Intrusion & Access Control

 

 

https://sm.asisonline.org/Pages/Healthy-and-Secure.aspxHealthy and SecureGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a43444652017-07-01T04:00:00Zhttps://adminsm.asisonline.org/pages/holly-gilbert-stowell.aspx, Holly Gilbert Stowell<p>​With more than 8,000 Locations across the United States and approximately 247,000 employees, drugstore chain Walgreens puts a priority on protecting its assets, employees, and customers. The company’s security team, located at Walgreens headquarters in Deerfield, Illinois, strives to respond to any incident that requires attention in a timely manner, whether it be a robbery or a door alarm.</p><p>“Responding to events and dispatching is extremely important, especially in critical situations where we want to provide the best services to our people,” says Hal Friend, director of physical security and fire prevention for Walgreens.</p><p>The corporate headquarters, known as the support office, is home to around 7,000 employees. The security department, referred to as Asset Protection Solutions, is made up of asset protection officers (APOs), a physical access control systems team, and security specialists, among others.</p><p>About five years ago, the company was looking to upgrade its access control solution at its corporate headquarters and distribution centers. “We realized that we had outgrown the old platform we were on, and it wasn’t going to be able to keep up with us,” Friend notes. <img src="/ASIS%20SM%20Callout%20Images/0717%20Case%20Study%20Stats.png" class="ms-rtePosition-2" alt="" style="margin:5px;width:289px;" /></p><p>Walgreens turned to the Genetec Security Center platform, which offered an integrated video and access control solution with various features to meet the corporation’s needs. The installation was rolled out over the last few years across the corporate campus’s more than 40 buildings and distribution centers, and the last phase of the installation was completed in February 2017. </p><p>Synergis, the access control platform from Genetec, is unified with Genetec’s Omnicast video management platform through Security Center, tying the support office’s 700 cameras into one system. </p><p>Synergis operates card readers and turnstiles located throughout Walgreens’ support office campus and allows Walgreens to easily issue temporary badges for employees who forget or misplace their credentials. If workers forget or misplace their cards, they must produce identification to one of the company’s APOs. “The APOs verify in Genetec that the person is a badged employee, and then we have a process in Synergis to issue them a temporary badge that will expire at the end of that business day,” Friend explains.  </p><p>Through Synergis, the company can also set an expiration date for temporary badges for vendors, consultants, and contractors who need access for only a certain amount of time. </p><p>Walgreens has a handful of high-security locations, such as data centers, which require two-factor authentication. The employees with access to these areas must present their card to the reader, and place their fingerprint on a biometric scanner. </p><p>The company has also deployed anti-passback measures, which means the worker must badge in and badge out of the high-security location to prevent the badge from being shared. “If you leave without badging out, it will prevent you from badging back in, because the system thinks you’re still in there,” Friend notes. “It helps enforce compliance in high-value areas, so that we have exact record keeping on who was where, when.”</p><p>Through Synergis, the security team can also generate ad hoc reports that show the company who has access to specific locations. “We send those reports to the managers of those high-value areas, such as the data centers, and they audit them routinely to ensure that people who have access still require access,” he says.</p><p>Security Center from Genetec integrates into the company’s own security operations center, a 24/7 monitoring location staffed with trained officers called security specialists. If an alarm goes off anywhere on campus, the officers can click the associated alarm notification to view the video. “It’s really easy to immediately get that footage to see what happened,” he notes. </p><p>Many of the cameras on campus are situated around the perimeter or pointed at access control points. This allows for easy review of video footage related to any alarms triggered by doors forced open or turnstiles that appear obstructed. If an alert goes off, “we can immediately dispatch an asset protection officer to respond to that alarm, realizing that most of the events are mistakes,” he says. “But we investigate them all in case we do have an intrusion.”</p><p>In addition to protecting the support office, these officers monitor Walgreens locations across the country and provide dispatch calls to local law enforcement in the event of an emergency, using a video management platform from a different vendor.  </p><p>When a burglar alarm goes off at any of the store locations, security specialists use high definition video to go back and view the video associated with the alarm. If they can confirm that an intruder set off the alert, they call the police. “We dispatch only on verified alarms to cut down on false alarm dispatching, which is appreciated by law enforcement,” Friend notes. </p><p>With the headquarters located in a suburban environment, near major roads and highways, Friend says that unwelcome visitors can wander onto campus, though it is a rare occurrence. “There was an instance where the Genetec platform helped us identify an individual who came to the campus, and was not supposed to be here,” Friend says. Using video, which they turned over to law enforcement, “we identified how he got in, and then assisted the police in the investigation to apprehend that individual and resolve the matter.” </p><p>Walgreens does retain video for a specified amount of time to remain in compliance with the various audits that the company participates in. </p><p>Friend says that Genetec Security Center gives the corporation the flexibility it needs to maintain business efficiencies while providing security. “We’re ensuring security, but at the same time we never want security to impede the needs of the workforce at the campus,” Friend says. “We really feel we have that experience today with what we have.”</p><p><em>For more information: Beverly Wilks, bwilks@genetec.com, www.genetec.com, 866.684.8006</em></p>

Intrusion & Access Control

 

 

https://sm.asisonline.org/Pages/Healthy-and-Secure.aspx2017-07-01T04:00:00ZHealthy and Secure
https://sm.asisonline.org/Pages/Accesos-Bajo-Control.aspx2017-06-01T04:00:00ZAccesos bajo Control
https://sm.asisonline.org/Pages/On-Site-and-Cloud-Access-Control-Systems.aspx2017-05-22T04:00:00ZOn-Site and Cloud Access Control Systems
https://sm.asisonline.org/Pages/Message-to-the-Masses.aspx2017-03-01T05:00:00ZMessage to the Masses
https://sm.asisonline.org/Pages/Yale-Opens-Doors.aspx2016-12-01T05:00:00ZYale Opens Doors
https://sm.asisonline.org/Pages/Sounding-the-Alarm-at-Lone-Star.aspx2016-08-01T04:00:00ZSounding the Alarm at Lone Star
https://sm.asisonline.org/Pages/Cannabis-Cash.aspx2016-07-01T04:00:00ZQ&A: Cannabis Cash
https://sm.asisonline.org/Pages/What-the-Pulse-Nightclub-Attack-Means-for-Soft-Target-Security.aspx2016-06-14T04:00:00ZWhat the Pulse Nightclub Attack Means for soft Target Security
https://sm.asisonline.org/Pages/A-Dearth-of-Gun-Data.aspx2016-04-01T04:00:00ZA Dearth of Gun Data
https://sm.asisonline.org/Pages/When-Simulation-Means-Survival.aspx2016-04-01T04:00:00ZWhen Simulation Means Survival
https://sm.asisonline.org/Pages/Book-Review--The-Alarm-Science-Manual.aspx2016-02-01T05:00:00ZBook Review: The Alarm Science Manual
https://sm.asisonline.org/Pages/Campus-ID-Gets-a-Makeover.aspx2015-11-30T05:00:00ZCampus ID Gets a Makeover
https://sm.asisonline.org/Pages/Access-Under-Control.aspx2015-08-10T04:00:00ZAccess Under Control
https://sm.asisonline.org/Pages/Washington-Navy-Yard-On-Lockdown-After-Reports-of-Shooter.aspx2015-07-02T04:00:00ZWashington Navy Yard On Lockdown After Reports of Shooter
https://sm.asisonline.org/Pages/Airports-Scrutinize-Employees.aspx2015-06-23T04:00:00ZAirports Scrutinize Employees
https://sm.asisonline.org/Pages/Driving-Toward-Disaster.aspx2015-06-15T04:00:00ZDriving Toward Disaster
https://sm.asisonline.org/Pages/10-Factors-to-Consider-in-Designing-Vehicle-Checkpoints.aspx2015-05-28T04:00:00Z10 Factors to Consider in Designing Vehicle Checkpoints
https://sm.asisonline.org/Pages/Night-Watch.aspx2015-05-01T04:00:00ZNight Watch
https://sm.asisonline.org/Pages/Book-Review-Integrated-Electronic-Security.aspx2015-02-09T05:00:00ZBook Review: Integrated Electronic Security: A Layered Approach
https://sm.asisonline.org/Pages/Preparing-for-the-Worst-2.aspx2015-01-21T05:00:00ZVIDEO: Preparing for the worst

 You May Also Like...

 

 

https://sm.asisonline.org/Pages/Healthy-and-Secure.aspxHealthy and Secure<p>​With more than 8,000 Locations across the United States and approximately 247,000 employees, drugstore chain Walgreens puts a priority on protecting its assets, employees, and customers. The company’s security team, located at Walgreens headquarters in Deerfield, Illinois, strives to respond to any incident that requires attention in a timely manner, whether it be a robbery or a door alarm.</p><p>“Responding to events and dispatching is extremely important, especially in critical situations where we want to provide the best services to our people,” says Hal Friend, director of physical security and fire prevention for Walgreens.</p><p>The corporate headquarters, known as the support office, is home to around 7,000 employees. The security department, referred to as Asset Protection Solutions, is made up of asset protection officers (APOs), a physical access control systems team, and security specialists, among others.</p><p>About five years ago, the company was looking to upgrade its access control solution at its corporate headquarters and distribution centers. “We realized that we had outgrown the old platform we were on, and it wasn’t going to be able to keep up with us,” Friend notes. <img src="/ASIS%20SM%20Callout%20Images/0717%20Case%20Study%20Stats.png" class="ms-rtePosition-2" alt="" style="margin:5px;width:289px;" /></p><p>Walgreens turned to the Genetec Security Center platform, which offered an integrated video and access control solution with various features to meet the corporation’s needs. The installation was rolled out over the last few years across the corporate campus’s more than 40 buildings and distribution centers, and the last phase of the installation was completed in February 2017. </p><p>Synergis, the access control platform from Genetec, is unified with Genetec’s Omnicast video management platform through Security Center, tying the support office’s 700 cameras into one system. </p><p>Synergis operates card readers and turnstiles located throughout Walgreens’ support office campus and allows Walgreens to easily issue temporary badges for employees who forget or misplace their credentials. If workers forget or misplace their cards, they must produce identification to one of the company’s APOs. “The APOs verify in Genetec that the person is a badged employee, and then we have a process in Synergis to issue them a temporary badge that will expire at the end of that business day,” Friend explains.  </p><p>Through Synergis, the company can also set an expiration date for temporary badges for vendors, consultants, and contractors who need access for only a certain amount of time. </p><p>Walgreens has a handful of high-security locations, such as data centers, which require two-factor authentication. The employees with access to these areas must present their card to the reader, and place their fingerprint on a biometric scanner. </p><p>The company has also deployed anti-passback measures, which means the worker must badge in and badge out of the high-security location to prevent the badge from being shared. “If you leave without badging out, it will prevent you from badging back in, because the system thinks you’re still in there,” Friend notes. “It helps enforce compliance in high-value areas, so that we have exact record keeping on who was where, when.”</p><p>Through Synergis, the security team can also generate ad hoc reports that show the company who has access to specific locations. “We send those reports to the managers of those high-value areas, such as the data centers, and they audit them routinely to ensure that people who have access still require access,” he says.</p><p>Security Center from Genetec integrates into the company’s own security operations center, a 24/7 monitoring location staffed with trained officers called security specialists. If an alarm goes off anywhere on campus, the officers can click the associated alarm notification to view the video. “It’s really easy to immediately get that footage to see what happened,” he notes. </p><p>Many of the cameras on campus are situated around the perimeter or pointed at access control points. This allows for easy review of video footage related to any alarms triggered by doors forced open or turnstiles that appear obstructed. If an alert goes off, “we can immediately dispatch an asset protection officer to respond to that alarm, realizing that most of the events are mistakes,” he says. “But we investigate them all in case we do have an intrusion.”</p><p>In addition to protecting the support office, these officers monitor Walgreens locations across the country and provide dispatch calls to local law enforcement in the event of an emergency, using a video management platform from a different vendor.  </p><p>When a burglar alarm goes off at any of the store locations, security specialists use high definition video to go back and view the video associated with the alarm. If they can confirm that an intruder set off the alert, they call the police. “We dispatch only on verified alarms to cut down on false alarm dispatching, which is appreciated by law enforcement,” Friend notes. </p><p>With the headquarters located in a suburban environment, near major roads and highways, Friend says that unwelcome visitors can wander onto campus, though it is a rare occurrence. “There was an instance where the Genetec platform helped us identify an individual who came to the campus, and was not supposed to be here,” Friend says. Using video, which they turned over to law enforcement, “we identified how he got in, and then assisted the police in the investigation to apprehend that individual and resolve the matter.” </p><p>Walgreens does retain video for a specified amount of time to remain in compliance with the various audits that the company participates in. </p><p>Friend says that Genetec Security Center gives the corporation the flexibility it needs to maintain business efficiencies while providing security. “We’re ensuring security, but at the same time we never want security to impede the needs of the workforce at the campus,” Friend says. “We really feel we have that experience today with what we have.”</p><p><em>For more information: Beverly Wilks, bwilks@genetec.com, www.genetec.com, 866.684.8006</em></p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465
https://sm.asisonline.org/Pages/Protecting-Executives-at-Home.aspxProtecting Executives at Home<p>​</p><p dir="ltr" style="text-align:left;">Maybe it's temporary copycatting, or it could be a new trend, but more and more executives and other high-profile figures are experiencing protest attacks at home.</p><p dir="ltr" style="text-align:left;">In just the first five months of 2017, protesters have gathered outside the homes—not offices—of the following U.S. executives, political leaders, and other prominent persons:</p><ul dir="ltr" style="text-align:left;"><li>Wells Fargo CEO Tim Sloan</li><li>Facebook CEO Mark Zuckerberg </li><li>U.S. Bank CEO Richard Davis</li><li>Robert Mercer, co-CEO of hedge fund Renaissance Technologies</li><li>Ivanka Trump</li><li>U.S. Senator Mitch McConnell</li><li>U.S. Representative Maxine Waters</li><li>U.S. Federal Communications Commission Chairman Ajit Pai</li></ul><p dir="ltr" style="text-align:left;"><br></p><p dir="ltr" style="text-align:left;">Protests at executives' homes are wildly unpredictable in their timing and other characteristics. Throngs ranging from a dozen to hundreds of protesters may appear overnight after a news report or a social media posting. This can happen despite the real possibility that the account that led to the protest is inaccurate, exaggerated, or even completely false. </p><p dir="ltr" style="text-align:left;">Regardless, spontaneous mobs or paid protesters may show up at an executive's house to express their displeasure, disturb the neighbors, block access to the home, and frighten the home's occupants by bombarding them with chants, signs, and angry marchers. </p><p dir="ltr" style="text-align:left;">One client of ours was targeted at home by protesters opposed to his company's marketing, which appealed to children. The protesters' presence and aggressive tactics caused the executive's special-needs son to panic and attempt to escape the home from a second-story window. Protests at homes are not always innocent. They are sometimes belligerent and can lead to bad outcomes for the family or the protesters. </p><p dir="ltr" style="text-align:left;">What can a security department or its executive protection division do to minimize the potential harm to executives (a duty they owe to those important, exposed employees) and even to protesters (whose injury could lead to bad press for the company)? </p><p dir="ltr" style="text-align:left;">The answer is anticipation and preventive measures. As for anticipation, one of our clients, a large multinational corporation, takes special efforts to track mentions of the company and its executives—not only in news sources but also in social media. The company's intelligence team also joins the distribution lists of adversarial organizations and, when possible, uses geofencing to monitor social media activity that mentions executives' homes or originates near them. Staff members also conduct research on the specific individuals who make potentially threatening comments online to gauge their possible dangerousness. </p><p dir="ltr" style="text-align:left;">In addition, it makes sense to delist the executive's home phone number to minimize the risk of abusive calls and to make it harder to find the executive's address. Delisting is difficult and not reliably permanent, but it is worth a try. A dedicated adversary may still be able to find the phone number and address, but there is no reason to make the task easy, especially for less-organized, spur-of-the-moment, or unbalanced persons. </p><p dir="ltr" style="text-align:left;">This anticipatory work, along with planning, makes it possible to implement special measures quickly when risk spikes. The following are some of the measures security personnel can put in place when they detect a plausible risk of protests at an executive's home:</p><ul dir="ltr" style="text-align:left;"><li>Provide security driving services to the executives and possibly to members of their families. Protesters may swarm or attack personal vehicles, and a security-trained driver would be better equipped to avoid or otherwise handle such incidents.</li><li>Contract for a law enforcement presence outside the executive's home. If the protesters remain on public property and are not violating the law, police may not do anything to protect the executive. However, a police officer in a marked or unmarked patrol car parked in front of the house may help keep the situation from escalating. </li><li>Set up temporary exterior video cameras, viewing 360 degrees outward from the home, to monitor and document protester behavior, especially any trespassing or throwing of projectiles.</li><li>Make sure the home has bright floodlights shining outward at night so protesters cannot easily trespass undetected.</li><li>Remind the family to turn on its security alarm system.</li><li>Consider having the family live elsewhere for a few days.</li></ul><p dir="ltr" style="text-align:left;"><br></p><p dir="ltr" style="text-align:left;">Protests at executives' homes are disturbing and potentially dangerous. They cannot be prevented, but with careful research and planning, they can be managed.</p><p dir="ltr" style="text-align:left;"><em>Robert L. Oatman, CPP, is president of R. L. Oatman & Associates, Inc.</em></p>GP0|#3795b40d-c591-4b06-959c-9e277b38585e;L0|#03795b40d-c591-4b06-959c-9e277b38585e|Security by Industry;GTSet|#8accba12-4830-47cd-9299-2b34a4344465
https://sm.asisonline.org/Pages/Access-Under-Control.aspxAccess Under Control<p>​<span style="line-height:1.5em;">Companies spend significant resources on access control equipment. Estimates of the size of the global market range from about $6 billion to around $22 billion, and a recent ASIS survey indicates that 57 percent of U.S. businesses will be increasing access control spending through 2016. </span></p><p>Upfront costs are just the start. Security professionals take time to determine which doors need to be locked and when.  They decide where to install readers and decide how to pro­cess visitors. Despite the effort spent on the access control equipment layout and maintenance, over time the access control database can become mismanaged. Requests for tweaks to reader groupings and access levels are continuous. One group may want time restrictions for the janitorial crew; another group may need access to one door but want to restrict others. If these accommodations are made without regard for the overall system, over time a complicated tangle of access control levels is created. The next thing you know, security no longer controls access; access control takes charge of the organization’s security, resulting in a chaotic mess.</p><p>BB&T, a large financial services institution headquartered in Winston-Salem, North Carolina, has protocols in place that ensure appropriate and accurate administration of access control systems at its corporate locations. The Fortune 500 company has more than 1,800 financial centers in 12 states.  In addition, it has approximately 120 corporate buildings–data centers, operations centers, call centers, corporate and regional headquarters–that have access control systems. ​</p><h4>Challenges</h4><p>Regulatory developments over the last decade make it necessary to closely maintain access control data. The Health Insurance Portability and Accountability Act of 1996 and Gramm-Leach-Bliley Act of 1999 require health­care and financial organizations, respectively, to keep strict watch over sensitive and personal information. The Sarbanes-Oxley Act of 2002 forced a strengthening of internal controls within corporations. More recently, the Payment Card Industry Data Security Standard requires that companies keep tight control over credit and debit card data. </p><p>These regulations, as well as others that affect specific industries, have brought more scrutiny to the administration of access control data. Most large organizations, especially those in regulated industries, have experienced an increase in audit activity as it relates to physical access controls. This means that regular reviews of access reports are required in many cases. For this reason, it is critical that the data in a company’s access control database be clean and accurate.  </p><p>Numerous challenges can arise from failing to properly maintain an access control system. Maintenance lapses can result in thefts when, for example, terminated employees get into a facility. What good is an access control system if, due to negligence in maintaining the system, people can enter places they shouldn’t? If your access control database has been around for years and has turned into a Byzantine web of access permissions, what steps can be taken to get control over the data? </p><p>Access control database administrators must have an ongoing process of maintaining the accuracy of the data. A standards-based approach must be taken to manage any effective access control program. Standards include defining the types of users in the system–employees, vendors, visitors, temporary card users– and establishing credentials for which each of these user categories will be managed and reviewed. Once the user categories are defined, space definitions and ongoing maintenance procedures must be established. ​</p><h4>Database management</h4><p>BB&T categorizes its cardholders into three groups based on the users’ network login ID. There are employees and contractors with a company network login ID; vendors, tenants, and others without a company network login ID; and temporary users. BB&T uses the network login ID for employers and contractors because the network ID is also used in the IT security database. This allows security to match the IT access records to the physical access records. Human resource data was considered for this match, but the bank determined that many vendors, temporary employees, and contractors who have a BB&T network login ID are not included in its human resource system. Matching the network login ID covers a majority of the organization’s users. If the records do not match, the user’s access is terminated.   </p><p>For cards not involved in the matching process, BB&T identifies a company employee who can serve as a sponsor for each vendor and tenant. The company conducts quarterly reviews of those cards, during which the company sponsor ascertains whether the vendor or tenant employee still works for the third-party company and still needs the BB&T card.</p><p>All temporary cards in the system are assigned to the individuals who have the cards in their possession. The temporary cards may be used by visitors, trainees, vendors, and employees who forgot their badge at home. Information on the cardholder is housed within the access control database. Quarterly reports for all temporary cards are sent to one person who is responsible for ensuring that their temporary cards are accounted for.  ​</p><h4>Space</h4><p>BB&T has established criteria and definitions of the physical space in its environment and categorizes space into three categories: critical, restricted, and general. Criteria are established for each category of space. The critical category is reserved for high-risk, critical infrastructure areas, such as server rooms or HVAC sites. Restricted space is office space for departments that the company deems restricted. All critical and restricted space is assigned a space owner. The space owner is then responsible for approving or denying people’s access to that area. General access areas are common doors and hallways.</p><p>For each category of space, standards are established on how access is governed. For example, the data center standards might state that janitors or nonessential personnel are not granted access without an escort. Standards also dictate who can approve access to that space and how often access reports should be reviewed. For example, critical and restricted space reports are reviewed monthly or quarterly.</p><p>Access devices are grouped together based on the categories of space and the users that access the space. This streamlines the access request process and makes it easier for the requestors to understand what access they are selecting. Grouping as many readers together as possible minimizes the number of possible groupings meaning that there are fewer choices for those requesting access. It also makes it easier to ensure that access reports are accurate, and it simplifies the process of approving access and access report reviews. If all readers for critical space to a building are grouped together, only one approval would be required for critical space and only one report would need to be reviewed.  </p><p>However, in some cases, minimizing groupings may not possible. For example, one group of users may be allowed into the IT area but only a subset of that group has access to the server room that resides within the lab. In this case, groups would be categorized by the users rather than the readers.</p><p>It’s also important to make sure that access levels and device groupings don’t overlap. This can complicate the request process and the report reviews and could cause access reports to reflect an incomplete list of users who have access to a space. For example, in a building with three readers, grouping one may include the front and back doors, and grouping two may include the communications room. If, in addition to these two groupings, there is an overarching grouping three that includes all three readers, this could create a problem since each of the three individual readers belong to two different groupings. In this scenario, if a request is made to determine who has access to the communications room, rather than producing a report of the communications room reader group, an additional report of the group of all three readers would need to be provided. In many organizations, this second step is missed, causing an inaccurate representation of those with access to a specific area. This can be a major issue if discovered during an audit.</p><p>Another way to remedy this issue would be to run reader reports on individual doors, in this example, a reader report on the communications room only. Most access control systems allow for this type of report. However, in companies with a large number of individual card readers, this would require many more reports. The same users often need access to multiple doors, so combining them into groupings that don’t overlap makes more sense than running individual reader reports. As a rule, BB&T does not allow a reader that has been deemed critical or restricted to belong to more than one reader grouping. This ensures that access reports are accurate and complete.  It does, however, require that a user who needs access to a full building, such as a janitor or security officer, request access to each area of the building rather than requesting overarching access to the entire building. This is beneficial, not only for reporting reasons, but also because it requires that space owners approve all users who have access to their space and holds the space owners responsible for knowing who is entering their space. Controls in the report review process can be set up to ensure that a space owner does not remove access for a janitor or security officer. Some systems allow cards to be flagged and would require a higher level of scrutiny before access is removed. Nonetheless, this is a cleaner way to set up access levels and ensures that space owners will review a report of all users that have access to their space, which is what most auditors are looking for.   ​</p><h4>Clean-Up</h4><p>If an access control system has become muddled over time, a database clean-up is recommended. A good place to start is to deactivate all cards that have not been used in a specific timeframe, such as the previous six months. Thus there will be fewer cards to review. Then, security can find a common piece of data with another database in the company that provides a match of current employees. Human resource or information security data is best to determine whether active cardholders in the system still work for the company. Of the remaining cards for nonemployees, visitors, tenants, and contractors, security should research whether the card users can be associated with a manager or employee within the company. Security can work with these internal partners to implement an ongoing review of access cards. ​</p><h4>Maintenance</h4><p>Performing a regular match of human resource or information security data ensures that cards are deactivated for users whose information does not match that on the card. If a user is not captured in the match, that person should be assigned to a sponsor for quarterly review to determine whether any credentials need to be terminated. Access reports should be reviewed for all nongeneral space to ensure that users still need access to the designated areas. Such reviews should take place at regular intervals–not more than quarterly. An important piece of the access request process is to ensure that all necessary information is captured to support the new standards and to support the report review. For example, if the request is for a visitor, security should capture the name of the person who will have that card in their possession during the request.   ​</p><h4>Automation</h4><p>BB&T is working to upgrade the auto­mation of its access control request and audit reporting system by the end of 2015. It is considering software that automates the entire access control database management process from the onboarding human resource system to the access control system. This would include a software interface that would be fully integrated with the information security credentialing system. The ideal software would fully integrate with the access control system where approved access is automatically provisioned with no human intervention.</p><p>Cost is a major factor in implementing such automation. Some companies choose to automate pieces of the process. Some use a simple Web portal form that sends e-mails to approvers and ultimately e-mails the request to the team that provisions access or provides a dashboard for the access control team to view requests. Many companies have integrated with human resource or information security data to update their access control system, which allows for the automatic deactivation of cards for terminated employees, vendors, or contractors. Others have found a way to automate the report reviews. Few access control manufacturers provide these additional software tools in combination with their access control software. Some will work with or direct their customers to third-party solutions, while others are beginning to see the need for automation and are incorporating pieces into their standard software package, such as more robust reporting capabilities.  </p><p>These efforts may seem daunting, but once the standards are set and the database is cleaned up, ongoing maintenance is initiated, and some level of automation is implemented, the system will be under control. It is imperative that security professionals see beyond the equipment and installation and not rely solely on these for protection. A sound maintenance program ensures that, should access control processes be called into question, security can be confident that the company’s program is under control.  </p><p>--</p><p><em><strong>Briggette Jimenez, CPP,</strong> is physical security manager at BB&T where she manages the company’s security command center, security operations, and workplace violence prevention programs.</em></p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465