Planning Physical Access Control Projects

In New Developments, internal auditors will find information about the most recent IT and audit research reports and survey results; new IT, security, and privacy legislation; and other news items of importance to auditors.

Planning Physical Access Control Projects

Carefully planned and implemented access control projects can provide organizations with appropriate protection at a reasonable cost and with minimum disruption. Poorly planned access control initiatives, on the other hand, can create cost overruns, work delays, frustrated employees, and an unreliable control system. In an effort to help organizations plan, implement, and better manage their physical access control systems, CSO Online recently published "The Physical Access Control Project Planner," which describes the four stages of effective access control projects — planning, procurement, project management, and training and ongoing system management. Internal auditors can use the practices outlined in the document as part of their reviews of access control systems.

Stage 1: Planning

According to CSO, many project planners and users often overlook key access control issues during the planning phase. One key aspect is determining what the system needs to accomplish. To this end, auditors can recommend the project lead determine:

  • Who will oversee the project in all of its phases.
  • Who needs to be involved in the project.
  • Whether the organization's IT department is part of the project planning team.
  • Who will manage the access control database and how.

Stage 2: Procurement

By this stage, organizations should have assigned all key personnel to the project and should start contacting access control vendors. Though most vendors are capable of installing an access control system, choosing the right one can be challenging. Recommendations and questions to keep in mind when selecting an access control system include:

  • Obtaining quotes from at least three vendors.
  • Setting up an initial walk-through that includes all potential vendors.
  • Considering whether the organization needs an open-architecture platform or a proprietary system.

During the procurement stage, the planning team also needs to work with the IT department to choose a system that operates under different network architectures. Questions to ask vendors at this stage include:

  • How many access control projects similar in scope and size have they completed in the past year?
  • Can they provide references pertaining to these projects?
  • Is their system proprietary (i.e., can it only be installed and maintained by certified individuals) or open-architecture (i.e., systems that are interchangeable between companies and a different devices and platforms)?
  • How long will it take to install the system after the contract is signed?
  • Do they have a guaranteed service response time in the event of a problem with the system?
  • What are the financing options?
  • Are there additional maintenance fees?

Stage 3: Project Management

The procurement phase should end with a signed vendor agreement. If this is the case, organizations are ready to install the access control system. To do so, the planning team should have a project schedule in place and prepare all employees for the presence of installation technicians. Items to keep in mind to successfully oversee the access control installation are:

  • Check on required system permits. If final system inspections are required, the appropriate parties should attend each inspection to avoid rescheduling meetings, which can significantly delay the project.
  • Have a well-documented project schedule that is followed by the installing contractor.
  • Take into account the specific work conditions needed for contractors to perform work.
  • Check again the status of the access control database.
  • Proactively address unexpected changes in the installation process.

Stage 4: Training and Ongoing System Management

Once the system is installed, the access control database is programmed, and the organization has signed off on the system's completion, it is time to program the system and put it into daily use. Pointers to help ensure access control systems are set up for reliable and productive use implementing a database management plan, assigning a competent employee to manage the access control software, and getting a dedicated computer to run the access control software.

"Planning for the often unexpected aspects of implementing an access control system benefits your organization directly to the bottom line, maximizing the return on your security investment and ... protecting your employees, data, and assets," the document says.

To read "The Physical Access Control Project Planner," visit the CSO Web site.