Practical Steps to Improve Access Control Maintenance on Campus
Being proactive when it comes to things like database management and firmware/software patches can reduce potential problems in the future.
Back in the days when locks and keys were the standard-bearers for access control, performing routine maintenance was a relatively straightforward proposition. If a lock was faulty or keys needed to be replaced or made for new hires, a locksmith or custodian could simply replace the hardware or duplicate the necessary keys. Times have changed, however, and so too have the technologies that campuses use to keep students, patients, clinicians, staff and faculty members safe.
The introduction of electronic access control systems and the software platforms that manage them has brought numerous advantages. By leveraging credentials instead of keys, administrators and other school, university and hospital officials can not only keep tabs on who exactly is in their buildings at a given time, but they can also see when they arrived, what areas they accessed while they were there and when they left the premises. Of course, the ongoing upkeep that’s needed for these systems goes well beyond making sure the locks on the doors remain operable.
Proactive Database Management is Critical
Perhaps the greatest need all organizations have when it comes to maintaining their access control management system is that of reliable IT support, either from in-house personnel or a trusted systems integrator. In any event, those given the responsibility of managing the access control system should place database management front and center on their agenda.
Ideally, every access control platform should have a feeder database of some sort, such as an HR management system, sharing data with it so that records don’t need to be created inside the physical access control system (PACS) itself and to ensure the information remains current.
However, this is oftentimes not the case, and this lack of synchronization results in records never being purged, improper history archival, duplications of records, rampant misspellings, and access privileges and restrictions failing to be updated for employees as their position changes within a hospital, school district or college.
Despite the threat posed by disgruntled employees, it’s not uncommon to find workers who have been terminated who still have an active credential and access privileges in an organization as a result of a breakdown in communication between security and HR. For many organizations, their idea of routine maintenance is only going into their PACS based on an absolute need, such as when a new employee needs to be added to the system or if someone must have a new ID card printed. That’s why some companies may only have about 5,000 employees on their payroll but nearly 40,000 listed within their active directory.
Being proactive in managing the database that feeds your access control system is a critical step that could save you a lot of headaches down the road.
Apply System Patches and Updates
Second to performing routine database management, it’s paramount that campuses apply relevant firmware and software updates in a timely manner to not only their access control hardware devices and management platforms, but also on the overall operating system (OS) they use. Often when an integrator is contracted to overhaul a security system within a school, hospital or university, when they get into the nuts and bolts of the actual implementation, they realize that end users’ computer systems haven’t been updated in many years. You can’t make the leap from an operating system like Windows 98 to Windows 10 with a simple patch.
In addition to facilitating a smooth transition for a new access control system, applying patches will also help schools minimize their exposure to cyber threats, which is an area of ever-increasing concern.
Last year’s Equifax data breach that exposed the personal information of more than 140 million Americans was because of a Web application vulnerability that had been patched more than two months earlier. There isn’t a week that goes by in which Microsoft and other OS providers publish software updates to address various vulnerabilities. Any maintenance contract entered into between a campus and a systems integrator must include a clause that covers firmware and software updates and the identification of who is responsible for applying them.
You don’t want something as simple as failing to update or apply a patch to your access control system to be a means by which hackers can infiltrate your network or, worse yet, actually help criminals to physically circumvent your security system. The rise of cloud-based access control solutions and hosted services has allowed patches and software updates to be performed automatically without any involvement from the end user or integrator, but many organizations, including schools, have policies in place that prohibit keeping data off premises, so that may not be the answer for securing campus environments.
Where to Turn for Help
Because of budget constraints, many school districts and other types of campuses have a limited number of IT personnel. Often their resources are already stretched thin as they are trying to keep the networks of the facilities they are responsible for up and running. That means the task of keeping the PACS up to date could get put on the back burner, creating significant vulnerabilities. This is where security systems integrators can play a valuable role in helping to maintain access control systems within campuses.
The most successful access control implementations are those in which there is a strong relationship between the end user, integrator and manufacturer of the hardware and software components of the system. In many instances, an integrator working on a campus project is responding to a bid document and bidding on said project that is well-defined. However, the project definition may only cover the installation of the system and not the administration of it, which may leave the organization responsible for programming and setting up the database. As previously noted, this may not be an optimal situation considering the limited resources of many campuses.
Also, a hospital, university or school might have a good idea of what they want to achieve with a new access control system but they might not necessarily know the best way to go about it. Having a manufacturer that actively engages on projects should be a key consideration for campuses looking to upgrade their access control technology as they can provide training courses to show them how a PACS solution can meet their various needs, as well as help them understand all its complexities and the capabilities it can provide.
Nearly any integrator can provide the necessary maintenance of the mechanical devices involved in access rdeployments. However, not all of them can address some of the more subtle, ongoing services that I’ve already mentioned. Among some of the other maintenance steps you should cover with your integrator partner include:
- Establishing standard naming conventions. Having good descriptions on where physical devices are located within a facility and how they are named is critical.
- Having a standard template. Making sure all of the doors are similar and the systems are wired consistently is crucial. Using a color-coded system is advised.
- Avoiding spelling errors. Humans make mistakes; it’s a simple fact of life. However, it can be a cause for concern when it comes to assigning credentials and granting access privileges in a school, university or hospital.
This list is by no means comprehensive and I would encourage you to employ the best practices that make sense for your application. However, applying these basic steps within your organization is a solid foundation on which to build future security projects.
Mitchell Kane is president of Vanderbilt Industries. This article was originally published March 2018.
Leading in Turbulent Times: Effective Campus Public Safety Leadership for the 21st Century
This new webcast will discuss how campus public safety leaders can effectively incorporate Clery Act, Title IX, customer service, “helicopter” parents, emergency notification, town-gown relationships, brand management, Greek Life, student recruitment, faculty, and more into their roles and develop the necessary skills to successfully lead their departments. Register today to attend this free webcast!
You are spot on about the maintenance thing. But there is are a lot of things you did not note. Too many in fact, to go into here. Anyway, one statement you made about metallic keys is not exactly correct. It is not strait forward and it is extremely difficult to do correctly. I have done many security assessments in my days and i have not seen a single institution that was even close to being correct. Particularly in colleges and universities, control of metal keys (assuming it can be done at all) is the single most difficult security task. In comparison, keeping up with a card system is a piece of cake.