Access control systems help counter unauthorised access to a company’s facilities, which is a vital security installation as it’s one of the most dangerous incidents that a business can face. It is the prelude to virtually every conceivable kind of crime, from assault to data breaches and from equipment theft to industrial espionage. Unsurprisingly, this makes physical access control installations one of management’s major priorities when opening new UK facilities or overhauling existing ones – and the maintenance of these systems one of their top long-term priorities.
According to a study conducted by the Home Office, approximately 33,000 on-premise incidents – including burglary, vandalism, vehicle and property theft – have affected companies in the IT and communication sector in 2015. The following year, the Home Office found that almost 1 in 5 companies in the administration & support industry has experienced on-premises crime. Physical breach incidents are harmful not only to the physical well-being of employees, but also to a company’s financial well-being, reputation, and business opportunities. For example, according to a study conducted by Ponemon in collaboration with IBM in 2016, the average cost associated with the loss of data exceeds 100 GBP per single record of information lost – a disastrous statistic if you think about the hundreds or thousands of customer records that even small companies can hold today. FSB estimates that, for small UK companies, the average cost of offline crime per business affected is almost 6,000 GBP, and nearly 3,000 GPB for cybercrimes.
Broadly speaking, access control systems perform four major functions: identification, authentication, monitoring and recording.
Authentication, as its name implies, refers to the process of identifying the person who is attempting to gain access to an area, either uniquely or as part of a particular group.
Authorisation refers to the process of granting (or denying) access based on the identification process.
Monitoring refers to the process of supervising access, from the moment it is requested to the moment when it ceases.
Finally, recording refers to the process of saving and logging any useful data regarding this process. Basic access control systems can at least record access events (granting or denying access, and who attempted to gain access), but it is becoming increasingly common to maintain more comprehensive records, including, for instance, CCTV footage of access attempts.
Personnel authentication is the most visible of these functions. Its aim is to verify who a person is, or what credentials he or she holds – in other words, to ask them to present their identity, and to verify their identity through some mechanism. This can be done by verifying access codes, tokens (such as the familiar magnetic stripe card) or biometric data, such as fingerprints or iris patterns. Identification based on the first two types of data does not rely on verifying a person’s identity per se; rather, they verify that a person holds some particular information or physical object that is issued in a controlled manner, only to people belonging in specific groups (employees vs. visitors, IT personnel vs. administrative personnel etc.). Biometric data, however, is essentially unique to each person, and allows unique identification of an individual.
Authorisation is granted based on a specific set of rules, and is implemented through various types of access control components, such as door locks or turnstiles. The rules can vary, from group-based, generic access (such as granting access to the main facilities to anyone who presents an employee badge – and is, presumably, an employee) to specific, identity-based access (such as allowing access to highly-sensitive equipment only to certain employees using fingerprint-based authentication).
Access control is relevant only insofar as it is continuously monitored. At a minimum, it should be possible to know whether someone is present on-premises or not, but more advanced features, such as tracking, are sometimes required. Oftentimes, access control systems are integrated with general surveillance systems, so that the consequences of every access attempt can be tracked. And, generally, besides this continuous monitoring, some form of record keeping is also required. This is useful not only in case incidents need to be officially reported – it is also a useful source for internal evaluation and optimisation, and can also be integrated with HR and staff databases to provide time and attendance data.
This wealth of features and potential implementation mechanisms makes planning and designing an access control system a very complex task. It needs to balance a company’s current security requirements, future development, and the costs associated with implementing them. Furthermore, access control system installation is a very painstaking task, which requires specialised knowledge, advanced skills and a rigorous procedure.
Access control system installation and planning have to take into account a great deal of industry- and country-specific standards and regulations. In the UK, industry-specific standards include BS EN 60389-11, BS EN 50468, which specifically deal with security systems, and general electrical installation standards, such as BS 7671. However, UK companies that use access control systems also need to follow a diverse set of legal requirements, such as those concerning access for disabled persons, outlined in the Equality Act 2010.
Some manufacturers, such as Paxton, one of the leading manufacturers of access control systems, choose to impose additional requirements upon their partners. They disseminate and enforce these requirements through training and certification services, which focus on both general regulations, such as international standards, and manufacturer-specific knowledge and skills. Therefore, when offering such a certification, these companies vouch not only for their partners’ knowledge of their portfolio, but also for their compliance with international and regional standards.
This wealth of features and potential implementation mechanisms makes planning and designing an access control system a very complex task. It needs to balance a company’s current security requirements, their future development, and the costs associated with implementing them. Furthermore, access control system installation is a very painstaking task, which requires specialized knowledge, advanced skills and a rigorous procedure.
Access control system installation and planning have to take into account a great deal of industry- and country-specific standards and regulations. In the UK, industry-specific standards include BS EN 60389-11, BS EN 50468, which specifically deal with security systems, and general electrical installation standards, such as BS 7671. However, UK companies that use access control systems also need to follow a diverse set of legal requirements, such as those concerning access for disabled persons, outlined in the Equality Act 2010.
Some manufacturers, such as Paxton, one of the leading manufacturers of access control systems, choose to impose additional requirements upon their partners. They disseminate and enforce these requirements through training and certification services, which focus on both general regulations, such as international standards, and manufacturer-specific knowledge and skills. Therefore, when offering such a certification, these companies vouch not only for their partners’ knowledge of their portfolio, but also for their compliance with international and regional standards.
The design of an access control system revolves around correctly identifying access control requirements and the means to implement them. This is done through a process known as security grading, where access control points are classified in four classes or grades, based on the type of business and the risk associated with unauthorized access to each section of the premises. BS EN 60839-11-1 defines four grades or classes, from Grade 1 (Low Risk) to Grade 4 (High Risk), and access points are graded based on a survey procedure.
This initial survey takes into account the type of activity performed in each area, the staff who performs it, the persons who need to be present for it (whether staff or otherwise), what sensitive data needs to be retained in order to comply with specific legal regulations and for how long, and many other such aspects.
At the bottom of the risk scale are low-risk access points, such as those leading to internal areas where restricting public access is all that is needed. These access points can be secured using nothing more than hardwood doors and a standalone lock with a code, card or fob, and requires little to no monitoring. Grade 1 areas include, for instance, retail stores or waiting rooms.
The demands of most commercial companies will not exceed Grade 3 (medium to high risk areas), which require on-line systems using two-factor authentication or single-factor biometric authentication and real-time monitoring. Typical examples of Grade 3 areas are server rooms and data centres. Grade 4 (high risk) areas are the mostly costly to secure, and reserved for areas with highly specific activities, such as advanced research activity or airport cargo screening.
Correct grading is the cornerstone of a solid and cost-efficient design; underestimating access control requirements leaves your business unable to deal with certain risks, whereas overestimating them results in a needlessly expensive system that is costly to maintain and hampers day-to-day activity. Many businesses need little more than Grade 1-level protection, and companies which need Grade 2-, 3- or even Grade 4-level protection only require it for a few areas in their offices.
However, while correct grading is a necessary characteristic of a solid design, it is not the only quality that defines an access control system as adequate or inadequate. Design and planning activities also need to consider requirements such as integration with existing systems (such as staff databases or surveillance systems that are already deployed), the logistics of issuing, deploying and revoking access tokens, and long-term business development needs, such as scaling with the size of the company’s staff or upgrading access control panels.
The demands of most commercial companies will not exceed Grade 3 (medium to high risk areas), which require on-line systems using two-factor authentication or single-factor biometric authentication and real-time monitoring. Typical examples of Grade 3 areas are server rooms and data centres. Grade 4 (high risk) areas are the mostly costly to secure, and reserved for areas with highly specific activities, such as advanced research activity or airport cargo screening.
Correct grading is the cornerstone of a solid and cost-efficient design; underestimating access control requirements leaves your business unable to deal with certain risks, whereas overestimating them results in a needlessly expensive system that is costly to maintain and hampers day-to-day activity. Many businesses need little more than Grade 1-level protection, and companies which need Grade 2-, 3- or even Grade 4-level protection only require it for a few areas in their offices.
However, while correct grading is a necessary characteristic of a solid design, it is not the only quality that defines an access control system as adequate or inadequate. Design and planning activities also need to consider requirements such as integration with existing systems (such as staff databases or surveillance systems that are already deployed), the logistics of issuing, deploying and revoking access tokens, and long-term business development needs, such as scaling with the size of the company’s staff or upgrading access control mechanisms.
A less obvious, but equally important class of safety requirements refer to safety in case of emergency. Access control systems are inherently designed to restrict entry or egress, but egress needs to be free under certain circumstances, such as fires. According to the NSI, the design and installation of access control systems “must not conflict with fire regulations and must not restrict exit in such a way as to endanger people in an emergency”.
In addition to these four primary requirement classes, modern access control systems can perform a variety of other functions, such as integration with a staff personnel database, real-time alerts using various delivery mechanisms (email, text, etc.)
Access Control Systems Installation
Deploying access control systems is one of the most difficult tasks that security engineers face. It requires adherence to a multitude of standards and legal requirements, dealing with a wide range of equipment, from heavy doors to sensible fingerprint readers, and careful quality assessment and testing.
In the UK, the main body of requirements and recommendations for access control systems installation is NSI’s NCP 109 Code of Practice for Planning, Installation and Maintenance of Access Control Systems. This document supplements and clarifies the large set of security, quality and safety standards that we mentioned above.
Requirements related to access control systems installation are design to guarantee four major aspects: security, integrity, reliability and safety. That is, an access control system must provide a security level matching the risks associated with a business’ operation (security), must do so without being susceptible to tampering, bypassing or disabling (integrity), and must do so in a manner that does not endanger the health and well-being of employees and general public.
Implementing proper security begins in the design stage, when equipment is selected based on the security requirements drafted after surveillance and grading. However, the final stage – its physical deployment – is also critical. Proper deployment is critical to every physical access component carrying out its purpose. For example, CCTV surveillance systems can be hampered by improper lighting, thus jeopardizing audit trails by rendering CCTV images unusable for identification.
The integrity of an access control system is just as important as its security features. Indeed, if an access control mechanism, such as a magnetic door lock or a turnstile can be bypassed, it no longer offers any meaningful access restriction. The integrity of a system is ensured through measures taken both at installation and design time. At design time, it is ensured by selecting mechanisms with the correct protection parameters – such as the proper type of internal or external doors (made from adequate material and with adequate holding force) and by provisioning certain installation requirements, such as protective conduits for cables deployed outside controlled areas. However, in order for equipment to function at its rated reliability parameters, it needs to be properly installed, using adequate materials and tools and following the installation procedure prescribed by the manufacturer.
Requirements related to reliability – the equipment’s ability to function correctly at all times – are also strictly regulated. Access control systems can use uninterruptible power supplies (UPS) and redundant power and data paths in order to ensure that it continues to function properly even in case of power failures or incidents such as earthquakes and fires.
The fourth, and final concern of access control systems installation procedures is safety. The most visible aspect is operational safety – much of which, however, is inherently dealt with by integrity and reliability requirements. Operational safety requirements including routing cables so that they do not present a tripping or electrocution hazard and ensuring adequate shielding for electrical equipment such as electromagnetic door locks and PIN entry panels.
Given the importance of access control for modern businesses, it is of no surprise that access control systems installation is such a complex topic. As we have seen, it is meant to implement a highly complex design, while respecting a great deal of requirements imposed by governments, standard bodies, and sometimes even equipment manufacturers.
At the same time, identifying the correct security requirements is a challenging process in and of itself. While there is a place for advanced features such as two-factor authentication and facial recognition, many businesses need little more than eliminating the need for front door keys, which can be implemented using a simple PIN-entry panel or a card swipe door controller.
If you’re looking to upgrade your security, ACCL is your ideal partner. We are Paxton-certified partners, which means we adhere to the highest industry standards. Even more, we have been in this business for more than 25 years and all our clients rave about the quality of our services.
In need of access control installation services? Let’s talk and schedule your FREE, no-obligations consultation.
Services relating to this post: Access Control Installation, CCTV installation, Security barriers, IP Security
Related topics: Hands-free access control Standards
