Creating an Access Policy: A Delicate Balancing Act

Following a spree of school shootings across the nation, the state of Idaho dispatched inspectors to see how easily they could gain unauthorized entry to some 80 campuses. In almost every case, the inspectors were able to get in through points other than the main entrance. On average, the inspectors wandered around campus for 10 minutes before anyone inquired about them being there, and a quarter of the time no one stopped them at all.

With the increase in workplace violence, lone shooters and other security risks, there is a growing debate about access control. Organizations are trying to find the delicate balance between making customers and visitors feel welcome and keeping a facility safe.

“The best access control is as transparent as possible to the user but impossible for a criminal to exploit,” says Nick Thompson, head of Patrol Services International, a private security firm in Bend, Ore.

An important thing to keep in mind is that security and access control have to be measured against the threat and consequences of a breach. In some cases, an access control system requires the most stringent safeguards, such as biometric fingerprint readers. In other cases, it might be enough to place planters in an obstructive way that requires visitors to go to the front desk. “Visible overkill on security measures tends to rub folks the wrong way,” Thompson says. “Balance is key.”

In developing an access control system, it’s critical to think through all the possible ways that people can enter a facility, as the Idaho study demonstrates. Another key element is thinking through the scope of the installation. A system designed for a single facility will have different considerations than one designed for multiple facilities that employees need access to.

Human Element Is Weakest Link


Companies are looking to new technology advances to bolster their access control and address some of the issues. For example, the first wave of “mobile access control,” where people use their smartphones instead of a card or key to enter areas, has begun.


One sector with some of the most stringent access control policies is hospitals. Concerned about patient and employee safety, many hospitals are abandoning their former open-door policies. In a recent survey of security professionals in several industries, hospitals expressed the greatest confidence in their access-control technology, with more than two-thirds rating it as good or excellent. By comparison, less than half of universities and K-12 schools gave their access-control technology the same high grades.

For years, hospitals have had visitors sign paper logs at the front desk. Now, many hospitals are using registration systems that can screen visitors, provide them with a badge and track their movements around the facility. This can help ensure visitors are directed to the right locations and prevent unauthorized people from getting into high-risk areas such as pediatric wards.

A burgeoning trend in access control is integrating the technology with other security systems, such as video surveillance. In a survey of hospitals, 16 percent said they require visitors to show photo identification at check-in, and another 12 percent have the ability to capture videos of visitors when they are checking into the facility.

Access control requires close coordination between security and other departments, such as human resources. If the security department doesn’t know that an employee has been terminated or a vendor has been removed from the authorized supplier list, the best access-control systems won’t know they aren’t supposed to be able to come in.

“Where I’ve seen security managers get into trouble is with procedures,” Thompson says. “Creating proper access levels, keeping current with employee records and testing the integrity of the system are critical to maintaining controls that work. You have to take access control seriously. If you become lax, that’s when someone will find a hole and compromise the system.”