
- Outsourcing the registration process without adequate checks, DoA mapping, a lapse-tracking mechanism, process control and governance. Practically, this gives authority to allow unknown persons to penetrate the system.
- No integration between Security and HR systems, or loose ends at the HR or Security end.
- Poor data management, especially at large sites and/or multi-location organizations, with missing unique identification.
- No data management for watch-list checks, and lack of coordination with law enforcement agencies and neighboring agencies for sharing watch-list criminal data.
- No authorization management, i.e. who can approve registration. Generally no link is established; most of the time a process exists for “authorized signatory” but implementation is poor.
- On the technology side, several mistakes such as poor card management: the majority of organizations use smart cards for access control but rely only on the CSN (card serial number), which is easy to clone.
- No process for lost-card management, i.e. a provision to report / auto-deactivate.
The Security Manager must be one step ahead; more important is to focus on minute details, especially when the Security need is high. In addition, “access control of the right person is a daily activity”, which means that for highly sensitive locations all key personnel should be under clandestine watch.
The following practices help in maintaining effective access control:
- Correct registration process
- Foolproof enrolment
- Correctness of data – remember and avoid GIGO (garbage in, garbage out).
- Background checks especially for people working in critical areas
- No dependency on the Security Operator for registration – strong governance; better proactive than auditive.
- Encrypted ID-cards for sensitive areas. Key control for ID-cards being encoded.
- Gate Access control
- Well-designed gate (remember CPTED concept) – no space for bypassing the access control. Enough space for screening, exception handling area, response & containment area, denial lanes – avoid chaos.
- Integrated access control system
- As far as possible, implement an access control system where data travels from the HR system rather than by manual entry. This avoids giving the operator the authority to create an ID-card for anyone.
- Ensure the access control system is integrated with the HR system for auto-deactivation of the ID-card on separation.
- Alarm panel and effective monitoring process – ensure access control system alarms are acted upon; keeping false alarms from the system to a minimum enables the operator to focus.
- Analyzing in/out data to find loopholes, e.g. pairing in and out records to check correctness of people flow and system performance.
- Vigilance - Keeping people working in sensitive areas under watch – big brother watching concept.
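The in/out pairing and HR auto-deactivation checks from the list above, as an added example that is not part of the original post. The log format, employee ids and HR roster are constructed for illustration and assume the gate system can export (time, holder, direction) records.

```python
from datetime import datetime

# Constructed sample data (not from the original post).
HR_ROSTER = {  # employee id -> status, as exported from a hypothetical HR system
    "E100": "active",
    "E200": "active",
    "E300": "separated",
}
GATE_LOG = [  # (timestamp, card holder id, direction)
    ("2024-01-08 08:55", "E100", "IN"),
    ("2024-01-08 09:02", "E200", "IN"),
    ("2024-01-08 12:30", "E200", "IN"),   # second IN without an OUT in between
    ("2024-01-08 13:10", "E300", "IN"),   # card of a separated employee still works
    ("2024-01-08 17:40", "E100", "OUT"),
    ("2024-01-08 18:05", "E400", "OUT"),  # OUT without IN, holder unknown to HR
]

def audit_gate_log(log, roster):
    """Pair IN/OUT events per holder and cross-check each holder against HR."""
    findings = []
    inside = {}  # holder id -> timestamp of the currently open IN
    ordered = sorted(log, key=lambda e: datetime.strptime(e[0], "%Y-%m-%d %H:%M"))
    for ts, holder, direction in ordered:
        status = roster.get(holder)
        if status is None:
            findings.append((ts, holder, "not in HR roster"))
        elif status != "active":
            findings.append((ts, holder, "card used after separation"))
        if direction == "IN":
            if holder in inside:
                findings.append((ts, holder, "IN without prior OUT"))
            inside[holder] = ts
        elif direction == "OUT":
            if holder not in inside:
                findings.append((ts, holder, "OUT without prior IN"))
            inside.pop(holder, None)
    # Any IN still open at the end of the log never badged out.
    for holder, ts in sorted(inside.items()):
        findings.append((ts, holder, "no OUT recorded"))
    return findings

if __name__ == "__main__":
    for finding in audit_gate_log(GATE_LOG, HR_ROSTER):
        print(*finding, sep="  ")
```

Unpaired records point to tailgating, a bypassed reader or a reader fault; roster mismatches point to a missed deactivation or a manually created card.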
There are many more measures for Security access control on the perimeter, gate protection, material movement management etc. Security managers can derive their own practices and code to match the ground requirement. As per study, access control contributes 55% to 60% of overall Security operations. This is applicable to almost all types of industries. Therefore, if Security managers take care of access control effectively and design the system (5 layers) for managing access control well, the Security need is nearly completed.
Well articulated.
Indeed valuable for Security professionals. Sir, Thank you for writing blogs for Security fraternity..
Great learnings..
The snippet summary is well articulated. The basic fundamental concept of Security. Kudos to Author.
Very insightful.... Thanks for sharing sir
Excellent illustration of gained knowledge...
Very well defined sir..
Thanks for sharing sir... Lot of learnings in it
Just wow 👌👌
Thank you sir for sharing this..
again good article Smit ..knowledge in depth for new learners and refreshing for others
Very well articulated Sir..
Very well explained sir