Showing posts with label SYRIS. Show all posts

Tuesday, October 15, 2024

Risk Assessment & Quality Control Procedure For Access Control System


A security risk assessment plays a critical role in evaluating the vulnerabilities and potential risks associated with access control systems. Our expertise in premises security allows us to assist organizations in identifying, analyzing, and implementing effective security controls to safeguard their assets.

When conducting a risk assessment, several factors come into play, including the size of the organization, its growth rate, available resources, and the nature of its asset portfolio. By conducting a comprehensive security assessment, we help organizations identify their critical assets, assess potential risks, implement mitigating controls, and proactively prevent threats and vulnerabilities.

Industries such as healthcare, finance, and government have specific regulatory requirements, such as HIPAA, PCI-DSS, and Sarbanes-Oxley Audit Standard 5, that mandate security risk assessments. With our expertise, we can ensure that your organization complies with these regulations while enhancing the overall security of your access control systems.

Quality Control Procedure For Access Control System

1.0 SCOPE:

This procedure applies to all inspection activities related to the monitoring and measurement of products and processes for the installation or testing of the subject activity, where applicable to the project, and is applicable to:

· Method Statement.

· Quality Control Procedure.

· Inspection and Test Plans.

· Risk Assessments.

· Forms.


2.0 PURPOSE:

The purpose of this procedure is to:

o   Identify the processes / products that are to be installed before they are used in their intended application.

o   Define the methods to verify the quality of products and ensure that only products that meet the stated requirements are used in the intended application.

o   Define the responsibilities of the concerned personnel related to quality control processes.


3.0 REFERENCES

Project Quality Plan

Material Approvals

4.0 DEFINITIONS:

PQP: Project Quality Plan.

PSP: Project Safety Plan.

QCP: Quality Control Procedure.

HSE: Health, Safety and Environment.

MS: Method Statement.

ITP: Inspection Test Plan.

QA/QC: Quality Assurance / Quality Control Engineer.

SK: Store Keeper.

WIR: Work Inspection Request.

MIR: Material Inspection Request.

MAR: Material Approval Request.


5.0 RESPONSIBILITIES:

5.1 Project Manager

-   The Project Manager has overall responsibility for the project in terms of work execution, safety, planning and quality. The Project Manager will maintain the planning, progress and coordination of works with the main contractor.

-   The work progress shall be carried out as per the planned program, and all the equipment required to execute the works shall be available and in good condition as per the project plan.

-   Specific attention is paid to all safety measures and quality control, in coordination with the Safety Engineer and QA/QC Engineer and in line with the PSP and PQP.

5.2 Construction Manager

-   The Construction Manager is responsible for supervising and controlling the work on site.

-   Coordinates with the QA/QC Engineer, the site team and the foremen for all activities on site.

-   Controls and signs all WIRs before they are issued for Consultant approval.

5.3 Site Engineer

-   The method statement for the system shall be implemented according to the Consultant's project specifications and the approved shop drawings.

-   Provision of all necessary information and distribution of responsibilities to his construction team.

-   The work progress shall be monitored in accordance with the planned work program, and he will provide reports to his superiors.

-   Constant coordination with the Safety Engineer to ensure that the works are carried out in a safe working atmosphere.

-   Constant coordination with the QA/QC Engineer for any works to be carried out, and initiation of the inspection of finished works.

-   He will ensure the implementation of any request that might be raised by the Consultant.

-   Efficient daily progress shall be obtained from all the equipment and manpower.

-   He will engage in the work and check it against the daily report received from the Foremen.

-   Passing of all revised information to the Foremen, and ensuring that it is being carried out properly.

5.4 QA/QC Engineer (MEP):

-   Monitoring of the execution of works at site, which should be as per the approved shop drawings and project specifications.

-   Ensure WIRs and MIRs are raised for activities in a timely manner and inspected by the Consultant.

-   Check and ensure that all activities / work are done and completed prior to offering them for Consultant inspection.

-   He will follow and carry out all the relevant tests as per the project specifications.

-   Obtain the required clearance prior to the Consultant's inspections.

-   Should acquire any necessary civil works clearances and coordination.

-   Coordinate with the site construction team.

-   Assists the Consultant Engineer / Inspector during inspection.

5.5 Site Foreman

-   Carrying out the work and properly distributing all the available resources in coordination with the Site Engineer on a daily basis.

-   Daily reports of the works are produced and coordinated with the Site Engineer for future planning.

-   Incorporate all the QA/QC and Safety requirements as requested by the concerned Engineer.

-   Dealing with any type of unforeseen incident or requirement and reporting it to the Site Engineer immediately.

5.6 Safety Officer

-   Implementation of all safety measures in accordance with the HSE plan, ensuring that the whole workforce is aware of their proper implementation.

-   Ensuring that the implemented safety measures are adequate to maintain a safe working environment for the work activity.

-   Inspection of all site activities, training of personnel in accident prevention, and proper reporting to the Construction Manager and the Project Manager.

-   Ensure the site is maintained in a clean and tidy manner.

-   Ensure only trained persons operate the power tools.

-   Ensure all concerned personnel use PPE and all other items as required.

-   Ensure adequate lighting is provided in the working area at night.

-   Ensure high-risk elevated areas are provided with barricades, tape, safety nets and ladders.

-   Ensure service area / inspection area openings are provided with barricades, tape and safety nets.

-   Ensure safe access to the site work at all times.

5.8 Store Keeper (SK)

-   Responsible for overall store operations, making sure that material delivered to the site is stored in a suitable area that keeps it safe from rust and damage.

-   Acknowledges the receipt of materials at site in coordination with the QA/QC and the concerned Engineer.

5.9 Emergency Absence

-   If the QA/QC Engineer is not available, the deputy QA/QC Engineer will be responsible for quality control activities.

-   If the Project Manager is not available, the Construction Manager will be responsible for all of his activities.

-   If the HSE Engineer is not available, the deputy HSE Engineer is responsible for safety activities.

-   If an Engineer is not available, the Construction Manager will assign his duties to the concerned supervisor, foreman or alternate Engineer.

-   Replacing absent staff with a person of another designation can be accepted only for a minimal period of days of absence; otherwise the Contractor shall replace the relevant person with one of the same designation, which requires approval from the CONSULTANT.

6.0 PROCEDURE:

-   Check that all of the following documentation has been approved by the Consultant before proceeding with the installation activities:

· Quality Control Procedure

· Method Statement

· Inspection Test Plan

· Check List

· Risk Assessment

· Shop Drawing Submittals related to the work

-   Check that all delivered materials are inspected and approved by the Consultant's Engineer.

-   Ensure that the respective work area has been cleared by the previous trades before starting to install the system.

-   Ensure that the installation of the material is as per the approved shop drawings, the approved method statement, the Manufacturer's recommendations, and prevailing quality standards.

-   Ensure the following checks are performed as the installation progresses:

-   Check all materials are as per the approved submittal.

-   Check all materials are installed as per the approved shop drawings.

-   Check that the installation is coordinated with other services.

-   Check that the installation is carried out as per the approved method statement.

-   Check that the system is checked and approved by the Consultant.

-   Ensure WIRs are issued on time without delay (min. 24 hours' notice for site inspection).

-   Ensure all inspections are performed as per the approved Inspection Test Plan.

-   Check that the ITP, Check List, WIR and NCR (if any) are signed off and cleared by the Consultant Engineer.


7.0 ATTACHMENTS

7.1 Method Statement

7.2 Inspection and Testing Plan

7.3 Check List for Installations

7.4 Risk Assessment

7.5 Attachments:

7.5.1 Manufacturer recommendations.

7.5.2 Emergency Evacuation Plan.

7.5.3 Technical Details.


Sunday, September 15, 2024

Authentication Vs. Authorization


Authentication and authorization are two fundamental components of information security that are used to safeguard systems (like Access Control) and data (Access Management Software). Authentication is the method by which a user or service’s identity is confirmed. At the same time, authorization determines what actions or resources a user or service is permitted to access after they have been authenticated.

Authentication involves verifying a user’s identity through a username and password, biometric authentication, or other security measures. It ensures that solely permitted individuals or systems can enter a system. Conversely, authorization entails assigning access permissions to particular resources or actions contingent upon the authenticated identity of a user or service.

The two processes work together to ensure the security of a system. If authentication is compromised, an attacker can get unauthorized system access. If authorization is not correctly configured, even authorized users may be granted excessive access privileges that can lead to data breaches. Thus, it is necessary to comprehend the difference between authentication and authorization and to verify that both are effectively configured to ensure system security.

 

What is Authentication (AuthN)?

Authentication, commonly shortened as “AuthN,” refers to verifying a user’s or entity’s identity when they seek entry into a network or system. Essentially, it validates that the user is indeed the individual they assert to be. In other words, it is the process of confirming that the user is who they claim to be. Authentication may entail something a user knows, like a password or PIN; something they have, like a security token; or something they are, like biometric authentication (e.g., fingerprint or facial recognition).

 

Purpose of Authentication

Authentication primarily identifies the user’s identity as an individual or entity attempting to access a system or resource. Authentication ensures that only authorized individuals or entities are granted access to sensitive data, systems, or resources while unauthorized access is prevented. Authentication is crucial in maintaining data and systems’ confidentiality, integrity, and availability. It prevents malicious actors from accessing sensitive information, performing unauthorized actions, or compromising the system’s security.

Authentication helps to establish accountability by ensuring that users are responsible for their actions and cannot hide behind the identities of others. Additionally, it aids in maintaining adherence to regulations and standards mandating secure access to systems and data.


Types of Authentication

Several types of authentication methods are used in information security, including:

· Password-based Authentication: This is the most common authentication method, where users must enter a username and password to access a system or resource.

· Multi-factor Authentication (MFA): This method combines two or more authentication factors to verify the user’s identity, for example, a password and a security token, a fingerprint and a PIN, or a smart card and a biometric scan.

· Biometric Authentication: This method authenticates the user’s identity by leveraging distinctive physical characteristics like fingerprints, facial recognition, or iris scans.

· Certificate-based Authentication: This method uses digital certificates to verify the user’s identity. The user’s private key is stored on a smart card or other device, and public key infrastructure (PKI) is used to verify the certificate’s authenticity.

· Single Sign-on (SSO): This approach permits users to authenticate once and gain access to various systems or resources without the need to re-enter their credentials.

· Token-based Authentication: This method uses a security token or a one-time password (OTP) to authenticate the user.


What is Authorization (AuthZ)?

Authorization, frequently abbreviated as “AuthZ,” involves permitting or denying access to resources or actions depending on the authenticated identity of a user. In other words, authorization determines what actions or resources a user or system can access or perform after completing authentication.

Authorization typically involves assigning permissions or access levels to users or systems based on their roles, responsibilities, or request context. For example, a user with administrative privileges may be granted access to perform tasks that an ordinary user cannot perform.

 

Types of Authorization

Several common types of authorization methods are used in information security, including:

· Role-Based Access Control (RBAC): This is one of the most commonly used authorization methods, which assigns users or systems access rights based on their roles, responsibilities, or job functions. For example, a manager might possess permission to view sensitive financial reports that regular employees are restricted from accessing.

· Attribute-Based Access Control (ABAC): This authorization method assigns access rights based on a user’s attributes, such as their location, time of day, device used, or other contextual information. ABAC is a flexible method that allows fine-grained control over access based on specific criteria.

· Discretionary Access Control (DAC): This authorization method empowers the resource owner to manage its access control. The owner can assign permissions to specific users or groups, and those users or groups can further delegate permissions to others.

· Mandatory Access Control (MAC): This authorization method assigns access rights based on a security policy enforced by the system rather than the resource owner. MAC is commonly used in high-security environments such as government or military systems.

· Rule-Based Access Control (RBAC): This authorization method employs a predetermined set of rules to ascertain access privileges. The rules may be based on specific conditions, such as the user’s department, job title, or other criteria.

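A worked example, added here and not part of the original post or any vendor's product, that models both steps for a door controller: two-factor authentication (a card UID plus a PIN) from the authentication types above, followed by authorization that combines RBAC (role to door) with an ABAC time-of-day rule. The card UIDs, user names, roles, door names, PINs and salt are constructed for the example.

```python
import hashlib
import hmac
from datetime import datetime, time

_SALT = b"example-salt"  # constructed; a real controller stores a random salt per credential

def _pin_hash(pin: str) -> str:
    """Derive a PIN verifier so the clear-text PIN is never stored."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), _SALT, 50_000).hex()

# Constructed credential store: card UID -> holder, role and PIN verifier
# (card = something you have, PIN = something you know).
CARDS = {
    "04A1B2C3": {"user": "alice", "role": "engineer", "pin": _pin_hash("2468")},
    "04D4E5F6": {"user": "bob", "role": "visitor", "pin": _pin_hash("1357")},
}

# RBAC policy: which roles may open which doors (door names are assumed).
ROLE_DOORS = {
    "engineer": {"lobby", "server-room"},
    "visitor": {"lobby"},
}

# ABAC policy: the server room opens only during working hours; the lobby has no time rule.
DOOR_HOURS = {"server-room": (time(8, 0), time(18, 0))}


def authenticate(card_uid: str, pin: str):
    """AuthN: verify the card and the PIN; return the identity or None.
    The PIN verifier is compared in constant time."""
    record = CARDS.get(card_uid)
    if record is None:
        return None
    if not hmac.compare_digest(record["pin"], _pin_hash(pin)):
        return None
    return {"user": record["user"], "role": record["role"]}


def authorize(identity: dict, door: str, when: datetime) -> bool:
    """AuthZ: RBAC (role -> doors) plus an ABAC time-of-day rule; deny by default."""
    if door not in ROLE_DOORS.get(identity["role"], set()):
        return False
    window = DOOR_HOURS.get(door)
    if window is not None and not (window[0] <= when.time() < window[1]):
        return False
    return True


def request_access(card_uid: str, pin: str, door: str, when: datetime) -> str:
    """Authentication always runs before authorization; every outcome carries a reason for the audit log."""
    identity = authenticate(card_uid, pin)
    if identity is None:
        return "DENY: authentication failed"
    if not authorize(identity, door, when):
        return f"DENY: {identity['user']} ({identity['role']}) not authorized for {door}"
    return f"GRANT: {identity['user']} -> {door}"
```

Bob authenticates successfully with a valid card and PIN but is still refused at the server room, which is the authorization-side risk (excessive privilege) kept in check by the deny-by-default policy tables.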

Difference Between Authentication and Authorization

Here are the key differences between authentication and authorization:

| Parameter | Authentication | Authorization |
|---|---|---|
| Definition | Authentication is a method of validating a user’s or system’s identity. | The process of providing or refusing access to resources or actions based on that identity is known as authorization. |
| Purpose | Authentication ensures that exclusively authorized users or systems can access a specific resource or execute a particular action. | Authorization specifies the access rights or permissions granted to users or systems for accessing resources or performing actions following authentication. |
| Objective | The objective of authentication is to confirm a user’s or system’s identity. | Authorization ensures that only authorized users or systems can access sensitive data or perform actions based on their privilege or access rights. |
| Aim | Authentication focuses on the user or system’s identity. | Authorization focuses on the user or system’s access rights. |
| Process | Authentication typically involves providing credentials such as a username and password or a security token. | Authorization involves assigning permissions or access levels to users or systems based on their roles, responsibilities, or request context. |
| Risk | The risk of authentication is that an unauthorized user may gain access to a system. | The risk of authorization is that an authorized user may misuse their access privileges. |


Final Thoughts

Authentication occurs before authorization, as the user or system must first be verified as legitimate before being granted access to resources or actions.

In short, authentication and authorization are two distinct but interrelated processes in information security that serve different purposes and objectives. If you want to gain more knowledge about authentication and authorization, write to us at ssaintegrate@gmail.com