Issued: August 2004
All of us want to protect ourselves against unwanted events. This guide follows the theory that the physical environments of facilities can be designed and managed in order to reduce the risk of unwanted events. Control of access is one component of a physical security approach designed to reduce such risk. It should not be considered as a means that will eliminate risk, nor should it be considered as the only method to address risk. Instead, it should be viewed as part of an overall risk management strategy.
This document provides information to assist departments in the application of the Readiness Standard and the Operational Security Standard. Described within are the options available for departments to choose from in order to meet the requirements of these two standards for control of access. Control of access in this document includes access to facilities by persons as well as the screening of deliveries.
The Operational Security Standard - Readiness Levels for Federal Government Facilities lists mandatory control of access as a departmental responsibility. Departments are responsible for controlling access to their facilities commencing at their Operations Zones. Access should be provided only to those who are authorized or properly escorted.
Departments should use this guide to select the most appropriate methods and locations where access should be controlled in order to meet the requirements of the readiness and operational standards. This guide should be reviewed in conjunction with a department’s threat and risk assessments in order to design an access control strategy for each facility.
As defined in section 3.2 of the Treasury Board Standard on Physical Security, custodians are responsible for integrating tenant requirements into their base building infrastructure. When departments determine that the most effective method to control access requires modifications to areas outside the tenants’ control, the custodian is responsible for coordinating the measures that the department requires. The department remains responsible for paying for the modifications.
For control of access to be worthwhile it is assumed that there are threats associated with unwanted entry. Theft, for example, could be a threat in an environment with valuable assets and unrestricted access. The assumption is that when access is controlled, the likelihood of theft occurring will be reduced. Other threats, such as the threat of unauthorized disclosure of sensitive information, or the threat of workplace violence, may become less likely as well.
The effectiveness of controlling access depends to some extent on the nature of the threat. For example, access control provides minimal protection from those who have authorized access (an insider threat). It has limited effect at preventing skilled or determined adversaries (deliberate threat) as they will often be able to bypass the controls. It is more effective when the threats are a result of unintentional access to assets (opportunistic threats).
A thorough assessment of the threats at a given facility will reveal what the purpose of the controls at that facility should be.
Access to information and assets should be limited to those who have undergone a screening process to the appropriate security level, and whose duties require such access. Both of these requirements are necessary for controlling access to be effective. The security screening process should not allow a person into an area unless his/her duties require such access.
A significant threat to a department’s assets comes from insiders – i.e. those who have authorized access. Limiting the areas which personnel are authorized to access will reduce the opportunistic threat that these individuals pose. Some areas may contain assets which have a higher degree of risk associated with unauthorized access. To protect against the insider threat, access to these areas should be restricted to as few personnel as possible.
At times, visitors or contractors may have duties in an area, but the appropriate security screening may not be in place. In such cases the visitors may be granted access, but they should be appropriately escorted. Departments should have procedures to follow such as sign-in and issuance of temporary passes when access is provided to visitors.
Control of access is intrinsically linked to the concept of zoning. Zoning involves organizing a facility into distinct areas in order to control access by the public and, to a lesser extent, by personnel. Five zones can be used for this purpose:
The first two of these zones establish access conditions for the three restricted zones. The term "controlled area" may be used to describe any combination of restricted zones; for example, when clusters of restricted zones are separated by Public or Reception Zones. The appendix of the Government Security Policy offers the following definitions of the various zones:
Public Zone - generally surrounds or forms part of a government facility. Examples: the grounds surrounding a building, or public corridors and elevator lobbies in multiple occupancy buildings.
Reception Zone - is typically located at the entry to the facility where initial contact between visitors and the department occurs; this can include areas where services are provided and information is exchanged. Access by visitors may be limited to specific times of the day or for specific reasons.
Operations Zone - must be indicated by a recognizable perimeter, monitored periodically and an area where control of access begins. Examples: typical open office space or an electrical room.
Security Zone - must be indicated by a recognizable perimeter and monitored 24 hours a day and 7 days a week. Example: an area where secret information is processed or stored.
High Security Zone - must be indicated by a perimeter built to the specifications recommended in the TRA, monitored 24 hours a day and 7 days a week, and be an area to which access is controlled and audited. Example: an area where high-risk information is processed by selected personnel.
Note that the foregoing definitions do not preclude the establishment of a temporary Restricted Zone either inside or outside a controlled area. For example, a temporary Security Zone could be established around a seized vessel or truck under continuous guard. It could also be a desk in an open office area that normally functions as an Operations Zone, if the person processing sensitive information and assets there can control access to these.
The minimum requirement is that access is controlled at Operations Zones and higher. Since no two facilities are identical, the locations where Operations Zones begin will also be different from one facility to another. The following examples, however, illustrate some generic facility types.
The building in this example is a single-purpose government building on government land. The Public Zone is the grounds around the building. Although departments may wish to monitor this area, there is no minimum requirement to control access. A Reception Zone is located at the front entry. Within this zone there is a means for the public to make initial contact and exchange information. This may happen at a reception desk, where there will be personnel present to monitor the space. Entry beyond the Reception Zone is required to be restricted to those who have a need to access. There should be a recognizable perimeter such as a doorway or an arrangement of furniture which clearly demarcates the entrance to the Operations Zone. Access should be controlled from this point on. Access should also be controlled at every other point which enters into an Operations or Security Zone.
The building in this example is a multi-storey building in which the government is a tenant on one or more floors. The Public Zone includes the main floor lobby as well as the elevator and corridors on each floor. There is a Reception Zone located adjacent to the Public Zone on one side of the floor. The remaining office areas are Operations Zones.
Control of access is required at all entry points into the Operations Zones. In this example it is possible to enter an Operations Zone from either a Reception Zone or a Public Zone (the corridor). Departments should make it clear to any visitors that entry into an Operations Zone is for authorized personnel only. Typically this is done with signage which should also direct the individual to the location of the Reception Zone.
In addition to meeting this minimum requirement, departments may wish to establish additional levels of secure zones in order to further limit access within a facility. The requirement for Security or High Security Zones within a facility will depend upon the levels of information handled, as well as the specific threats to the department’s assets. Access to these zones should be from lower security zones so that more than one entry point must be passed in order to access a higher security zone.
An entry point is a design feature that channels traffic in such a way that effective control of access is possible at that point. Entry points between zones should be clearly identifiable. The boundary of the zone cannot permit access except at an entry point. The floor plan below illustrates the relationship between zones:
Different means to control access may be appropriate depending on the zone accessed by the entry point. For example, a personal recognition system might be acceptable at an entry to an Operations Zone; however, a biometric system might be selected when entering a High Security Zone. In addition, there should be a corresponding level of personnel screening and physical barriers to support the access control measures.
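The zoning rules above (access controlled at every entry into an Operations Zone or higher, and more than one entry point passed before reaching a Security or High Security Zone) can be checked against a floor plan modelled as a graph. The Python sketch below is an added example and is not part of the original guide. The zone names, the two sample floor plans and the reading of "more than one" as "at least two" are assumptions made for illustration.

```python
import heapq
from collections import defaultdict

# Zone types named in the guide, ordered from least to most restricted.
LEVEL = {"Public": 0, "Reception": 1, "Operations": 2,
         "Security": 3, "High Security": 4}

# Fewest controlled entry points that must lie between a Public Zone and a
# zone of each type. Operations: control of access begins here (1).
# Security / High Security: "more than one entry point", read here as 2
# (an assumption of this example).
MIN_CONTROLLED = {"Operations": 1, "Security": 2, "High Security": 2}


def min_controlled_crossings(zones, openings):
    """For each zone reachable from a Public Zone, return the smallest number
    of controlled entry points on any route to it (Dijkstra: a controlled
    opening costs 1, an uncontrolled opening costs 0)."""
    adj = defaultdict(list)
    for a, b, controlled in openings:
        cost = 1 if controlled else 0
        adj[a].append((b, cost))
        adj[b].append((a, cost))
    heap = [(0, name) for name, kind in zones.items() if kind == "Public"]
    heapq.heapify(heap)
    dist = {}
    while heap:
        d, zone = heapq.heappop(heap)
        if zone in dist:
            continue
        dist[zone] = d
        for nxt, cost in adj[zone]:
            if nxt not in dist:
                heapq.heappush(heap, (d + cost, nxt))
    return dist


def audit(zones, openings):
    """Return a sorted list of findings for a floor plan."""
    findings = []
    # Rule 1: every opening that leads up into an Operations Zone or higher
    # must be a controlled entry point.
    for a, b, controlled in openings:
        lo, hi = sorted((a, b), key=lambda z: LEVEL[zones[z]])
        leads_up = LEVEL[zones[lo]] < LEVEL[zones[hi]]
        if leads_up and LEVEL[zones[hi]] >= LEVEL["Operations"] and not controlled:
            findings.append(f"uncontrolled opening from {lo} into {hi}")
    # Rule 2: layering. Count the controlled entry points on the weakest route.
    dist = min_controlled_crossings(zones, openings)
    for name, kind in zones.items():
        need = MIN_CONTROLLED.get(kind)
        if need is not None and name in dist and dist[name] < need:
            findings.append(
                f"{name}: weakest route passes {dist[name]} controlled "
                f"entry point(s), at least {need} expected")
    return sorted(findings)


# Constructed sample floor (hypothetical names). Each opening is
# (zone_a, zone_b, controlled?).
ZONES = {
    "corridor": "Public",
    "stairwell": "Public",
    "reception": "Reception",
    "office": "Operations",
    "registry": "Security",
}

# Layout A: an exit stairwell opens directly into the Operations Zone through
# a door that is not a controlled entry point.
PLAN_A = [
    ("corridor", "stairwell", False),
    ("corridor", "reception", False),
    ("reception", "office", True),
    ("office", "registry", True),
    ("stairwell", "office", False),
]

# Layout B: the stairwell opens only onto the public corridor.
PLAN_B = [o for o in PLAN_A if o != ("stairwell", "office", False)]

if __name__ == "__main__":
    for label, plan in (("A", PLAN_A), ("B", PLAN_B)):
        print(f"Layout {label}:")
        for finding in audit(ZONES, plan) or ["no findings"]:
            print("  -", finding)
```

In layout A the single uncontrolled stairwell door produces three findings, because it also removes one layer of control in front of the Security Zone behind the office.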
There is a variety of methods to control access. Each method provides different levels of protection and has different associated costs. Consideration should also be given to the level of inconvenience that each option provides. Staff who are hindered too much in their work by access controls will eventually start circumventing them. The control of access should be as convenient to normal operations as possible.
Common methods of access control include personal recognition, access badges, various physical measures such as doors and locks, and electronic methods such as card access systems. Often a combination of strategies is used in order to increase their effectiveness. The basics of each of these strategies are provided below.
When small numbers of personnel comprise a work group in a particular zone, the ability of each employee to recognize all others and to detect a stranger is a distinct security benefit that can support or modify other access control features.
As the number of personnel increases, employees may be assigned to work at an entry point where they also control access by personal recognition and inform visitors about the rules for circulation and conduct within. Other personnel may be called to the entry point to escort visitors.
Personal recognition systems are effective when the following minimum conditions can be met:
Some advantages of personal recognition systems are:
Some disadvantages of personal recognition systems are:
When the minimum conditions for personal recognition cannot be met, one option is to use access badges. Access badges are worn by people to indicate that they are authorized to access a certain facility or area. To be effective, it should be clear that the badge entitles the badge owner to enter a particular restricted zone, and that the badge is being worn by the person to whom it was issued.
Control staff may be used at an entry point to verify that the person entering the restricted zone is wearing an appropriate badge. Alternatively, the card may be combined with an electronic access control system (see 6.4) to permit access.
Access badges and Identification cards should not be confused. They serve different purposes and have a different appearance. Detailed information about the appearance of cards and badges is described in Security Guide G1-006 - Identification Cards / Access Badges.
An employee’s access badge should have a photo of the person and be worn at all times while the individual is within the restricted access zone. This allows employees to monitor individuals within restricted areas.
Badges may also be issued to visitors or trades persons indicating that the person has been granted a temporary authorization to access an area. Visitors and trades persons should be escorted when in a Security or High Security Zone unless they have passed an appropriate security clearance check.
Some advantages of access badge systems are:
Some disadvantages of access badge systems are:
Mechanical measures to control access involve the use of a physical barrier at an entry point. Examples of barriers include doors, turnstiles and gates. When used for access control, these barriers must be combined with some additional means to permit or deny access. This may be through personnel or guards, or it may be through other, electronic or mechanical means.
The most common mechanical means is the keyed lock. When keyed locks are used for access control, control over who has access to the keys becomes critical. If keys can be easily copied, control of access cannot be guaranteed. Similarly, if a key is lost, lent or stolen, there is a risk of unauthorized access. If the lost key is a master key, then a greater number of access points will be affected. Nonetheless, if proper key control is maintained, keyed mechanical locks may be an effective and inexpensive method to contribute to controlling access.
Combination locks, often in the form of a push button, are an alternative to keyed locks. They are vulnerable in that unauthorized individuals can learn the combinations, and because of this their effectiveness depends on the security awareness of the users. Combinations should not be written down where they can be found by others. Locks should be positioned to minimize the potential for the combination to be observed by others as it is entered. For additional protection, combinations should be frequently changed.
Further information about locking hardware and key control requirements is described in section 7.7.4 of the Treasury Board Operational Standard on Physical Security, as well as in Security Guides G1-007, G1-016 and G1-017. Information about keys for security containers is contained in section 8.4 of the Treasury Board Operational Standard on Physical Security. Information about doors and frames is contained in Security Guide G1-018.
In some situations it may be less expensive and more effective to use electronic systems to control access. Perhaps the most important requirements for electronic systems to be effective are that there is proper physical design as well as good support for the system by the users. Electronic access control systems often include a number of features not found in mechanical or personal recognition systems. Some of these features include:
Typically, with an electronic access control system the user must present a card, code, or some other item - referred to as a key - which the system can identify. Some of the items identified by the system are:
Typically, a keypad is mounted near an entry point. Authorized users type in their entry code to obtain access. The system is relatively inexpensive but often less secure since entry codes are sometimes given out, guessed or observed by others as they are entered.
Electronic access cards are presented to a card reader at an entry point. A database connected to the reader identifies information about the cardholder, including the right to access that particular entry point. Should a card be lost or stolen, the privileges of that card can be easily changed in the database without modification to the entry point or the reader. Currently the most common form of electronic access control, access cards are often used in combination with access badges and personal recognition systems.
Electronic keys store information about access privileges in both the key and the lock. If a key is lost, the locks it was programmed to enter can be reprogrammed and no changes are required to other keys. These systems are usually less expensive and easier to install than card access systems but are less suitable to large operations with a number of users and access points.
With each of the previous systems, it is possible for a user to lose or lend their access code/card/key to an unauthorized user. Biometric devices can ensure that the person requesting entry is not using someone else’s access card or code. They do so by requiring that the person present a physical characteristic to a reader. This may be an eye, a fingerprint, a hand print or a face which can be recognized and authenticated by the system.
Biometric systems are sometimes slow or inconvenient and often more expensive than other systems. They may not work well for all users, since some people have physical characteristics which make it difficult to enrol them in the system. Biometric systems are generally less appropriate for high-traffic areas, and more appropriate when there is a limited number of users and relatively high security requirements to control access.
In addition to the ability to identify who has the right to enter an area, an electronic access control system will also have some means of granting that access. Some of these include:
Electric locks allow a door handle to retract the latch only when authorized.
The strike is the part of door hardware into which the door latch fits. An electronic access control system can allow the door to be opened by releasing the strike without requiring the latch to be retracted.
Some doors are held shut by electromagnets. The magnet is released when the electric current is removed from the magnet. Although these are very strong, building code restrictions may limit the use and security offered by this type of lock.
There are a variety of turnstile designs for the access control market. Some offer full-height mechanical features to physically prevent unauthorized access. These are expensive, however, and do not allow people to pass through rapidly. They are sometimes not well accepted by users due to their inconvenience.
Some electronic turnstiles allow people to pass through unimpeded, using a local alarm to indicate if a person has not been properly identified by the system. These turnstiles are more user friendly but require additional monitoring of the access point.
The benefit from the use of turnstiles is the reduction of the opportunity to piggyback. Piggybacking occurs when a bona fide user enters through a door and, while the door is in the open position, another person passes through without being processed through the system. Access control turnstiles are designed to allow only one person to enter at a time.
The movement of material into a facility must be screened in order to identify suspicious items and initiate procedures to manage the associated risk. Items with the following characteristics should be considered suspicious:
In larger facilities, this screening should take place in an appropriately located mailroom. Access to the mailroom should be controlled, and mailroom staff should be trained to screen for suspicious material and to initiate a protocol once a suspicious item has been identified. For additional protection, if identified as a requirement in a TRA, packages may be x-rayed upon reception.
In smaller facilities, awareness of suspicious signs and the appropriate procedures to follow will be the responsibility of every person who may receive incoming material. This awareness should be supported by posters, guides or bulletins designed to ensure continued awareness.
This document has presented an overview of control of access. It is intended to provide guidance to departments by describing the range of options on how to meet the minimum requirements for control of access. Departments should frequently re-evaluate how they are meeting these requirements in conjunction with their ongoing evaluations of threats and risks.
Attached to the body of this document are two appendixes containing best-practice examples of controlling access. They are intended to assist departments to apply the principles laid out in this guide.
The following suggested safeguards are considered to be best practices that departments could employ in order to effectively control access to their facilities.
Arrange work areas so that people going about their day-to-day activities observe the entry points (natural observation). Locate workstations so that natural observation can occur. Where guards are used, ensure that they have unobstructed observation of the entry points. Where natural observation is not possible, consider using cameras.
People who are not entitled to enter will be less likely to attempt to do so when they have a sense that they are being observed. Consider the location of the reception desk in the following two examples:
In example number 1, the reception desk cannot see the door between the Reception Zone and the Operations Zone. An individual could wait for an opportune time to enter and might go unnoticed by the employee at the reception desk.
In example number 2, the reception desk has been relocated to allow for observation of the entry area. An unauthorized individual would feel more conspicuous if he or she tried to wait for an opportune time to enter, and would more likely be noticed from the reception counter.
At large facilities, avoid giving everyone access to the entire facility. Instead, compartmentalize the facility into smaller areas and control the access to each of these areas. Give individuals access privileges only to those areas where they must go in order to do their jobs (the need-to-know principle). This will help create a sense of territoriality within each area and enhance the effectiveness of personal recognition.
A threat that is common to all departments is the threat from within. Employees who become disgruntled or coerced may be willing to compromise the assets of their employer. Compartmentalizing an office can reduce the number of employees who have access to individual assets.
In larger departments, it is usually possible to organize into groups which seldom need to interact with each other to perform their duties. For example, a research and development branch of a department may have no need to interact with a communications branch on a regular basis. Consider the following examples:
In example number 1, the two branches share the entire Operations Zone. In example number 2, the Operations Zone is divided into two areas. In this example, one side would contain the research and development branch, while the other side contains the communications branch. If there is no need for employees of one branch to access another area, consider dividing the area into two compartments with separate control over access to each area.
Provide physical barriers around each separate area to which access is controlled. Identify each area with appropriate signs such as:
Note: Signs should conform to the Federal Identity Program.
An area where there is control of access should be clearly identified and demarcated. The clearest way to demarcate an area is by the use of physical barriers (doors, walls, etc.). This in itself, however, may not be enough to discourage individuals from attempting to enter. The purpose of the barrier should be clear in order for it to be respected. Signage is the most common way to identify an area as having restricted access. Without signage, for example, a person may think of a locked door as an inconvenience when he or she needs to enter, rather than an identifier of a restricted access zone.
In high-rise buildings, it is preferable to place non-sensitive assets on cross-over floors.
Building Code Requirement
Cross-over floors are a fire safety requirement for buildings that are more than six storeys high. The requirement for cross-over floors is addressed in article 188.8.131.52 of the 1995 National Building Code, the relevant details of which are provided here:
Cross-over floors can affect the ability to control access. In some floor plans this is more of a concern than in others. Consider the two examples illustrated below. In example number 1, the stairwells lead to a common corridor. As long as this corridor is a Public Access or Reception Zone, the requirement for cross-over floors will have minimal effect on the control of access to the Operations Zones. In example number 2, however, one of the stairwells opens directly into an Operations Zone. At a cross-over floor it is not permitted to lock the door between the floor area and this stairwell. Anyone who has access to this stairwell will therefore have access to the Operations Zone.
It is strongly recommended that the situation in example number 2 be avoided. If this is not possible, then the following options should be considered. One option is to alarm the door. Although the door may not be locked, it may be alarmed to indicate that someone has entered the Operations Zone from an exit stairwell and that an appropriate response is required. The use of CCTV may also be advantageous here. Another option is to place non-sensitive assets on the cross-over floor. In some cases it may be possible to change the location of the cross-over floor to a different level or to a level occupied by a different tenant. Consider the illustration of a ten-storey building shown below.
In this example, the fifth and ninth floors are shown as cross-over floors. A minimum of two cross-over floors are required in a building of this height; however, there are a number of combinations which can be used to meet building code requirements. These combinations are:
the 10th and 6th floors, 10th and 5th floors,
9th and 6th floors, 9th and 5th floors, 9th and 4th floors,
8th and 6th floors, 8th and 5th floors, and 8th and 4th floors.
Departments should select a combination that provides them with the lowest risk.
Require that badges be worn on the chest, allowing the bearer’s picture and face to be readily compared.
Access badges that are upside down or worn on the hip make it difficult to quickly and effectively determine if the photo on the card matches the person wearing it. Employees are reluctant to challenge individuals if they appear to be wearing access cards even though the card may not be readily visible. A policy that requires the badges to be worn around the neck will encourage employees to participate in the control of access procedures.
In order to receive a visitor access badge, require visitors to provide and deposit acceptable photo identification in exchange for the visitor access badge. Require staff members to sign in visitors and be responsible for the visitor access badge. Return identification only upon the return of the visitor access badge.
Unlike an access badge with a photo, visitor’s badges can be used by a number of individuals. In order to ensure that the cards represent a properly cleared visitor, effective control over the number and whereabouts of visitor badges must be maintained. Requiring the visitor to leave a piece of ID and requiring a staff member to sign the person in will encourage the proper return of visitor badges.
When the identity of a visitor is in question, verify it by contacting the visitor’s home organization.
A visitor may request access, claiming that he or she is from a specific organization (e.g. a phone company, maintenance or service company). A phone call to that organization, confirming that the person does indeed work for them and has been sent there, would reduce the likelihood that this person is trying to gain unauthorized entry.
Alternative measures to control access should be available if the electronic controls stop working.
It is likely that at some point any given electronic access control system will malfunction. Government facilities should be designed with this eventuality in mind, and alternative systems should be developed and put in place ahead of time. In some situations, access can be controlled by having security personnel verify individual access badges manually. In other situations, it may be prudent to have hardware installed with mechanical keys which can be used to control access when the electronic system is not functioning.
Ensure that safety requirements are met within a secure perimeter.
In order for access to be effectively controlled, there must not be any “back doors” which could allow people to gain access without using the electronic system. Ensuring this requires careful coordination with the National Building Code requirements for exiting (especially article 184.108.40.206). Devices which are designed to prevent unauthorized people from entering must never restrict the safety requirements of the people inside the building. This can be problematic if a required route to an exit is through a space where access is controlled. Often, this problem occurs when access controls are installed near elevator lobbies. Consider the difference between the following two examples:
In example number 1, a person arriving on the floor from the elevator must pass through an Operations Zone in order to get to the exit. Since a person must always have access to an exit in case of an emergency, it becomes difficult to provide effective control over access while meeting the building code requirements for exiting in this situation. In example number 2, a person arriving by elevator has two means of egress without having to pass through the controlled access points. This is a much easier way to restrict access to an Operations Zone while still maintaining public safety.
Another advantage to example number 2 is that access controls would not be required on the stairwell doors. In example number 1, the exit stairwells might provide a back door to the Operations Zone if that vulnerability was not properly addressed.
Connect the system to an emergency source of electricity.
Power outages can happen anywhere at any time. In order to maintain control of access during a power outage the system should be connected to a backup power source. A battery can provide backup power for interruptions of relatively short duration. Ideally, the system should be connected to an emergency power generator which could allow the electronic access control system to perform throughout any foreseeable power outage.
In addition to meeting the baseline level of security set out in the Government Security Policy, departments must be able to respond to declarations of heightened security levels. These levels and the requirements for each level are described in the Operational Security Standard - Readiness Levels for Federal Government Facilities.
The following are suggested safeguards that departments should consider during periods of increased threat, when the readiness level goes up. These procedures are not requirements of the standard, but rather best practices which should be considered as part of the response to the need for heightened readiness.
At Readiness Level Two, departments should consider the following:
Provide increased vigilance in the application of Level One departmental safeguards used to control access.
In order to meet the minimum requirements of Level One, departments must control access to their Operations, Security and High Security Zones. This document has already discussed various methods of controlling access as well as strategies to ensure that the controls are effective.
During a period for which Readiness Level Two has been declared, departments should provide this control with increased vigilance. Examples of increased vigilance include:
Departments should also increase vigilance in the screening of incoming packages in order to identify suspicious items. Additional training could be provided to staff on how to identify suspicious packages. The procedures to follow once a suspicious item has been received could also be reviewed to ensure that staff are fully aware of their responsibilities.
Departments should prepare emergency plans which they could implement at Levels Three and Four. In preparing these plans, departments should consider the following:
Provide access only to essential personnel.
Departments should consider reducing the number of personnel on site to ensure the safety of as many employees as possible. To accomplish this, departments could identify individuals who must be on site to maintain essential services, and permit only those people to access the facility. Alternative arrangements could be made for all other personnel, such as reporting to another facility, working from home or not reporting to work until notified otherwise.
Restrict access to essential areas only.
In order to provide essential services, all areas of a facility may not be required. In order to increase the safety of the staff, departments may wish to restrict outsider access to certain areas. A loading dock, for example, could be considered non-essential during an emergency. Deliveries could be kept away from the facility and delivery personnel told to return at a later date. Access to the loading area would not be permitted except for security personnel.
Reduce the number of entry points and increase the level of controls at the remaining points.
In facilities with a number of perimeter entry points, the control over access can be improved by eliminating some access points. For example, a facility may have electronic access control installed at a front door as well as a side door adjacent to a parking lot. Access through the side door could be removed, and everyone could be required to enter through the front door. The controls at the front door could then be increased to include increased guard presence and 100 per cent hands-on checks of access badges.
Audit access and egress.
A record should be kept of all incoming and outgoing personnel. In addition to providing information about who has had access to the facility and when they were there, the records would indicate who is in the facility during an emergency.
Change PIN codes / combinations on locks which control access.
Combination locks and PIN codes are vulnerable to being learned by unauthorized individuals. This threat is reduced when the combination and/or PIN code is changed, and carefully given out only to authorized users. When an increased readiness level is declared, this procedure should be repeated to ensure access only by authorized personnel.
Restrict the time periods for which access is provided.
At Readiness Levels One and Two, it may be that providing access to staff outside of normal working hours is an acceptable risk. This should be reviewed at Levels Three and Four, and departments should consider reducing the number of personnel with access privileges outside of the normal working day.