Access control can mean ten different things to ten different people. It can be as simple as a keypad unlocking a door, and it can be scaled up to an enterprise application with multiple sites and integration into different systems. If we talk in general, however, there are a few things that are commonly associated with access control.
Some forms of credentials are commonly part of an access control system. These can be cards, fobs, or even biometrics – handprint or fingerprint readers. These days a credential can even be your mobile device, where you present your phone and use a barcode to gain entry. Then there are the readers that receive the credentials and pass that information on.
There is technology around what you’re trying to gain access to. Locks, gates, turnstiles and so on. But also, in the case of a more advanced system, we could be trying to gain access to a piece of machinery or a logical system.
Then there are things that we don’t typically think of when discussing access control. Other kinds of inputs to tell the system how to behave. Request to exit buttons or bars to get out of a door. The connection between a fire alarm system and the access system to enable special door release during a fire event. These behind-the-scenes triggers are very much a part of access control.
Finally, all of this technology needs to be tied back to controllers, and those controllers need to be managed either through a piece of software or a cloud application or hosted cloud service. This ties the system together to control the system so it works the way you want.
The Many Layers of Access Control Systems
If we start at the basics, the way most people get introduced to access control systems is to be issued a card (or some other credential). Being able to present the card and go through a door at any time provides value and convenience. It also reduces the need for a locksmith to come and rekey a door when someone leaves.
As you move deeper into the building, access control can be used to restrict the movement of authorized users as well. It’s not just about keeping unknown people out. You might want the engineering department to only be accessible to engineers. You may wish for an IT closet to be off-limits to all but members of the IT team.
Then you can start to look at ways to further regulate access. Schedules for example – with an access system you can define which employees work which days, what time they’re allowed in, and you can restrict their movement. You can restrict the access of lower-level employees during emergencies. Say there is a snow emergency – an access control system can restrict employees from entering the building whether they’ve been informed it’s unsafe or not.
Since you don’t need to worry about keys being shared and you have individual credentials for each employee, you can use the access control system for audit trails. You can run reports and see who accessed your facility over the weekend, or who was there at an unusual time of day. This can be extremely helpful after an incident when doing an investigation. It can also be helpful just to make sure people are coming and going as you expect, they aren’t sharing cards, etc. That’s impossible to do with a traditional keying system.
What if you have multiple facilities? Access control systems allow you to grant someone credentials that give them access to facilities across the country or across the world. This reduces the headache of individually granting access on a facility-by-facility basis. Similarly, if you have a temporary employee such as a contractor, consultant, auditor, or delivery driver, you can make them a temporary user. You can allow them access facilities at certain times on certain days and then schedule the credential to expire at a given time.
You can also integrate with other building systems. Tying access control to an HR system makes new employee acquisitions seamless. It also makes deactivation of terminated employees automatic as well. Instead of the manual data entry process you’re automating it and streamlining the process. You can also tie the same access control card into computer systems so that an employee gains access to his or her desktop using the same credential that gave them access to the building. The limit is really your imagination with how integrated access control systems can become.
Convincing Your Organization to Invest in Access Control
The key to justifying the purchase of access control technology is determining your scope. It sounds much simpler than it actually is. Every business is different. The systems that are available are very different. They range from one-time cost and maintenance systems to systems with annual licensing fees, maintenance agreements, and cloud components.
Most access control systems are designed with specific business needs in mind. They need to be able to be justified so key stakeholders can write a check. When each feature is tied to a specific need you can map readily to the department getting the benefit and build your business case around that.
The danger for many organizations comes with under-specification. Often organizations will decide they only need simple standalone system. Then, down the line as the organization grows, they decide they want more features. Card access that can tie into other systems, or more advanced entry control. However, the simplistic system they first installed doesn’t integrate, and so the company is left starting over from scratch. You need to keep your future growth potential in mind.
The perception of the security needs for a facility can vary. Just because you haven’t had an incident doesn’t mean you won’t. Access control is a way to improve overall security. While it’s difficult to build ROI around physical security, as it’s a subjective subject, you need to use your own risk assessments to convince stakeholders to invest. If your company manufactures narcotics you’ll need more security and the risk of an incident is far greater.
There is still hard-dollar ROI value in access control, however. Eliminating the need to change locks or create new keys ever again. Automation coming from the integration with building systems. Reduction in the time to check people in and out of a building. If you can eliminate or reduce the need for paid employees to carry out these processes then access control has a clear ROI.
You can also integrate access control systems with things like utilities. Take HVAC for example. An advanced system can understand to shut down systems in parts of the building that aren’t occupied. Meeting rooms can have the lights shut off until someone accesses the space. In these ways you’re cutting out costs as a direct result of your access control system.
Writing an Access Control RFP
Before you write an access control RFP, you need to figure out the complexity of your needs. Are your needs general enough that you need to lean on potential partners to choose the technology and build the system that will meet them? Are your needs so complex that you need to make those decisions beforehand and spell them out in the RFP?
You can build a functional specification and take it to RFP for what you want to accomplish, but you don’t want to have four or five option on the table that fit your needs if you’re trying to make sure your system is compatible with existing facilities or you’ve got a specific sense of what you want to accomplish. If you’ve built the specification you should have an idea of one or two platforms that you will accept. Restrict your RFP to those platforms. When you get to the more advanced systems you want to be sure who you’re dealing with.
However, if you just need to limit access on a set of gates to a single facility, you can be more general. It won’t be tying into other systems, it will be used on a single site, and by the time it breaks down you’ll want to start over anyway. This is when you can lean on the installer for advice and recommendations.
In any case, you want expert help from the beginning. Unless the person writing the RFP is an expert, you want to make sure you’ve engaged an expert to talk through your risk profile, understand best practices, and learn how you can apply technology in your space. There can be nuance and creativity in your access control system.
In any case, especially for new construction, you want to engage way in advance of an RFP. You’ll want consult your architects to ensure that you’re choosing the correct lock mechanism for the type of glass, wood, or metal doorways you’ll have. Keep in mind as well that you need to include needs for emergency situations. You can never impede a person’s ability to get out of the building. There are disabilities and regulations to consider. While anyone providing these services will be cognizant of that, it’s always a plus to include it in the RFP.
What you should expect is for potential partners to come back with their own needs. They may need to consult with the electrical contractor and fire systems contractor to ensure proper release. If everyone gets the project started without submitting to the fire department to show what they’re doing there will be problems. Make sure you dictate in the RFP exactly who will have master responsibility for tasks such as this.
Make sure to include the blueprints and schematics for your building. They’ll expect a complete set. They’ll need to know exactly what type of doors have been specified. Include which products you’ve decided you want, and where the provider has flexibility to recommend products. Include the types of products you want, and how much flexibility the provider has to recommend. If you want magnetic locks, say so. If you want a specific control software, say so. Let them know how many users you have, how many entrances you have, etc.
The conversations should occur with a consultant early in the planning process for large projects. In this case, include all of the information that you can about the doors, the way wires will be laid out, the way you want the system integrated into existing systems, etc. If the installer doesn’t have all the details they may bid based on worst case scenario and you’ll be paying too much. If they understand the scope, then they can ask for minor adjustments that will make their jobs easier and your budget smaller. For smaller projects, include as much information as you can.
Information provided by Steve White of Vector Security. Learn more about access control technology from Steve White’s interview on My TechDecisions Podcast.