S 1.80 Access control system and authorisation management

Initiation responsibility: Top Management

Implementation responsibility: Building Services Manager, Head of Organisation

Protection against unauthorised access to a building, to parts of a building with protection requirements, or to rooms often serves several protection objectives. It is intended not only to protect the property of the institution and of its employees, but also to ensure protection at work, protection of know-how and possibly also protection of persons. Furthermore, proof that access authorisations are issued in a reasonable manner and that the use of these authorisations is controlled will also be required if fulfilment of contractual or legal requirements is to be proven ("compliance"). The institution's requirements regarding the access control system should be documented in sufficient detail.

Mechanical locking systems with keys and group keys become problematic if a rapid reaction is required after the loss of keys or if a change of use requires rapid modifications within the building. That is why IT-supported access control systems (ACS), as defined in the standard DIN EN 50133-1 / VDE 0830-8-1 "Alarm systems - Access control systems for use in security applications", are used at many locations.

Such a system consists of various basic elements that are combined in layers. An access control server administers the central database, i.e. the data of the persons to whom authorisations are issued, as well as the rules (who, when, where) that apply to the authorisations and their organisation. The access control server is connected to the control units. The IT network transfers the authorisation profiles for the connected doors, gates and barriers from the server to these units. All decisions on controlling the connected doors etc. are made in this decentralised unit. Thus, door control is also possible without a connection to the central server. The control unit has integrated data memory that records all movement data.

The control units are connected to sensors (reading units), actuators (e.g. controlling elements, door openers, double-door systems) and detectors.

Users are identified (and in part also authenticated) by ID cards or tokens that are read by reading units. These elements are generally referred to as identification carriers. The ID cards should be uniform and should include clearly legible identifiers (e.g. name and department). This makes it easier to directly identify unauthorised persons in protected areas.

The ID card holder is granted authorised access by holding the ID card against a reader unit. The reader unit forwards the card's ID to its control unit. If the control unit identifies the card as being authorised for this door, the actuator is triggered and the door opens.

In areas with increased protection requirements, two-factor authentication should be performed. In such a case, verification of possession (e.g. the authorised chip card) is supplemented by verification of knowledge (e.g. entry of a PIN code) or verification of a biometric feature of the card holder.

Additionally, an access control system can be used to organise the issuing of authorisations, the issuing of identification carriers and the allocation of conventional keys. Special authorisations such as parking permits for employees and short-term visitor cards should be managed by this system. Furthermore, logging of the usage of the whole access control system is concentrated on the server.

The scope of services of an access control system that is also used to manage mechanical keys should support all processes described in S 2.14 Key management.

An access control system makes it easy to verify at any time which persons have access authorisation to safety-critical areas of the building, and which cards are used for opening doors and at what time. It is also easy to cancel or change a person's authorisations when their field of duties changes or when they leave the institution. It is not necessary to request the return of an object, e.g. to collect a key; it is sufficient to cancel the corresponding rights assigned to a certain card.
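The layered design described above (server with rules, control unit deciding locally and recording movement data, optional second factor, cancellation of rights) can be modelled in a few lines. This is an added illustration, not part of the original safeguard text or of any product; the names `Rule`, `Server`, `ControlUnit`, the card ID and the PIN are constructed for the example. In this model, a control unit that has not yet received an updated profile keeps granting access with its last profile, which is the consequence of door control working without a connection to the server.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, time

def hash_pin(pin):  # constructed; a real system would use a salted, slow hash
    return hashlib.sha256(pin.encode()).hexdigest()

@dataclass(frozen=True)
class Rule:                 # one "who, when, where" entry
    card_id: str
    door: str
    start: time
    end: time
    pin_hash: str = ""      # non-empty only for doors that need a second factor

@dataclass
class Server:               # central database of rules
    rules: set = field(default_factory=set)
    def revoke(self, card_id):
        self.rules = {r for r in self.rules if r.card_id != card_id}

@dataclass
class ControlUnit:          # decides locally, also without the server
    doors: set
    profile: set = field(default_factory=set)  # last profile received
    log: list = field(default_factory=list)    # movement data held on the unit
    def sync(self, server):                    # profile transfer over the network
        self.profile = {r for r in server.rules if r.door in self.doors}
    def request(self, card_id, door, when, pin=None):
        ok = any(r.card_id == card_id and r.door == door
                 and r.start <= when.time() <= r.end
                 and (not r.pin_hash or hash_pin(pin or "") == r.pin_hash)
                 for r in self.profile)
        self.log.append((when.isoformat(), card_id, door, "GRANT" if ok else "DENY"))
        return ok

def demo():
    server = Server({Rule("card-17", "office", time(6), time(22)),
                     Rule("card-17", "lab", time(7), time(19), hash_pin("4711"))})
    unit = ControlUnit(doors={"office", "lab"})
    unit.sync(server)
    noon = datetime(2024, 1, 8, 12, 0)
    out = [unit.request("card-17", "office", noon),           # card only
           unit.request("card-17", "lab", noon),              # PIN missing
           unit.request("card-17", "lab", noon, pin="4711")]  # card + PIN
    server.revoke("card-17")                                  # unit not yet updated
    out.append(unit.request("card-17", "office", noon))       # stale profile
    unit.sync(server)
    out.append(unit.request("card-17", "office", noon))       # revocation applied
    return out
```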

It must always be ensured that the decision on the issuing of access authorisations lies with the person responsible for the corresponding building section. The administrator of the access control system is correspondingly responsible for the correct implementation of the instructions, but not for issuing the access rights themselves.

Due to the comprehensive possibilities for logging and evaluation (such as movement data of employees), the introduction of such a system should be coordinated with the data protection officer and the workers' council in good time.

Planning of an access control system must address the individual requirements of an institution. The interfaces of such a system, e.g. with doors and for video monitoring, must be specifically designed and implemented for the pursued protection objective, and special problems such as control and monitoring of escape doors must be solved. Furthermore, the dependency on a supplier results in the risk of facing limitations regarding possible changes or extensions of the system. When making a new purchase or changing large parts of an access control system, a professional planner should be consulted.

Review questions: