How To Establish And Maintain An Effective Physical Access Control Policy

By Jeroen van Dormolen, October 17, 2022 (updated December 9, 2022)

It has been well established that physical security is essential for ensuring business continuity and that an access control system is a key part of establishing a secure working environment. Throughout the past few years, having experienced the challenges of a global pandemic, many of us have already witnessed first-hand just how important it is to manage and limit the flow of people entering and exiting business sites.

When considering security and control management, it’s important to assess whether a detailed, documented physical access control policy has been established. It’s equally important to know how often it is updated: a policy that is not proactively maintained loses its effectiveness.

1. So, what is a physical access control policy?

As the name suggests, this is a document that outlines who has access to which locations in your organisation (such as sites, buildings and secure rooms) and under what circumstances. It also describes how these access rights must be managed.

A physical access control policy is typically used in conjunction with technology, such as a physical access control system and a visitor management system. The access control model you select will determine some of the crucial details in your access control policy.

2. Why are physical access control policies so important?

To create a safe, secure environment, you need to address all three elements of the security triangle – system, procedures, and people. In an ideal scenario, you’ve selected an effective access control system, with the right people within your security team and effective training.

A physical access control policy oversees the third element of the triangle by ensuring people know the procedures they need to follow when using your system(s). This is crucial. Even the very best access control technology does not negate risks if people aren’t clear on how they must use it. Research has suggested that between 80-90% of workplace accidents are caused by human error, so eliminating human error from your security through effective training is key.

It’s important to remember that physical security isn’t just about protecting people, places and physical assets – it helps protect digital assets too. This is a key consideration because as soon as people have access to your physical locations, they can easily access your network, files, data, and intellectual property.

With all this in mind, it’s clear why we should look at access control policies as one piece of the bigger puzzle of an organisation’s whole security strategy. It is, however, a key piece that requires the collaboration of multiple stakeholders and management organisation.

3. What should be included in a policy?

Each physical access control policy is different, but most include sections such as the ones described below. For a real-world example, take a look at the access control policy published by the University of South Alabama.

Purpose

This explains and outlines the goals of your physical access control policy. Fundamentally, the objective is to manage access to physical spaces, but the reasons for controlling access will be specific to you. You might, for example, want to prevent events that could affect your business continuity, such as theft of stock, damage to your equipment or entry to hazardous sites.

Whatever your goals, it’s important to spell them out clearly, so people understand the broader potential consequences of not following your access control policy.

Scope

If people aren’t sure of your policy’s scope, they may assume they don’t need to follow it. This section should be specific regarding who the physical access control policy applies to – for example, employees, visitors, contractors and customers – and which locations it relates to. It might, for example, cover headquarters, factories, warehouses and retail outlets. The most robust policies are specific and leave little room for interpretation.

Responsibilities

Outline who is responsible for what in relation to your access control policy. Delegate writing and planning to one team, with another team responsible for implementing it. One person might maintain your access control system while another manages the security team that uses it.

Never give a single individual full responsibility for your access control policy. Sharing the responsibility guards against one person’s human error and against breaches of the policy, whether intentional or not.

Policies & procedures

This part explains the individual policies and procedures that combine to create your overall physical access control policy.

You might want to describe, for example:

– How authorisations for employees, visitors and contractors should be set up and managed.

– Who is and isn’t allowed into certain locations.

– What types of identification are needed to gain access to each area.

Audit controls & management

To verify that your access control policy is being followed, you’ll need to run regular audits. This section should detail this audit process.

To remain effective, your access control policy will also need ongoing management and updating. So, include the details of how this will be done in this section.

Enforcement

Sometimes entitled ‘Adherence’, this section explains the sanctions people will receive if they don’t follow your access control policy. Some people need a deterrent to prevent them from cutting corners or overriding policies, so it is important to be clear on the consequences for them personally if they break the rules.

It’s also important to provide regular training on the details included in your access control policy.

Policy version history

Your access control policy is a living document that’s reviewed after each risk assessment. You should always review and assess your current policy if and when there are significant changes in your company.

Recording each revision in the policy’s version history helps you keep track of changes, and it also reinforces that this is an important document that people can trust and must follow.

4. Best practices for building your access control policy

Involve the right people when you’re doing the groundwork for your physical access control policy, and again when ensuring that it’s adhered to: people who truly understand your access control needs and risks. For example, include people from your security management, facilities management and IT teams, as well as other stakeholders such as senior directors.

Remember to complete this groundwork before you begin writing your physical access control policy.

Thinkcurity recommends focusing on four key components when beginning to build your access control policy: access groups, compliance, training and implementation. It helps to keep things simple, as this removes ambiguity and complexity.

Once your access control policy goes live, make sure it remains a living document that remains up to date, functional and easily implemented. This helps with maintaining security as your company grows, changes or adapts to market conditions.

Jeroen van Dormolen

As Nedap Security Management’s Head of Enterprise Professional Services, Jeroen van Dormolen is an experienced leader and seasoned program manager within the security software industry. Jeroen has spent the last 10 years working closely with security leaders around the world to bring positive change to multinational companies in their pursuit of secure technology. He’s passionate about translating organisational needs into tailored solutions, and his mantra remains, “The only constant factor in security is change.”
