
Effective Access Control nearly completes Security

Earlier blogs presented an overview of the ‘Risk Chain’, the ‘Methodology to break’ the chain and the ‘Five layers’ of Security. Various Security processes contribute to meeting the de-risking need. If we put a score on each component of the Security need, we can prioritise implementation requirements against risk. ‘Threat’ exposure is not possible without movement of men, material, or information. Therefore, controlling, regulating, and monitoring movements to and fro between Secured and Non-Secured areas is important.



Crime is not possible without an access breach; therefore a reasoned ‘Access control’ establishment nearly completes the Security. Access control is “The practice of regulating entrance to a property, a building, or a room to authorised person”; access could be physical or digital. Unauthorised access could target property or information (damaging or stealing). Unauthorised outward movement of material (property) and information is also an access breach. Generally, Security Managers consider Gate Security to be the whole of Access Control, but complete access control consists of several other aspects, such as securing access from the perimeter, material movement management etc.

The foundation for “gate access control” is effectively distinguishing between authorised and unauthorised. Several processes exist within that distinction. Recognising the authorised (flow) is easy compared with recognising the unauthorised, hence gate access control is mainly designed or engineered around regulating the unauthorised. Once authorised users are handled well (with comfort and convenience), what remains is the unauthorised. This sometimes creates concerns and inconvenience for authorised users, as they are regulated and need to follow the process that filters out the unauthorised.

The differentiation between authorised and unauthorised starts with “effective recognition at registration”, i.e. creating the ability to identify who is right for registration. Often the registration process is ignored and therefore weak, which may lead to registration of the wrong person. Generally, the ‘Registration process’ is implemented around issuing an ID card, but to whom the ID card is to be issued is not considered and thought through well. Compare this with issuing a system password: to whom it is issued is what is important to know. Point to remember: “right person accessing without ID-card is not a threat comparing wrong person accessing with ID-card”. Hence merely having a registration process to issue ID cards is not what is important; the person is.

While managing routine Gate Security, the team forgets this basic check and looks only at ID-card issuance; to whom the ID card or entry pass is being issued is not taken into consideration. The registration process is the first and an important chance to filter. Tools are available to ensure that only the actual ID-card holder enters, i.e. biometrics-based access control. Therefore, the filter at the beginning is important: Security should have an answer to “Whom are we registering? Is he the right person?”.

“Background checks” are one of the tools to identify ‘go’ or ‘no go’. But such checks are generally limited to HR concerns only, i.e. education or previous employment verification etc. I faced a question recently, “what is the biggest Security concern?” and my answer was “surprises”, an event for which the Security System and Manager are not prepared. The worst are those not even perceived. “Insider threat” is one of those surprises. The main reason for not being able to prevent insider threat is not being able to filter. HR considers on-boarding filtration differently; there are trainings on “interviewing techniques”, as the aim is right hiring as per desired skills. Is there training for “Security registration techniques”? Customised trainings are available and imparted, but due to Security concerns and other reasons they are never advertised. Remember the “Risk chain”: an adversary can create maximum impact when he has capabilities. Entering as an authorised, registered person gives him more capability to be near the asset or target; therefore insider threat is a great risk, and generally the Security arrangement is not prepared for it. The Security Manager must have a robust registration system to filter and avoid mistakes like:

  1. Outsourcing the registration process without adequate checks, DoA mapping, a lapse-tracking mechanism, process control and governance. Practically, it gives authority to allow an unknown person to penetrate the system.
  2. No integration between Security and HR systems, or a loose end at the HR or Security end.
  3. Poor data management, especially at a large site and/or multi-location organization; missing unique identification.
  4. No data management for watch-list checks, and lack of coordination with law enforcement agencies and neighboring agencies for sharing of watch-list criminal data.
  5. No authorization management, i.e. who can approve registration. Generally no link is established; most of the time a process exists for the “authorized signatory” but implementation is poor.
  6. On the technology side, several mistakes such as poor card management; the majority of organizations use smart cards for access control but read only the CSN (card serial number), which is easy to clone.
  7. No process for lost card management, i.e. no provision to report / auto-deactivate.
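
Several of the mistakes above (no HR link, missing unique identification, weak authorised-signatory control, lost cards left active) can be caught by reconciling the card register against the HR feed at regular intervals. The following Python is an added example, not part of the original post; the field names, card numbers, employee IDs and approver IDs are constructed assumptions.

```python
# Constructed sample data; field names are assumptions for illustration.
HR_FEED = {  # unique employee ID -> HR status
    "E1001": "active",
    "E1002": "separated",
    "E1003": "active",
}
AUTHORISED_SIGNATORIES = {"A7"}
BADGES = [  # export from the access control system
    {"card": "C-01", "emp": "E1001", "active": True, "approver": "A7", "lost": False},
    {"card": "C-02", "emp": "E1002", "active": True, "approver": "A7", "lost": False},
    {"card": "C-03", "emp": "E1003", "active": True, "approver": "OP3", "lost": False},
    {"card": "C-04", "emp": "E1003", "active": True, "approver": "A7", "lost": False},
    {"card": "C-05", "emp": "E9999", "active": True, "approver": "A7", "lost": False},
    {"card": "C-06", "emp": "E1001", "active": True, "approver": "A7", "lost": True},
    {"card": "C-07", "emp": "E1002", "active": False, "approver": "A7", "lost": False},
]


def audit_badges(badges, hr_feed, signatories):
    """Return sorted (card, finding) pairs for every active card that fails a check."""
    findings = []
    active_by_holder = {}
    for b in badges:
        if not b["active"]:
            continue  # a deactivated card cannot open a door
        status = hr_feed.get(b["emp"])
        if status is None:
            findings.append((b["card"], "no HR record for holder"))
        elif status != "active":
            findings.append((b["card"], "holder separated but card active"))
        if b["approver"] not in signatories:
            findings.append((b["card"], "approved by non-signatory"))
        if b["lost"]:
            findings.append((b["card"], "reported lost but card active"))
        else:
            active_by_holder.setdefault(b["emp"], []).append(b["card"])
    for cards in active_by_holder.values():
        if len(cards) > 1:  # one identity should map to one usable card
            findings.extend((c, "holder has several active cards") for c in cards)
    return sorted(findings)


if __name__ == "__main__":
    for card, finding in audit_badges(BADGES, HR_FEED, AUTHORISED_SIGNATORIES):
        print(card, "-", finding)
```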

The Security Manager must be one step ahead; more important is to focus on minute details, especially when the Security need is high. In addition, “access control of right person is daily activity”, which means that for highly sensitive locations all key personnel should be under clandestine watch.

The following practices help in maintaining effective access control:

  1. Correct registration process
    • Foolproof enrolment
    • Correctness of data – remember and avoid GIGO (garbage in, garbage out).
    • Background checks, especially for people working in critical areas
    • No dependency on the Security Operator for registration – strong governance, proactive rather than auditive.
    • Encrypted ID-cards for sensitive areas. Key control for ID-cards being encoded.
  2. Gate Access control
    • Well-designed gate (remember CPTED concept) – no space for bypassing the access control. Enough space for screening, exception handling area, response & containment area, denial lanes – avoid chaos.
  3. Integrated access control system
    • As far as possible, implement an access control system where data travels from the HR system rather than through manual entry. This removes the operator's authority to create an ID-card for anyone.
    • Ensure Access control system is integrated with HR system for auto-deactivation of ID card during separation.
    • Alarm panel and effective monitoring process – ensure access control system alarms are acted upon; fewer false alarms from the system enable the operator to focus.
    • Analysing in/out data to find loopholes, e.g. pairing ins and outs to check the correctness of people flow and system performance.
  4. Vigilance - Keeping people working in sensitive areas under watch – big brother watching concept.
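
The in/out pairing mentioned under the integrated access control system can be run over a reader log as below. This Python is an added example, not part of the original post; the log format, card numbers and reader names are constructed assumptions.

```python
from datetime import datetime

# Constructed sample swipe log: time, card, direction, reader.
LOG = """\
2024-05-06T08:01:10 C-01 IN G1
2024-05-06T08:03:42 C-02 IN G1
2024-05-06T12:30:05 C-01 OUT G1
2024-05-06T12:58:40 C-01 IN G2
2024-05-06T13:10:00 C-02 IN G2
2024-05-06T17:45:12 C-03 OUT G1
2024-05-06T18:02:33 C-01 OUT G1
"""


def parse(log):
    """Turn log lines into time-ordered (time, card, direction, reader) tuples."""
    events = []
    for line in log.splitlines():
        ts, card, direction, reader = line.split()
        events.append((datetime.fromisoformat(ts), card, direction, reader))
    return sorted(events)


def pair_in_out(events):
    """Pair each IN with the next OUT of the same card; return (visits, anomalies)."""
    inside = {}  # card -> time of the IN that has no OUT yet
    visits, anomalies = [], []
    for ts, card, direction, _reader in events:
        if direction == "IN":
            if card in inside:
                # Second entry without an exit: exit was not recorded
                # (followed someone out) or the same card is in use twice.
                anomalies.append((card, ts, "IN while already inside"))
            inside[card] = ts
        elif direction == "OUT":
            if card in inside:
                visits.append((card, inside.pop(card), ts))
            else:
                # Exit without entry: the holder got in without a swipe.
                anomalies.append((card, ts, "OUT with no recorded IN"))
        else:
            anomalies.append((card, ts, "unknown direction"))
    for card, ts in sorted(inside.items()):
        anomalies.append((card, ts, "no OUT recorded by end of log"))
    return visits, anomalies


if __name__ == "__main__":
    visits, anomalies = pair_in_out(parse(LOG))
    for card, ts, kind in anomalies:
        print(ts.isoformat(), card, kind)
```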

There are many more measures for Security access control on the perimeter, gate protection, material movement management etc. Security managers can derive their own practices and code to match the ground requirement. As per study, access control contributes 55% to 60% of overall Security operations. This is applicable to almost all types of industries. Therefore, if Security managers take care of Access Control effectively and design the system (5 layers) to manage access control well, the Security need is nearly completed.



Comments

  1. Indeed valuable for Security professionals. Sir, Thank you for writing blogs for Security fraternity..
    Great learnings..

  2. The snippet summary is well articulated. The basic fundamental concept of Security. Kudos to Author.

  3. Very insightful.... Thanks for sharing sir

  4. Excellent illustration of gained knowledge...

  5. Thanks for sharing sir... Lot of learnings in it

  6. again good article Smit ..knowledge in depth for new learners and refreshing for others
