We know already that physical security is essential for business continuity, and that an access control system is key to ensuring a secure working environment. Living through a global pandemic these last few years, many of us have already witnessed first-hand just how important it is to manage the flow of people coming in and out of our business sites.
But do you also have a detailed, documented physical access control policy? And how often is it updated?
“Organizations planning to implement an access control system should consider three abstractions: access control policies, models, and mechanisms.” — The National Institute of Standards and Technology (NIST)
1. So, what is a physical access control policy?
It’s a document setting out who has access to which locations in your organisation (such as sites, buildings and rooms), and under what circumstances. It also describes how these access rights must be managed.
Typically, it’s used in conjunction with technology, such as a physical access control system and a visitor management system. And the access control model you follow will determine some of the important detail in your access control policy.
Jeroen van Dormolen, Service Owner – Enterprise Professional Services, at Nedap Security Management has this to share about key touchpoints in communication: “As part of the implementation process, we ask organisations how they foresee their access control management. And then it’s an iterative process to make sure their expectations and actual use cases are aligned.”
2. Why do you need a physical access control policy?
To create a safe, secure environment, you need to address all three elements of the security triangle – system, procedures, and humans. Hopefully, you’ve chosen a good access control system like AEOS, and you’ve appointed the right people to your security team and trained them well.
A physical access control policy takes care of the procedures element of the triangle by ensuring people know the steps to follow when using your system(s). This is crucial: even with the very best access control technology, your risk increases if people aren’t clear on how they must use it.
Also, remember that physical security isn’t just about protecting people, places and physical assets – it helps protect digital assets too. Because, once people have access to your physical locations, it’s easier for them to access your network, files, data, intellectual property and more.
As Linda Howson, Research and Development Engineer – Future Security Solutions, at Nedap Security Management explains, “An access control policy is just one piece of an organisation’s security strategy. Many aspects from the strategy may be used as input to create or modify the access control policy, such as risk assessments, vulnerability assessments, site surveys, and the collation and analysis of security metrics.”
Indeed, we should look at the access control policy as one piece of the bigger puzzle of an organisation’s whole security strategy. It is, however, a key piece, and one that requires collaboration between many stakeholders and management.
3. What should you include in your policy?
Every physical access control policy is different, but they often include sections such as the ones described below. (For a real-life example, see this access control policy from the University of South Alabama.)
Purpose
This explains the goals of your physical access control policy. Although the fundamental objective is to manage access to physical spaces, the reasons why you want to control access will be specific to you. You might, for example, want to prevent theft of stock, damage to your equipment or entry to hazardous sites – all of which could affect your business continuity in various ways.
Whatever your goals, spell them out clearly, so people understand the broader potential consequences of not following your access control policy.
Scope
If people aren’t sure of your policy’s scope, they may assume they don’t need to follow it. This section should specify who your physical access control policy applies to – for example, employees, visitors, contractors and customers – and which locations it relates to. It might, for example, cover headquarters, factories, warehouses and retail outlets.
Roles & responsibilities
Set out here who’s responsible for what in relation to your access control policy. One team might be responsible for writing and updating it, while another’s responsible for implementing it. One person might maintain your access control system while another manages the security team using it.
Never give one person full responsibility for your access control policy. Separating duties (for example, the person who grants authorisations should not also be the one who audits them) means nobody is in a position to change or break the rules alone, whether intentionally or not.
Policies & procedures
This is where the detail is included to explain the individual policies and procedures that combine to create your overall physical access control policy.
You might want to describe, for example:
– How authorisations for employees, visitors and contractors should be set up and managed.
– Who is and isn’t allowed into certain locations.
– What types of identification are needed to gain access to each area.
“A solid access control policy should have clear classifications of who has access to what and where, and some form of a zoning model. The zoning model should prescribe what it means to go from one zone to another.”— Jeroen van Dormolen, Service Owner – Enterprise Professional Services, at Nedap Security Management
Audit controls & management
To check your access control policy is being followed, you’ll need to run regular audits. This section should describe when and how these audits will take place.
Your access control policy will also need ongoing management and updating to ensure it remains effective. So include the detail of how you’ll do that here.
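One way to make the zoning model and the “who has access to what and where” classification concrete, and to use them for the audits described above, is to encode them and replay the door-controller log against them. The following Python is an added illustration written for this article, not Nedap or AEOS code; the zone layout, access groups, credentials and the log events are constructed assumptions. It goes slightly beyond the text by also flagging sequence breaks (a holder leaving a zone they were never recorded entering), which is what an audit typically catches as tailgating.

```python
"""Zoning-model policy check and access-log audit.

Added illustration for this article, not Nedap or AEOS code. Zone layout,
access groups, credentials and log events are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, FrozenSet, List, Optional, Tuple

# Zoning model: which zones are physically adjacent. A request is only
# meaningful for a transition between adjacent zones.
ZONE_GRAPH: Dict[str, FrozenSet[str]] = {
    "outside": frozenset({"lobby"}),
    "lobby": frozenset({"outside", "office"}),
    "office": frozenset({"lobby", "server_room"}),
    "server_room": frozenset({"office"}),
}
# Zones an escort-required holder (e.g. a visitor) may only enter escorted.
ESCORT_ZONES = frozenset({"office", "server_room"})


@dataclass(frozen=True)
class AccessGroup:
    zones: FrozenSet[str]                 # zones the group may enter
    window: Optional[Tuple[time, time]]   # permitted local-time window; None = any time


# The policy's "who has access to what and where" classification (assumed).
ACCESS_GROUPS: Dict[str, AccessGroup] = {
    "staff": AccessGroup(frozenset({"lobby", "office"}), (time(7, 0), time(20, 0))),
    "it_ops": AccessGroup(frozenset({"lobby", "office", "server_room"}), None),
    "visitor": AccessGroup(frozenset({"lobby", "office"}), (time(8, 0), time(18, 0))),
}


@dataclass(frozen=True)
class Credential:
    holder: str
    groups: FrozenSet[str]
    valid_until: datetime
    escort_required: bool = False


def evaluate(cred: Credential, from_zone: str, to_zone: str,
             at: datetime, escorted: bool = False) -> Tuple[bool, str]:
    """Decide one zone transition under the policy. Returns (allowed, reason)."""
    if to_zone not in ZONE_GRAPH.get(from_zone, frozenset()):
        return False, f"{from_zone}->{to_zone} is not a transition in the zoning model"
    if to_zone == "outside":
        return True, "egress is always permitted"   # never lock people in
    if at > cred.valid_until:
        return False, "credential expired"
    if cred.escort_required and to_zone in ESCORT_ZONES and not escorted:
        return False, "escort required"
    for name in sorted(cred.groups):
        grp = ACCESS_GROUPS[name]
        if to_zone not in grp.zones:
            continue
        if grp.window is None or grp.window[0] <= at.time() <= grp.window[1]:
            return True, f"granted via group {name}"
    return False, "no group grants this zone at this time"


# One controller event: (timestamp, holder, from_zone, to_zone, result, escorted)
Event = Tuple[datetime, str, str, str, str, bool]


def audit(credentials: Dict[str, Credential],
          events: List[Event]) -> List[Tuple[datetime, str, str]]:
    """Replay controller events against the policy and report discrepancies:
    grants the policy would deny (misconfigured reader or policy drift), and
    sequence breaks (holder leaves a zone they were never granted into)."""
    findings = []
    last_zone: Dict[str, str] = {}   # holder -> last zone they were granted into
    for at, holder, from_zone, to_zone, result, escorted in events:
        allowed, reason = evaluate(credentials[holder], from_zone, to_zone, at, escorted)
        if result == "granted" and not allowed:
            findings.append((at, holder, f"granted but policy denies: {reason}"))
        prev = last_zone.get(holder, "outside")
        if prev != from_zone:
            findings.append((at, holder, f"sequence break: last seen in {prev}, now leaving {from_zone}"))
        if result == "granted":
            last_zone[holder] = to_zone
    return findings


# Constructed sample data (not real credentials or log lines).
CREDENTIALS = {
    "alice": Credential("alice", frozenset({"staff"}), datetime(2025, 12, 31)),
    "bob": Credential("bob", frozenset({"it_ops"}), datetime(2025, 12, 31)),
    "vic": Credential("vic", frozenset({"visitor"}), datetime(2025, 6, 30), escort_required=True),
}
SAMPLE_EVENTS: List[Event] = [
    (datetime(2025, 3, 3, 8, 5), "alice", "outside", "lobby", "granted", False),
    (datetime(2025, 3, 3, 8, 6), "alice", "lobby", "office", "granted", False),
    (datetime(2025, 3, 3, 8, 30), "bob", "outside", "lobby", "granted", False),
    (datetime(2025, 3, 3, 8, 31), "bob", "lobby", "office", "granted", False),
    (datetime(2025, 3, 3, 8, 32), "bob", "office", "server_room", "granted", False),
    # the server-room reader let alice in, but the staff group does not cover that zone
    (datetime(2025, 3, 3, 9, 0), "alice", "office", "server_room", "granted", False),
    # vic presents at the server-room door with no recorded entry to lobby or office
    (datetime(2025, 3, 3, 9, 10), "vic", "office", "server_room", "denied", False),
]

if __name__ == "__main__":
    for at, holder, note in audit(CREDENTIALS, SAMPLE_EVENTS):
        print(f"{at:%Y-%m-%d %H:%M} {holder}: {note}")
```

Running the audit on the constructed log reports two findings: alice was granted server-room entry that no group she belongs to permits (the deployed reader configuration disagrees with the policy), and vic appeared at an inner door without ever badging through the outer ones. Note that egress is deliberately evaluated before expiry and escort checks, so a policy engine never locks a person in; that is the kind of safety rule the written policy should state explicitly.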
Compliance
Sometimes titled ‘Adherence’, this section explains the sanctions people face if they don’t follow your access control policy. Some people need a deterrent to stop them cutting corners or overriding controls, so be clear about the consequences for them personally if they break the rules.
And, to avoid people forgetting the rules, provide regular training on the details included in your access control policy.
Policy version history
Your access control policy should be a living document that’s reviewed after each risk assessment (ideally twice a year), and whenever there are significant changes in your company.
Include a record of when your policy was audited and updated. You could, for example, include a table such as this:
This not only helps you keep track, it reinforces that this is an important document that people can trust and must follow.
4. Best practices for building your access control policy
Involve the right people when you’re doing the groundwork
When creating your physical access control policy, and ensuring it’s adhered to, involve people who truly understand your access control needs and risks. This might, for example, include people from your security management, facilities management and IT teams, as well as other stakeholders such as senior directors.
Remember, there’s lots of work to do before you begin writing your physical access control policy.
Get the basics right
Thinkcurity recommends focusing on four key components when beginning to build your access control policy: access groups, compliance, training and implementation.
Keep it up to date
Once your access control policy goes live, make sure it stays a living document that remains up to date, functional and easy to implement.
Want to know more about physical access control policies?
We’d love to help, so get in touch.