Information Security Management is responsible for defining and documenting all access control policies. These polices will identify all physical security measures that need to be taken and which groups of employee should have access to what type of facility. Facilities Management will ensure that these policies are properly enforced. Policies should include:

• Which areas are restricted and to whom
• What access controls will be put in place
• Under what circumstances access will be allowed to specific restricted areas. For example, preventing all access to a Data Centre floor unless an authorized RFC number is typed into a keypad
• How access control will be monitored
• A statement of privacy policies and what information has to be known in order to permit access
• Policies regarding the surveillance of personnel, e.g. what may be recorded, where and whether there are any exceptions.

Most organizations use multiple levels of access control, starting with access to the property, then moving to access to specific areas in the building and then to specific functions, equipment or rooms. Each level of security is enforced using different mechanisms and personnel, thus providing additional security.

All facilities should have a documented, current floor plan which indicates exactly which areas are restricted and which are not. This plan will also indicate which security measures are implemented and where. This will aid in security audits and also for the maintenance of access control equipment.

Access control devices need to be installed on all entrances and exits. The aim of these devices is to ensure that only authorized personnel have access to the restricted area. Although this appears at first glance to be a fairly straightforward subject, there are a number of items that need to be taken into account (See Table F.1).

Access control	Example	Advantages	Disadvantages
Mechanical	Lock and key	Stable and reliable	Requires key control Locks have to be replaced every time someone leaves the organization Can easily be compromised by anyone with knowledge of a few simple techniques
Code access	Mechanical (e.g. a pushbutton device mounted into the door) Electronic (e.g. a keypad used to arm or disarm a security alarm)	Stable, Relatively inexpensive	Someone observing personnel using the device can obtain the code easily Code has to be changed every time someone leaves the organization People tend to write the code down
Electronic access	Key cards	Easy to use Can be used to track personnel's access Can be cancelled or changed centrally to suit changed requirements Can be cancelled even where staff do not return their card	Relatively expensive, although costs have decreased, and often cheaper than using human resources to physically guard each access point Dependent on power availability Can be compromised by people using specialized copying equipment
Biometric	Retinal scanner or Voice analysis	Very reliable mechanism for identifying specific individuals Difficult to forge access More effective at countering social engineering	Dependent on the availability of power Requires more sophisticated access control systems Relatively expensive
Multiple access	Door with a key card. One person opens the door and permits access to any number of people accompanying them.	Easy to move from one place to another, especially where groups are working together	Difficult to control 'Tailgating' Dependent on the security awareness of authorized personnel Extremely vulnerable to social engineering Should not be used in highly secured areas
Single access	Turnstile permits only one person to enter. The same key card can not be used to enter a second person	Easier to control access Prevents social engineering more effectively	Could become a bottleneck at peak hours Requires more intensive surveillance and staffing
Uni-directional access	Revolving door allowing only access or only exit. Typically used in airports where security personnel are only concerned about people entering the airport, but not about those exiting	Good for situations where there is no need to monitor what people take out, but where things they take in could cause significant damage.	Requires more monitoring to ensure that people do not attempt to go through the wrong direction. Typically uni-directional; also implies additional scanning equipment and surveillance
Bi-directional access	Access-controlled door	Good for general access to restricted areas.	People exiting can provide access to unauthorized personnel moving in Could be a bottleneck (e.g. in bi-directional turnstiles people going out have to wait for people coming in)
Active	Requires action by personnel to gain access, e.q. swiping a key card or punching a code.	Easier to control access More secure	Requires personnel to remember a code or to bring a key card
Passive	Passive detector unlocks an exit from inside whenever someone approaches.	Provides safer exit in the event of a fire Does not require key cards for people moving to non-secure areas.	Easy for unauthorized personnel to gain access simply by waiting outside the door Can be triggered from the outside by inserting something under the door and moving it within range of the sensor
Table F.1 Access control devices

As most physical access control mechanisms are not foolproof, it is important to ensure that access can be monitored and controlled. This is done by specialized security staff and by electronic surveillance equipment.

Since security is all about managing the access of people to a facility, it is fitting that people are used to enforce security measures. Larger organizations sometimes provide their own security staff, but most tend to outsource physical access control to specialized companies. This is usually for the following reasons:

• Security guards require specialized training and are usually subject to a different (almost military) disciplinary code from most company employees. This, is often in conflict with the more commercial type of disciplinary code and is best managed by a different set of managers using a different management culture:
• External companies are less likely to be influenced by social engineering situations, as they have specialised training and are unlikely to understand some of the organization's internal nuances that could be used by an experienced social engineer.

Surveillance equipment is used to extend the effectiveness of both the physical access control mechanisms and the security personnel. It is important to note that no surveillance equipment can replace the presence of a trained, aware security guard, merely extend their effectiveness. Examples of commonly used surveillance equipment include:

• Video cameras to monitor key access points and also in less used access points, thus allowing a security guard to monitor several locations at once. These are usually taped and the videos stored for some time before being used again. This is to ensure that if any wrongdoing is discovered, the tapes can be used in the investigation. This means that the quality of images must be good enough to facilitate identification of people, but it also has to be in a format that makes it easy to store vast quantities of visual data.
• Access Event Logs. These typically log every entrance and exit by personnel using electronic access mechanisms.
• Passive detection units to detect the presence of personnel in an area that should not be staffed.
• Alarms that will notify security staff of unauthorized access or exit, often linked to an audible alarm.

No matter how secure the environment, it is dependent on the security awareness of the employees and contractors who work in the facility. Social engineering is still one of the most common breaches of physical security. Social engineering refers to the practice of gaining entry to a facility by using interpersonal and communication skills to convince someone to allow unauthorized access to a building, restricted area, restricted equipment and data; or to cabinets containing confidential documents.

Examples of social engineering include:

• Posing as a legitimate contractor or employee of the organization. The usual technique is to approach security personnel and state that they have forgotten their access card. An Access Log is signed and a visitor's card produced. There is often no real checking of whether the person is a legitimate employee, especially in busy reception areas.
• Posing as someone who has a reason to gain unauthorized access to the facility, e.g. a utilities worker or fire inspector.
• An ex-employee or contractor approaching people with whom they are familiar to allow them access.
• 'Tailgating', where a person simply follows an authorized employee through an entrance that they have opened.

Social engineering is best countered by enforcing strict compliance with access control procedures, continuing education programmes, regular briefings of security personnel and stringent audits.

A growing number of companies offer services to test the rigour of access control with people who specialize in using social engineering techniques.

---