THE ART OF ACCESS CONTROL By W. Barry Nixon, SPHR Access control is to workplace violence prevention as a fire extinguisher is to preventing a fire. No business that is serious about providing a safe and secure work environment would dare be caught without either. The whole point of effective access control is to keep the bad guys out, or at least give an early alert so help can be called. This sometimes gets lost in the shuffle of “high tech mania” and “let‟s get the latest gadget.” A truly effective access program is based on one part common sense; another part strategic thinking and business strategy alignment; some organizational cultural tinkering; throw in some policies and of course, some technology. Common Sense: As Voltaire once quipped, “common sense is not so common.” Access controls should allow an organization to consciously control access to their facilities, which simply put, means all ways of accessing the facility should be controlled. Most firms tend to do a good job at the obvious places where high volumes of people enter the facility, such as the front door, etc. However, much more attention needs to be given to that door that is propped open in the middle of the day or late at night to let some air in the facility. Trust me; it is not only your employees who know that this is an easy way into your facility.
My company conducts Site Vulnerability or Risk Assessments and a standard part of our assessment is to come to the facility unannounced. In ten years of doing assessments I am still surprised by the high number of facilities that we are able to get into. My favorite one is to come around 10:00 p.m., when the janitorial crew is cleaning up. We often find a door propped open with no one in sight. Easy pickings, I am in.
The point here is that Security personnel need to regularly conduct risk assessments by showing up unannounced and finding what we find – a lot of violations of their security procedures or practices that are contrary to effective access control. Strategic Thinking and Business Alignment: Security and access control need to be aligned with the organization‟s business strategy. For example, if you are a public entity you must have public access to your facility whereas if you are a top secret skunk works operation, you must carefully scrutinize every person‟s entrée through several layers of security.
Organizational Culture:
Security professionals too often focus on creating draconian policies and procedures to direct people‟s behavior when it is well established that a much more powerful way to control behavior is through the creation of an overarching set of principles that are embedded in the culture to create self and peer control. Lou Gerstner, former CEO, IBM, put it best when he said, “I have learned . . .the importance of articulating a set of principles that drive people‟s behavior and actions. And that‟s a much more powerful leadership tool than a bunch of procedures and guidelines.”
An area where this is directly applicable is the concept of creating a security conscious work environment where every employee becomes an extension of the security department because they understand the nature of the issues the firm faces and the impact that their behavior can have. You will never achieve this level of commitment and behavior by creating more and/or better policies.
Policies:
Congratulations! You have just completed the creation of a masterful set of access control policies and procedures. Warning – if your policies are not integrated and in alignment with safety, human resource and of course, legal requirements you have wasted a lot of time.
Also, make sure you work closely with the training folks to bring your policies to the masses in a way that they not only learn what the correct procedures and guidelines are, but more importantly in a way that they will be remembered or easily accessed as a reminder. For a policy to be effective, it must be communicated, understood and followed. It is your job to make sure this happens. Technology: There is no shortage of technology tools to choose from in today‟s security conscious environment. The key is to match the technology to your organization‟s needs and to remember that „form follows function.‟ First, be very clear on the function and outcome you are trying to achieve and then choose technological solutions that fit this. Don‟t be fooled into believing that the technology can drive the business where it needs to go and eventually the business will catch up, as this rarely works.
In the end, an effective access control program is one that is well thought out based on the business realities of the organization; a program that appropriately aligns with the overall business strategy of creating a safe and secure work environment.
About The Author: W. Barry Nixon, SPHR, is the Executive Director, the National Institute for Prevention of Workplace Violence, Inc., a company focused on assisting organizations to effectively implement programs to prevent workplace violence. He is the author of „Background Screening and Investigations: Managing Risk in the Hiring Process,‟ „Zero Tolerance is Not Enough: How to Really Implement Workplace Violence Prevention‟ as well as numerous articles. He is also the creator of the Ultimate Workplace Violence Policymaker Software which makes it easy for companies to create a comprehensive workplace violence prevention policy in about an hour. He is an internationally recognized expert in workplace violence prevention and background screening and was recently recognized as being one of the Most Influential People in Security by Security Magazine. Mr. Nixon also teaches human resource management, organization development and management courses at several local universities. His Web Site is www.Workplaceviolence911.com and he can be reached via email at Barry@wvp911.com