It seems everyone is paying more attention to security these days, and it is warranted. Considering the recent data breach at Facebook, data security is high on the list, but physical security and access control should be an integral part of preventing these and other types of security threats.
Unauthorized physical access could lead to stolen data, theft of property, destruction, vandalism, and bodily harm to employees.
Consider how one young man, given physical access, used a USB device to destroy computer equipment. Such a USB device could also contain malicious programming to infiltrate and/or wreak havoc with computer systems.
Physical security is and should be a primary concern of workplace security efforts. Fences or walls around parking lots, locked building doors, security cameras and security personnel are all physical and organizational barriers that keep property and people safe.
Access control is the process of determining and enforcing who has access to buildings, grounds, equipment, and sensitive areas. Understanding who is on property and who is inside buildings is important to preventing the types of crimes that make headlines. It can also be a safeguard in emergency situations so emergency response personnel can count people to ensure that everyone has evacuated and is accounted for.
It goes beyond simply securing the premises from the unknown criminal. Robust access control also keeps employees from going where they are not supposed to go. If an organization deals with sensitive chemicals, equipment, or data, employees without proper clearance should not be poking around. They could easily harm themselves, damage equipment or get and share information they should not have.
Of course, password protected computer networks are also a form of access control. Digital access control is also a very important component of security designed to protect an organization’s private information, files, programs, databases and infrastructure.
Robust security starts by doing research, planning appropriately and following the best practices in security.
In the computer world, the principle of least privilege restricts what rights a computer user has. They may be able to enter things into a database, but they may not be able to define fields in that database. They may not be allowed to install new programs, but they may be able to delete files from a certain set of folders. The idea of least privilege ensures that a user can’t mess things up for others, either accidentally or on purpose, or at least is much less likely to be able to do so.
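The database case described above (a user who may enter rows but may not define fields) can be shown with SQLite's authorizer hook. This is an added example, not part of the original article; the table name `lab_samples` and the policy function are hypothetical.

```python
import sqlite3

TABLE = "lab_samples"  # hypothetical table used for the illustration


def data_entry_policy(action, arg1, arg2, db_name, source):
    """Authorizer callback: allow inserts and reads on TABLE, deny everything else."""
    if action == sqlite3.SQLITE_TRANSACTION:   # BEGIN / COMMIT / ROLLBACK
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_SELECT:        # the SELECT statement itself
        return sqlite3.SQLITE_OK
    if action in (sqlite3.SQLITE_INSERT, sqlite3.SQLITE_READ) and arg1 == TABLE:
        return sqlite3.SQLITE_OK               # row entry and column reads on TABLE only
    return sqlite3.SQLITE_DENY                 # schema changes, deletes, other tables


def open_as_data_entry():
    """Create the schema with full rights, then drop to the data-entry policy."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {TABLE} (id INTEGER PRIMARY KEY, label TEXT)")
    conn.set_authorizer(data_entry_policy)
    return conn


def attempt(conn, sql, params=()):
    """Run one statement and report whether the policy allowed it."""
    try:
        conn.execute(sql, params).fetchall()
        return "allowed"
    except sqlite3.DatabaseError:              # SQLite reports "not authorized"
        return "denied"


if __name__ == "__main__":
    conn = open_as_data_entry()
    for sql, params in [
        (f"INSERT INTO {TABLE} (label) VALUES (?)", ("A-17",)),
        (f"SELECT id, label FROM {TABLE}", ()),
        (f"ALTER TABLE {TABLE} ADD COLUMN owner TEXT", ()),
        (f"DROP TABLE {TABLE}", ()),
    ]:
        print(f"{attempt(conn, sql, params):8} {sql}")
```

The policy denies by default: anything not explicitly listed, including deletes and access to other tables, is refused.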
Depending on the type of workplace, the principle of least privilege may also apply to physical access to areas within the building and grounds. In a highly regulated, semi-hazardous research and development laboratory, it is unlikely the administrative assistant should have or need access to the laboratory. Thus, they should not have security clearance so they do not accidentally harm themselves or contaminate an experiment.
Baseline access works in conjunction with the principle of least privilege. Baseline access is the access that everyone needs. While certain members of an organization may not have access to restricted areas, everyone will likely need access to the main entrance, the restrooms (at least any that are NOT in restricted areas), the cafeteria or break area, and certain other common spaces.
Baseline access for employees may be different than baseline access for visitors.
Entrance access control is the process of creating physical barriers to entrance that only release with proper clearance. These are doors, turnstiles, etc., which lock and keep employees and people accountable when going between areas.
ID cards, and possibly ID cards that serve as key cards to unlock doors. If employees are issued IDs upon starting employment, their identity is verified. Using cards as keys both helps grant access to areas based on the person’s role and identity and creates a record of an employee’s movements.
Visitors can also be issued visitor badges that are somehow different from employee cards so people can recognize them as visitors. These cards may have baseline keycard access, or no keycard access at all, depending on the security level of the organization.
Regular communication plans are necessary. Some possible elements to include are:
One way to ensure that all the people onsite are accounted for is to have a visitor management system in place. These systems enable an organization to keep tabs on who is in the building, for what purpose, and what kind of access they have.
A good visitor management system will:
The best visitor management systems combine a watchful staff member with a digital visitor check-in kiosk. Having a set of human eyes ensures that every person is actually checking in. It is all too easy to slip in through an open door behind someone else who has already checked in.
At the same time, the digital system frees up staff time to accomplish other necessary tasks. It can require guests to fill in certain fields, like name, phone number and host employee, whereas it is easy to skip fields on a paper log, or a staff person might take shortcuts to save time.
In addition, the digital system is an incredibly useful tool for record keeping. If a theft occurred within a known time frame, a digital system is easy to search for records of all the guests who were on premises during the time in question. (This requires guests to check out and turn in their visitor badges.)
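The time-frame search described above, including the case where a guest never checked out, looks like this in practice. This is an added example, not part of the original article; the record layout, names and timestamps are constructed for illustration.

```python
from datetime import datetime

# Constructed sample log; check_out is None when the badge was never returned.
VISITS = [
    {"name": "A. Rivera",    "check_in": "2024-03-05T09:10", "check_out": "2024-03-05T10:00"},
    {"name": "B. Okafor",    "check_in": "2024-03-05T10:30", "check_out": "2024-03-05T11:15"},
    {"name": "C. Lindqvist", "check_in": "2024-03-05T11:40", "check_out": "2024-03-05T13:00"},
    {"name": "D. Patel",     "check_in": "2024-03-05T08:45", "check_out": None},
    {"name": "E. Moreau",    "check_in": "2024-03-05T12:30", "check_out": "2024-03-05T13:10"},
]


def visitors_during(visits, start, end):
    """Return (confirmed, unconfirmed) guest names for the window [start, end].

    confirmed:   check-in and check-out times prove the visit overlapped the window.
    unconfirmed: the guest arrived before the window closed but never checked out,
                 so the log cannot show whether they were still on premises.
    """
    start = datetime.fromisoformat(start)
    end = datetime.fromisoformat(end)
    confirmed, unconfirmed = [], []
    for visit in visits:
        arrived = datetime.fromisoformat(visit["check_in"])
        if arrived > end:
            continue                              # arrived after the window closed
        if visit["check_out"] is None:
            unconfirmed.append(visit["name"])     # missing check-out: cannot rule out
        elif datetime.fromisoformat(visit["check_out"]) >= start:
            confirmed.append(visit["name"])       # left during or after the window
    return confirmed, unconfirmed


if __name__ == "__main__":
    on_site, unknown = visitors_during(VISITS, "2024-03-05T11:00", "2024-03-05T12:00")
    print("On premises:", on_site)
    print("No check-out recorded:", unknown)
```

Every missing check-out lands in the second list for any later window, which is why the search is only as reliable as the check-out procedure.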
In another scenario, a problematic guest – such as an angry ex-employee – can be flagged in the system. This red flag might require the ex-employee to meet with a corporate mediator or lawyer when on premises, be accompanied by a security officer or another employee, or prevent the person from entering the main building altogether, instead requiring them to remain in the lobby.
A visitor management system does not just include the digital system for checking in. It also requires certain employee procedures, both from anyone who staffs a welcome desk and from those employees who invite guests.
Some possible expectations and requirements for employees may be:
Access control in all of its forms – computer access, and physical access – is, quite frankly, the backbone of any organization’s security efforts. Without appropriate access control, it is far too easy for employees and unauthorized people outside of the organization to do damage in multiple ways.
Digital and physical access control carry risks that aren’t all that different from one another.
Unauthorized computer access could lead to:
Implementing all the elements of access control helps to prevent these and other problems caused by employees or visitors. ID cards, passwords, visitor management, and more keep everyone more secure.
Implementing physical security and access control measures is an ongoing process. As an organization and the community it serves evolve, so does the risk level. Regular audits, committees that re-evaluate procedures, and ongoing enforcement and vigilance are necessary for a safe environment for employees to do their work.