Access control: the wider issues

The principles and methodologies associated with access control as a key security measure have evolved throughout the ages to meet the ever-changing threats to life and property.

From the basic locked door, moat and drawbridge approach of centuries past to the latest biometric technology, those charged with protecting both persons and assets have witnessed an increasing deployment and sophistication of these systems both within the domestic and work environments.
    
Whilst the emergence of the ‘gated communities’ model and other security control measures within our society is evidence of the concerns that many have for their safety in the domestic environment, it may be argued that there still remains an element of complacency amongst those responsible for the funding and daily use of such projects in the workplace. This is a source of obvious frustration for the professional security practitioner. The deployment of these measures in the domestic setting stems from a strong desire to protect oneself and/or family and possessions. However, it may be argued that in many industries, the transfer of those security anxieties and practices to the workplace environment is more problematic. One of the factors that inhibit the effectiveness of access control in the workplace is the reluctance demonstrated by some staff to fully embrace the principles of this element of security with a conscientious and consistent response, focusing more on the perceived inconvenience as opposed to the benefits.

The definition
Access control manifests itself in a variety of different ways and operates on a variety of different levels. The label can be applied to any process that seeks to control or qualify entry to premises or access to information based on certain criteria. It is seen by the security practitioner as a significant element in that part of the crime reduction approach referred to as primary prevention, adhering to the principle of ‘defence in depth’, referred to in a previous article by Nick van der Bijl, aptly entitled ‘Let the right one in’ (Health Business 9.6). As a fundamental element in the ‘target hardening approach’ it supports the Home Office principles of crime prevention. It is central to the concept of ‘defensible space’ and serves to increase the effort that a potential offender would require to achieve their objective.

Types of access control

Access control incorporates a range of features, including biometric and other forms of technology and hardware, from passwords and personal identification numbers (PINs) in computer systems to entry phones. From a healthcare perspective, access control can integrate with infant and vulnerable patient electronic tagging systems and the security of controlled drugs, monitoring the movement of assets, human or otherwise, within a location and beyond the agreed parameters.
    
Regardless of the complexity and sophistication of any such system, it should, in keeping with smart security practices, form part of an integrated security model that incorporates such other functions as effective CCTV monitoring and critical alarm systems. The deployment of signage, advertising that such systems are in place, can be an effective strategy sending out a clear message with the aim of reassuring those with legitimate access.         
    
Equally, these environmental cues may serve as a deterrent influencing potential offenders when they assess the risks of offending.  

Assessing the internal threat

Such systems can serve to confront both the external threat and the threat from within. The issues in addressing the external threat are invariably more straightforward where all the crime prevention layers can be called into play. Addressing the internal threat is far more complex and access control must be accompanied by such functions as continuous behaviour observation.     
    
The integrated approach requires that access control systems should be capable of interfacing with a panic alarm, lone worker alarm and asset management tracking systems to support a variety of emergency responses. This would include the ability to initiate an urgent lock down and/or lock in procedure that an organisation may need to deploy in the event of an internal untoward incident or an external incident that may impact adversely on the organisation’s activities, such as the threat from activists. However, discretion needs to be applied in all such eventualities. The deployment of electronic methods to restrict an offender’s escape could induce panic with the potential for the incident to escalate to a hostage situation within the workplace. Other health and safety issues could equally apply.

Therefore, in keeping with the modern threats and the range of potential adverse outcomes, such systems should be part of a robust, resilient programme which should be the subject of regular review, including penetration testing.

Educating users
The process of educating users is fundamental to the success of such initiatives. Regardless of how sophisticated a system may be, the potential to undermine such measures as a result of human error or omission is ever present. All users must be educated as to how to respond when others seek to gain access on their individual transaction, commonly referred to as ‘tailgating’. The consequences of such carelessness can be very serious. However, security practitioners should legislate for the possibility that the member of staff may be acting under duress to facilitate unlawful entry into a critical area. Consideration should be given to the installation of panic alarms at such locations.
    
Other breaches may occur when staff, for the sake of convenience, leave doors open and unattended for lengthy periods. Such doors should be fitted with a local audible alarm that activates after the door has been open for more than an agreed period. This would alert those in the immediate vicinity that a security breach is taking place. This alarm should also feed through to a security control room. Such breaches provide the opportunity for the security practitioner to emphasise the fact that all users have both a moral and contractual responsibility to support the principles associated with the concept of a safe and secure environment.

Planning makes perfect
Planning is critical to the success of any project that seeks to introduce or add to an existing access control system. Where a system has been modified, the new installations should be backwards compatible and capable of interfacing with existing systems. Such initiatives must also embrace the best principles of project management. Besides cost, other prime considerations will include the initial risk assessment that informs the decision making process along with the element of disruption that will arise in the installation process. The safety and security of all who interact with the organisation and the security of assets are other prime considerations, along with an understanding of future capital projects that may impact on security.

The importance of collaboration
All projects, security or otherwise, are vulnerable to the ‘fools rush in’ approach. The step from theory to practice can be a major leap littered with problems. In their study ‘Theorizing About Security’, Manunta and Manunta (2006) suggest that the nature and setting of the asset to be protected, along with the resources and existing defences around that asset, incorporating technology and working practices, are fundamental to any decision.

Further critical issues for consideration include compliance with relevant legislation, including fire regulations, organisational culture, management, operational and economic factors. Success is determined by the quality of the analysis of the control measures with a systematic reasoned approach to the task. Any unplanned changes can make the difference between success or failure or not achieving the total desired outcome. With these factors in mind, there needs to be a clear co-ordinated strategy involving collaboration with all client partners as part of the process of buying in to the programme. Hopefully such an approach will ensure a relatively seamless transition.  
    
Once the capital bid for a new access control system has been granted, the security practitioner, if fulfilling the additional role of the project manager, should consider commissioning an independent consultant to evaluate the specific requirements and ensure that the principles of best value are central to all project considerations. This will apply at the stages where consideration focuses on design specification, terms and conditions and ensuring that effective after sales support is in place with an appropriate maintenance contract to ensure sustainability of the product and functions. The principles of due diligence must apply and as custodians of public or private funds, security practitioners should ensure, within their remit, that the organisation’s interests are safeguarded at every stage of the negotiating process.             

A duty of care extends to all parties in the negotiation to guarantee that organisations are not locked in to punitive contracts that only benefit the provider as opposed to the client. The regulations relating to the tendering process are key considerations along with the need for openness and transparency.

Getting it right
The process of due diligence also dictates that the right choice of contractor, hardware, technology products and methods of installation, accompanied by the need to comply with standards, are critical to any project of this nature. They must be the subject of considerable research and scrutiny and all aspects of the work must subscribe to the relevant British Standards. The installation stages are key elements for consideration to ensure the integrity of the product and process. It is important to emphasise that good administration in the collation and retention of all records of communications between all parties to the negotiation, including agreed minutes of meetings, will be essential to the success of any future litigation that may arise from the breakdown or failure of the product or breach of contractual agreement between the parties. In the final analysis, business and professional ethics, accompanied by good management practices, are central to the successful outcome.

Easy monitoring
At the implementation stage each organisation will experience its own problems unique to its environment and core services. In order to maximise the potential from and minimise the monitoring of access control systems, every attempt should be made in the planning stages to identify the best locations and routes to channel staff and visitors. This will assist in auditing and monitoring traffic and any subsequent response and/or investigation in the event of an untoward incident. Within the healthcare environment the problems are both unique and multi-fold. Security practitioners cannot just apply the ‘gated’ or ‘lock down’ approach. Given the physical characteristics of many public sector healthcare institutions, patient treatment areas are often immediately adjacent to locations where strict access control is paramount. This has the potential to inhibit the development of an integrated security access control programme that is easy to monitor.

Looking after lone workers

This feature has particular significance for the lone worker who may be working at locations close to areas where patients and visitors would have legitimate access. In confronting the security risks faced by this group, organisations need to address a variety of issues before adopting or modifying any access control system.
    
Whether such lone working is carried out on an ad hoc or pre-planned basis, security practitioners should collaborate with the relevant departmental managers to identify those locations and members of staff (contract or otherwise) to whom the issue of lone working applies. In addition to any access control system, it may be considered that ideally such areas should be the subject of a zone alarm system covering the periphery but obviously not the specific location where the lone worker is sited. This would alert the lone worker and the security department in the event of any breach by a potential offender or any unplanned visit by a person with legitimate access.
    
Regardless of whether these locations are adjacent to public areas or not, access control systems should be configured to address the need to monitor the lone worker both at the time of entry and up to the time of departure. Alerts can be interfaced with CCTV and the audit element of the programme catering for the last person remaining rule.         
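An added example, not part of the original article: a Python audit of an access control event log for two of the checks described here, the door left open beyond an agreed period and the ‘last person remaining’ rule. The log format, the zone and badge names, and the 30-second limit are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample log (assumed format): timestamp, zone/door, event, badge holder
SAMPLE_LOG = """\
2024-03-01T18:00:00 lab-2 ENTRY alice
2024-03-01T18:05:00 lab-2 ENTRY bob
2024-03-01T18:05:02 lab-2 DOOR_OPEN -
2024-03-01T18:05:10 lab-2 DOOR_CLOSE -
2024-03-01T19:30:00 lab-2 EXIT bob
2024-03-01T19:30:01 lab-2 DOOR_OPEN -
2024-03-01T19:33:30 lab-2 DOOR_CLOSE -
2024-03-01T21:00:00 lab-2 EXIT alice
"""

def parse(log):
    rows = (line.split() for line in log.splitlines())
    return [(datetime.fromisoformat(ts), zone, kind, who) for ts, zone, kind, who in rows]

def lone_worker_periods(events):
    """Intervals in which exactly one badge holder was inside a zone."""
    inside, alone_since, periods = {}, {}, []
    for ts, zone, kind, who in events:
        if kind not in ("ENTRY", "EXIT"):
            continue
        people = inside.setdefault(zone, set())
        if len(people) == 1:  # close the running lone period before applying the event
            periods.append((zone, next(iter(people)), alone_since.pop(zone), ts))
        if kind == "ENTRY":
            people.add(who)
        else:
            people.discard(who)
        if len(people) == 1:  # first person in, or one person left behind
            alone_since[zone] = ts
    # Still alone when the log ends: open-ended period (end time None)
    periods += [(z, next(iter(inside[z])), t, None) for z, t in alone_since.items()]
    return periods

def held_open(events, limit=timedelta(seconds=30)):
    """Doors that stayed open longer than the agreed period (limit is an assumption)."""
    opened, breaches = {}, []
    for ts, door, kind, _ in events:
        if kind == "DOOR_OPEN":
            opened.setdefault(door, ts)
        elif kind == "DOOR_CLOSE" and door in opened:
            start = opened.pop(door)
            if ts - start > limit:
                breaches.append((door, start, ts - start))
    return breaches
```

This is an after-the-fact audit: a live door alarm would fire once the limit elapses rather than when the door closes, and a tailgated entry with no badge read would not appear in the occupancy count.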
    
At the point of exit from any workplace, signage should be displayed posing the question, ‘Are you leaving anyone on their own?’ Ultimately, if, for whatever reason, such areas cannot be effectively secured, then good practice would suggest that the lone worker should be provided with a personal electronic alarm in keeping with the latest technology and interfaced with the access control system. The other alternative is that the risk to the lone worker should be removed by relocating them, either on a temporary or permanent basis, to a more secure location that provides the opportunity for both formal and informal surveillance techniques.
    
In conclusion, it must follow that an effective security system cannot rely on technology alone but must be complemented by a process of ongoing observations and systems evaluation as part of a comprehensive corporate security strategy linked with robust policies. No one organisation can claim that their standards of security are excellent. We have more to achieve and the sharing of experiences relating to incidents, products, contractors and methodologies will support the development of best practice.

Sources:
Manunta, G. and Manunta, R. (2006) ‘Theorizing About Security’ in M. Gill (Ed), The Handbook of Security. London: Palgrave Macmillan

Schneider, R.H. (2006) ‘Contributions of Environmental Studies to Security’ in M. Gill (Ed), The Handbook of Security. London: Palgrave Macmillan

For more information: www.imperial.nhs.uk


This story was first published in digitalhealth.net
