Access control is an essential part of physical security that keeps buildings, people, and information safe. But even the fanciest camera software, biometric scanners, and visitor management systems are completely useless if the people using them don’t have any standards to follow.
Having an access control policy is the only way to effectively secure a property using your security officers and all of that fancy tech. This article will go over the basics of access control policies and what role you should play in helping your clients create them. In order to do that, you’ll need to know:
- What is access control?
- Why do you need an access control policy?
- 4 basic access control policy components
What is access control?
Access control is a security function that determines which people should have access to specific physical areas or information. There are two types of access control: physical and logical.
Physical access control includes things like turnstiles, barricades, key card entry, doors and locks, and even security guards. Basically anything that would prevent someone from going somewhere they’re not supposed to.
Logical access control is information based. It includes things like passwords, two-factor authentication, and any other systems that focus on protecting digital information like employee records or tax files.
Physical access control is almost always your first line of defense. If you can stop a bad actor from reaching a computer in the first place, it will be much harder for them to access or steal digital information.
Why do you need an access control policy?
An access control policy gives you, your security guards and your clients clear direction to help keep people and property safe. It establishes who is responsible for which roles in access control on a property.
When you and your client work together to form this policy, it can help to maintain trust and accountability. They will know what standard you hold yourself and your guards to, and you will know what they expect of their employees in helping maintain good access control practices.
4 basic access control policy components
Keep in mind that this is not an all-inclusive list of what should be included in your access control policy. But these 4 components should give you a good place to start when building an access control policy.
1. Access Groups
The first step to creating an access control policy is to look at the different groups of people that will be interacting with the property. Generally you can split this into two groups: employees and visitors.
In many cases, not all employees will have identical access to the entire property. This is what’s called a tiered access control policy.
You’ll need to work with your client to determine which employees are allowed where. In a simple scenario, you might need to determine which areas are for employees only. In a more complex situation, there might be entrances, rooms, or entire floors that should only be accessible to a specific group of employees.
Visitor management can get very tricky depending on what types of visitors are coming to the property. Typically, there are three common types of visitors you’ll want to consider:
- One-time/short term visitors
- Recurring visitors (i.e. cleaning crews, delivery drivers)
The access control policy should cover the specific access each type of visitor should have. You can also detail how visitor lists should be created and what type of documentation or identification is required.
When determining access groups, an important thing to consider is access times. In many cases, your security guards and maybe a cleaning crew will be the only people that are on a property overnight. But plenty of facilities have graveyard workers as well.
Whatever the case may be, make sure you clearly understand the appropriate times for all of the different access groups to be on the property.
2. Compliance
If your security services are helping your client protect any kind of data, physical access control has to consider compliance standards. And odds are most of your clients will have some kind of data that needs protecting.
Data protection can include things like employee records, business tax information and customer contact lists. There are tons of different compliance standards out there, but these 5 cover a lot of bases and are a great place to start:
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Payment Card Industry Data Security Standard (PCI)
- International Organization for Standardization (ISO)
- American Institute of CPAs’ Service Organization Control (SOC 2)
- General Data Privacy Regulation (GDPR)
But what exactly does an access control policy need to include regarding compliance? As a general rule, part of the policy should show the steps taken to protect data from unauthorized users. The access control policy should include all steps taken to prevent this - both physical and digital.
3. Training
If the right people aren’t trained on how to actually enforce the access control policy, there’s no point in having one. Not only should your security guards be trained on what aspects of the policy they are responsible for, but the appropriate people in your client’s organization should be trained as well.
There are two areas important to train on: standard operating procedures and security technology.
Private security operations rely on standard operating procedures to run effectively. It’s no different regarding access control. For your security guards, effective access control starts with effective access management.
Remember, access control isn’t just about managing key card access and patrolling special authorization zones. Your security guards should know how they are expected to assess people and situations as they approach the property as well as what to do once they're on site.
If you do have to use any access control technology, it’s important that everyone is trained on how to properly use and interact with it.
It’s possible that not every single person needs to be trained on the entire policy, but that is something you will need to work out with your client. In addition to figuring out who should be trained, you should establish how often training needs to happen.
4. Implementation
Once the access control policy has been written, the next step is making sure that it is implemented effectively.
One of the best ways to do that is to make the policy as actionable as possible. After your guards are trained on the policy, they should have a very clear understanding of the steps they need to take day-to-day to make sure it’s enforced.
By using guard management software, you can set tasks, sequenced guard tours, and pass down notes that will allow guards to easily enforce every aspect of the access control policy.
Accountability between you and your client can also go a long way to ensuring the access control policy is being implemented well. Set regular check-in meetings with your client to review the current policy, discuss any incidents that violated policy, and make any necessary changes.
This check-in meeting is a great opportunity for you to position yourself as the security expert and gain trust with your client. If you can offer sound advice and strategies based on your experience and data you’ve collected, they will be much more likely to listen to you in other areas.
When it comes to putting together an access control policy, either on your own or with a client, it’s important to consider all of the aspects that affect access control on a property. Access groups, compliance, training, and implementation all play a part in a well-rounded plan that will keep people, property, and information as safe as possible.