S 2.17 Entry regulations and controls

Initiation responsibility: Head of Organisation, Building Services Manager

Implementation responsibility: Building Services Manager, Employee, Planner

Entry into parts of buildings and rooms requiring protection must be controlled (see S 2.6 Granting of site access authorisations). The pertinent safeguards range from the simple issue of keys through to complicated identification systems including one-by-one checks of persons; in this respect, use of a physical key with lock also constitutes a form of entry control. For entry regulation and control, it is necessary that:

• The area subject to such regulations is clearly defined.
• The number of persons with right of access is reduced to a minimum. These persons should be mutually aware of their permissions in order to be able to recognise unauthorised persons as such.
• Any other persons (visitors) may be allowed to enter only after the need to do so has been previously verified.
• The permissions granted must be documented.

The mere allocation of permissions will not be sufficient if their observance, or infringement, is not monitored. The detailed design of control mechanisms should be based on the principle that simple and practicable solutions are often just as effective as elaborate technology. Examples of this include:

• Informing and raising the awareness of security issues of authorised persons.
• Announcement of changes to the permissions granted.
• Visible carrying of internal identity passes, together with issue of visitor's passes.
• Escorting of visitors.
• Procedural rules when any infringement of rights has been detected.
• Restriction of unhindered entry for unauthorised persons (e.g. door with a dummy knob, lock for authorised persons provided with a key, bell for visitors).

Various building-related, organisational and personnel-related safeguards are required in connection with access control. Their interaction should be controlled in an access control concept which specifies the general guidelines for protection of the perimeter, building and equipment. This includes the following safeguards:

• Definition of security zones
  
  Areas to be protected could be grounds, buildings, server rooms, rooms containing peripheral devices, archives, communications facilities and in-house installations. As these areas often have quite different security requirements, it can be appropriate to divide them into different security zones (see S 1.79 Formation of security zones).
• Issue of access authorisations (see S 2.6 Issue of access authorisations)
• Appointment of a person responsible for access control
  
  This person assigns access authorisations to individual persons in accordance with the principles laid down in the security strategy.
• Definition of time dependencies
  
  It must be clarified whether it is necessary to have time limits on access rights. For example, access might be permitted only during working hours, once a day or for a period ending on a fixed date.
• Retention of evidence
  
  Here it is necessary to determine what data should be logged when a protected area is entered and left. It may be necessary here to carefully weigh up the security interests of the system operator against the interests of protecting the privacy of the individual.
• Handling of exceptional situations
  
  Also in exceptional cases it must be ensured that no unauthorised persons may enter the building or the property. However, the highest priority is to ensure that in case of fire all persons are able to evacuate the endangered zones as quickly as possible.

In addition, the installation of various qualities of badge reader, of walk-through detectors and one-by-one checking facilities may be expedient. For key management, see S 2.14 Key Management.

The use of an IT-supported system for authorisation management is recommended to realise a more comprehensive concept, to maintain flexibility during use, and to ensure transparency and verifiability (see S 1.80 Access control system and authorisation management).

The terminals used for access control must be protected against tampering. They must be arranged so that confidentiality is maintained during data entry. Moreover, all the units that are necessary for data entry should be combined in one device, for example, a keypad for entry of a PIN.

If all the units are not in a single device, data transmission between these devices must be encrypted. If, for example, contactless ID card readers are used, the transmission of data between card and reader must be encrypted.

Effectiveness of all technical and organisational safeguards must be checked continuously during operation. It is recommended to perform regular checks especially with the known problematic sites regarding any possibilities to by-pass access control, e.g. in delivery or smoker zones.

Review questions:

• Is access to building parts and rooms requiring protection controlled?
• Is there a concept for access control?
• Are the access control measures checked regularly for effectiveness?