A well planned access control project provides appropriate protection at a reasonable cost with minimum disruption. And if it's poorly run? Expect cost overruns, permitting delays, and a very, very annoyed workforce. An experienced system designer's guide to avoiding common access control errors. This primer provides fundamental information on the planning, implementation, and ongoing management of physical access control systems. Looking especially at the full cycle of implementation from the end-user’s standpoint, the article highlights important and often unforeseen issues that frequently accompany access control projects. Planning for these common issues frequently translates into saved time, resources, and investment, whereas a lack of awareness can lead cost overruns, lost time, and ultimately an unreliable system.Access control projects should occur in four stages:PlanningProcurement Project ManagementTraining and Ongoing System Management Stage One: Planning Here are the aspects of planning that project planners and end-users often overlook.To begin the planning stage start by asking the fundamental question:HIPAA, SOX, FIPS-201 or numerous others? Or did your organization recently have an incident that an access control system may have prevented?“What am I looking to accomplish with this system?”Are you a security manager looking to protect your facility from intruders? Or a human resources manager looking to integrate your time and attendance system with access control? Or looking to achieve regulatory compliance with Security projects are frequently reactive. I receive many calls from businesses seeking to implement security systems resulting from a singular and isolated incident. Before making the final decision to implement access control be sure you have weighed the cost/benefits ratio for your organization. Seeking solutions that employ access control requires significant resource coordination. A properly planned and implemented access control system can significantly mitigate risk and potentially improve efficiencies to the bottom line—unless the system is either overkill or insufficient for the specific needs it is intended to address. Planning Stage Project Improvement Questions and Considerations:1. Who will oversee the project in all of its phases? Access control project require coordinated efforts of numerous individuals and departments. An individual knowledgeable about your facility layout will play a critical role. This person will need to conduct walk-throughs with the access control system integrator and should be familiar with your fire alarm system, electrical systems and general building systems. In specialized environments, other individuals must also take part in the walkthrough, such as building management personnel in leased environments or the Human Resources department when integration with time and attendance systems is on tap. A missed walkthrough by a crucial individual or department can easily cost weeks of time to reschedule. Trying to delegate out the necessary walk-throughs, interactions with contractors, contract negotiations, project oversight, and planning is a frequent and big mistake. Even in small office environments, access control projects will touch many departments and systems: building/facilities, the fire alarm system, various contractors, human resources and a host of other examples. These aspects of the project should be handled by an individual or by a coordinated team if practical. Poor project oversight will result in misinformation and wasted time.2. Who will need to be involved? Note: For key employees, involvement will extend through the later stages of the project. Understanding and communicating these requirements now will help set their expectations and will help you schedule necessary meetings, inspections and sign-offs down the road.3. One crucial party often overlooked is the organization’s information technology department. All access control systems reside at minimum on a PC, and almost always transmit data across the network, even in smaller environments. Consult with the IT group during the planning stage and schedule their involvement during the later system implementation phase.4. The fire alarm system is oftentimes particularly challenging to successful access control implementations. Building codes from the National Fire Prevention Association such as NFPA 72 and NFPA 101 Life Safety Code must be consulted during the planning stages of an access control project. These codes often (but not always) require that an access control system be connected to the Fire Alarm Control Panel (FACP). From the planning perspective this FACP connection is frequently a major issue. If your FACP is leased, part of a larger building fire alarm system, a proprietary system, or otherwise “locked”, you will need to coordinate the unlocking of this panel with whichever 3rd party has ownership of that system. Your local AHJ (Authority Having Jurisdiction) has the final say on your access control system. Normally the role of AHJ is designated by the fire alarm department serving your facility. Other jurisdictions may have a Codes Department official designated to perform the role of AHJ. Be sure that your security contractors have experience working with this individual. As permits are often required for low-voltage work be sure to coordinate with your contractor on who will pull the permits. It is crucial to have these pulled well before your installation kicks off. Be sure to continually monitor the permit process; I have seen numerous job hold-ups due to the contracting party or contractor not performing due diligence on the permit process. Lastly, know that fire alarm codes are a highly organic subject matter. While the codes are vigorous and detailed, systems, buildings, code interpretations and AHJ’s will influence the installation of your system. This knowledge is especially helpful if you are managing a diverse array of facilities. Be sure local project managers have a firm grasp of the above issues.5. Do you have enough copies of your blueprints? Blueprints are oftentimes the bane of an access control project. Have your facility blueprints available in duplicate copies, enough for all your bidders and other parties to work with. Blueprints usually take a long time to obtain and typically need to be sent out to a third party capable for quality copies. Without blueprints your contractors will be making pencil sketches of your facility, you won’t have anything formal to submit (if required) to the AHJ, and you willnot have an accurate layout of your system for future use. 6. Who will manage the access control database (and how)? In the planning stage you should put together your list of employees who will need access to the facility. You should give particular thought to the organizing of this database. Almost all access control systems will have a very granular ability to manage your employees’ ability to pass through the various controlled doors in your facility. It is practical to set up employees’ facility access in accordance with their schedules, and also take holidays into account. Whatever schedules your facility operates under should be taken into account. Also consider temporary employees, janitorial services, and any other non-employees who may need access to your facility. Having as much detail as you can available during the planning stage will save significant time later when you program the system. If you are switching to a new access control system, be sure to save the databases in existing systems for the transition. Some contractors may even program your database prior to installation; this can be a major time saver! Why not have your cards and users programmed in and ready the system to go online as soon as it’s powered up?Stage Two: Procurement By now you should have assigned all key personnel attached to the project, consulted with the relevant building codes mentioned above, obtained and made copies of your blueprints.Now you are ready to begin making contact with access control vendors.Good vendors are hard to find. There are security companies of every size and scale, from global to local, available to install your access control system. Though most all of them are capable of installing your system, honing in on the “right” one is more difficult. Procurement Stage Pointers and Questions:1. A good starting point is to obtain quotations from at least three vendors.2. I also encourage you to set up an initial walkthrough inclusive of all your potential vendors. By doing this you’ll be more likely to get quotations from your vendors with minimum differences. Comparing disparate scopes of work is confusing and not usually viable from a financial analysis standpoint. Differing equipment, software features, and system interpretations by vendors can quickly dismantle the ability to compare your quotations. Try to find three vendors who can provide quotations on the same system. By standardizing on a particular system you’ll eliminate much of the difficulty of analyzing the hardware aspect of your bid.3. In deciding on a standard system, you should consider whether you want to select from an open-architecture platform, or a proprietary system. This is especially relevant if you plan to use a single platform to manage multiple facilities. Certain geographical areas may not have suitable support for a proprietary system. This is another good time to liaison with your IT personnel, who may need a system that can operate under varying network architectures. Here are some other helpful vendor qualifying questions you can ask during the procurement stage:A. How many access control projects similar in scope and size have you completed in the past year? Can you provide references from these clients?B. Is your system proprietary (meaning it can only be installed and maintained by certified individuals), or open-architecture (usually interchangeable between companies, and between a wider variety of devices and platforms?) C. If we signed a contract today for the installation of the access control system, how long will it be until you can begin the installation? — Companies can often have backlogs extending for 6-8 weeks, or have to order parts which can create an equally long wait time for installation. Look for a vendor who will commit to a specific installation date, and take note of how long it takes vendors to respond to this request.D. Does the vendor have a guaranteed service response time in the event of a problem with the system? (24-hour or same day is ideal). Also, ask whether you’ll be calling a local representative or a corporate call center environment for service requests and other inquiries. Will your local representative be available for help after the system goes online? How long has he or she worked for the company? Take note how long it takes you to receive responses to phone and email messages from your potential vendors. If they are slow during the sales phase, they’re likely to be slow when it comes to service.E. What are the financing options? Look for a company that offers purchase, rental, and third party lease options. Specify that you want all three options presented in your quotations. Involve your organization’s finance individuals during procurement. Tax implications, setting up net payment arrangements, depreciation of equipment, and contract reviews are all important financial aspects of the access control system that need to be accounted for during the procurement stage. Once a final vendor is selected, be sure to take the time to set up interaction between your finance department and the vendor’s billing issues frequently eat up time and make everyone unhappy, but can often be avoided with a few minutes of due diligence during the planning stage.F. Be sure to ask your vendors for a maintenance agreement quotation. Generally, maintenance agreements cover the loss of equipment due to general failure. Be sure to ask what the manufacturer’s warranty is for all the equipment being installed. Some manufacturers offer one- to three-year warranties on their equipment—but systems integrators may or may not honor those warranties. Be sure to get it in writing! Look for a company that honors or exceeds the manufacturer’s warranty, and ideally covers both the materials and the time a technician spends at your site. Ask the vendor to provide an hourly maintenance price as well. If your manufacturer’s warranty is for several years it may be financially advantageous to pay the integrator by the individual service call, rather than via a recurring maintenance fee. Stage Three: Project Management The procurement phase (if you handle it correctly) ends when you have signed an agreement with a vendor. Now you are ready to start project management of the installation process. You should have a project schedule in place, making sure to send it to the necessary individuals in your organization (most of whom you already involved in the planning stage). It’s a good idea to prepare all employees for the presence of installation technicians, as they will likely be running cabling throughout your facility, using power tools, and otherwise marking a definite presence in your building. Cutting door strikes and mounting access control hardware often requires that doors and areas of your facility will be out of use for significant time periods. Keep close contact with the lead technician on the job, as he or she will best know the daily work schedule and can help you to prepare whichever employees and work spaces will be affected during the installation process. Here are some other pointers that will help you successfully oversee your access control installation:1. This is a good time to again check on the required permits for your system. Also, if inspections of the final system are required, be sure that the appropriate parties will attend scheduling inspections between employees, contractors, and inspectors can be difficult and can result in failed inspections and loss of time. Calling everyone on the day of the inspection is a good idea. It may seem like overkill, but these meetings get missed far too often to risk another round of scheduling.2. Be sure to have a well documented project schedule that is followed by your installing contractor. Many contractors will take it for granted that they can pull off of your job if they have a more pressing issue, or are waiting for a part to come in. Unless you are flexible with your installation schedule be sure to be very specific about a project schedule. 3. If your facility or company requires specific conditions for contractors to perform work, be sure to take these into account. Many facilities have long training procedures, clothing requirements such as hard hats, goggles, steel-toed boots and numerous others. I have seen many job kickoffs go immediately south when the installation crew showed up on site and was informed they were non-compliant in one of the above requirements.4. Check again on the status of the access control database — Be sure that you liaison with the contractor well before the installation is completed to make sure you have gathered the information you need to successfully program the system.5. Be proactive when it comes to unexpected changes in the installation process. As a security system designer, I know that if I can account for every part and labor unit of an individual job and reduce my margin of error between estimated job cost and final cost to 1% that I am an excellent planner. As I’ve mentioned throughout, Access Control projects and buildings are organic. Be prepared in your budget and internal processes for the possibility of additional job expenses. If something comes up in the middle of an installation and you need five days to work out getting a Job Rider processed, you may lose five days of productivity and be forced to pull the installation team off the job. Have your contractor provide you with a blank and voided Rider so your appropriate finance and legal individuals can review it, and quickly approve one if needed.Stage Four: Training and Ongoing System Management Your system installation is usually defined as complete when the access control database has been programmed, and you have signed off on the system, certifying it as complete. During this time you will be programming the system and putting it into daily use. Some pointers to help ensure your access control system is setup for reliable and productive use: 1. If possible, start your training by participating in the initial programming of the access control database. Often I see end-users skip this opportunity. You’ll have a much stronger familiarity with your access control software if you help build the database. Remember, access control software is sophisticated, even if you have only a handful of employees you’re still going to use numerous functions, and have to update the software as employees, schedules, and other events take place. 2. Put in place a database management plan. If you are going to have access control, use it! Take the time to learn to archive your data. Most access control programs can offload their event history to various remote media. Having an accurate and granular audit trail of the events your access system records adds resilience to your organization. 3. Assign a competent employee to manage the access control software. Don’t make the mistake of thinking that access control systems run themselves once they are online. While this is true to a certain degree, your system will need a significant amount of almost daily interaction. Issuing cards to new employees, possibly badging them, adding and deleting users, changing schedules and software glitches are all frequent occurrences. Try to select an employee who is reliable, computer savvy, and ideally knows the physical aspects of the system.4. Get a dedicated computer. If you are planning on pulling that computer out of the closet to run your access control software, you might be unhappy with the results. A computer that meets the minimum specifications of your access control software may still function poorly. While it will seem overpriced, most access control platforms offer preconfigured computers. The advantage of preconfigured systems is that the computer’s operating system is set-up in an ideal state for the access control software to properly function. Also, the physical parts of the system are usually uniform, so repair and replacement is more reliable. And finally, a preconfigured system allows the installing company to preload your ACDB, as mentioned above. Utilizing the pointers and questions of the above access control project stages will enable you to minimize many common issues, reducing project time and cost. Thinking about and planning for the often unexpected aspects of implementing an access control system benefits your organization directly to the bottom line, maximizing the return on your security investment and increasing resiliency, protecting your employees, data, and assets. ##Jason Cowling has designed and implemented converged security systems for a wide variety of government and private-sector organizations, and has designed enterprise-level access control systems, biometrics, Matrixed CCTV systems, video servers and video analytics, burglar alarm, fire alarm, barrier gates, turnstiles, metal detection, safes and vaults, and building management systems. Send feedback to Editor Derek Slater at dslater@cxo.com. Related content news UK Cyber Security Council CEO reflects on a year of progress Professor Simon Hepburn sits down with broadcaster ITN to discuss Council’s work around cybersecurity professional standards, careers and learning, and outreach and diversity. By Michael Hill Sep 27, 2023 3 mins Government Government Government news FIDO Alliance certifies security of edge nodes, IoT devices Certification demonstrates that products are at low risk of cyberthreats and will interoperate securely. By Michael Hill Sep 27, 2023 3 mins Certifications Internet Security Security Hardware news analysis Web app, API attacks surge as cybercriminals target financial services The financial services sector has also experienced an increase in Layer 3 and Layer 4 DDoS attacks. By Michael Hill Sep 27, 2023 6 mins Financial Services Industry Cyberattacks Application Security news Immersive Labs adds custom 'workforce exercising' for each organizational role With the new workforce exercising capability, CISOs will be able to see each role’s cybersecurity readiness, risk areas, and exercise progress. By Shweta Sharma Sep 27, 2023 3 mins Security Software Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe