Showing posts with label access control system. Show all posts

Tuesday, October 15, 2024

Risk Assessment & Quality Control Procedure For Access Control System

A security risk assessment plays a critical role in evaluating the vulnerabilities and potential risks associated with access control systems. Our expertise in premises security allows us to assist organizations in identifying, analyzing, and implementing effective security controls to safeguard their assets.

When conducting a risk assessment, several factors come into play, including the size of the organization, its growth rate, available resources, and the nature of its asset portfolio. By conducting a comprehensive security assessment, we help organizations identify their critical assets, assess potential risks, implement mitigating controls, and proactively prevent threats and vulnerabilities.

Industries such as healthcare, finance, and government have specific regulatory requirements, such as HIPAA, PCI-DSS, and Sarbanes-Oxley Audit Standard 5, that mandate security risk assessments. With our expertise, we can ensure that your organization complies with these regulations while enhancing the overall security of your access control systems.

Quality Control Procedure For Access Control System

1.0 SCOPE: .

This procedure applies to all the inspection activities related to monitoring and measurement of products and Processes related for the Installation or testing of subject activity where applicable for the project and Applicable to:

· Method Statement.

· Quality Control Procedure.

· Inspection and Test Plans.

· Risk Assessments

· FORMS.

2.0 PURPOSE:

The purpose of this procedure is to :

o Identify processes / products those are to be installed before using them in intended application.

o Define the methods to verify the quality of products and ensure that products that meet the stated requirements are only used in the intended application.

o Define the responsibilities of concerned personnel related to quality control processes.

3.0 REFERENCES

Project Quality Plan

Material Approvals

4.0 DEFINITIONS:

PQP : Project Quality Plan.

PSP : Project Safety Plan.

QCP : Quality Control Procedure.

HSE : Health, Safety and Environment

MS : Method Statement

ITP : Inspection Test Plan

QA/QC : Quality Assurance / Quality Control Engineer.

SK : Store Keeper

WIR : Work Inspection Request

MIR : Material Inspection Request.

MAR : Material Approval Request

5.0 RESPONSIBILITIES:

5.1 Project Manager

- Project Manager is the overall responsible for the project in terms of work execution, safety, planning & quality. The Project Manager will maintain the planning progress and coordination of works with the main contractor.

- The work progress shall be carried out as per planned program and all the equipment’s required to execute the works shall be available and in good condition as per project planned.

- Specific attention is paid to all safety measures and quality control in coordination with Safety Engineer and QA/QC Engineer and in line with PSP and PQP.

5.2 Construction Manager

- Construction Manager is responsible to supervise and control the work on site.

- Coordinating with QA/QC Engineer and site Team and foremen for all activities on site.

- Control and sign all WIR’s before issuing to Consultant approval.

5.3 Site Engineer

- The method of statement to the system shall be implemented according to the Consultant project specifications and approved shop drawings.

- Provision of all necessary information and distribution of responsibilities to his Construction team.

- The work progress shall be monitored in accordance with the planned work program and he will provide reports to his superiors.

- The constant coordination with the Safety Engineer to ensure that the works are carried out in safe working atmosphere.

- The constant coordination with the QA/QC Engineer for any works to be carried out and initiate for the Inspection for the finished works.

- He will ensure the implementation of any request that might be raised by the Consultant.

- Efficient daily progress shall be obtained for all the equipment and manpower.

- He will engage in the work and check the same against the daily report received from the Foremen.

- The passage of all the revised information to the Foremen and ensure that it’s being carried out properly.

5.4 QA/QC Engineer (MEP):

- The monitoring of executions of works at site and should be as per the approved shop drawings and project specifications.

- Ensure WIRs and MIRs are being raised for activities in timely manner and inspected by the Consultant.

- Check and insure that all activities / work done / completed prior to offer for consultant inspection.

- He will follow and carried out all the relevant tests as per project specifications.

- Obtain the required clearance prior to Consultant’s inspections.

- Should acquire any necessary civil works clearances and coordination.

- Coordinate with site construction team.

- One who will assist the Consultant Engineer / Inspector during inspection.

5.5 Site Foreman

- The carrying-out of work and the proper distribution of all the available resources in coordination with the Site Engineer on a daily basis.

- Daily reports of the works are achieved and coordinated for the future planning with the Site Engineer.

- Incorporate all the QA/QC and Safety requirements as requested by the concerned Engineer.

- Meeting with any type of unforeseen incident or requirement and reporting the same to the Site Engineer immediately.

5.6 Safety Officer

- The implementation of all safety measures in accordance with the HSE plan and that the whole work force is aware of its proper implementation.

- The implementation of safety measures is adequate to maintain a safe working environment on the work activity.

- Inspection of all the site activities and training personnel in accident prevention and its proper reporting to the Construction Manager and the Project Manager.

- The site is maintained in a clean and tidy manner.

- Ensure only trained persons shall operate the power tools.

- Ensure all concerned personals shall use PPE and all other items as required.

- Ensure adequate lighting is provided in the working area at night time.

- Ensure high risk elevated areas are provided are barricade, tape, safety nets and provided with ladders.

- Ensure service area/inspection area openings are provided with barricade, tape, and safety nets.

- Ensure safe access to site work at all times.

5.8 Store Keeper (SK)

- Responsible for overall Store operations in making sure to store the material delivery to the site and keep it in suitable area that will keep the material in safe from rusty and damage.

- One who will acknowledge the receiving of materials at site in coordination with QA/QC and concerned Engineer.

5.9 Emergency Absents

- If QA/QC not available the adequate QA/QC Engineer will be responsible for quality control activities.

- If the P.M. not available the Construcion manager will be resposible for all of his activities.

- If the HSE Engineer not available the adequate HSE Engineer are resposible for safety activities.

- If Engineer not available Construction manager will assign his duties to the concerned supervisor, forman or alternate Engineer.

- Replacing staff, in case of absent, with another designation can be accepted only for a minimum period of days absent otherwise the Contractor shall replace the relevant person with same designation which required approval from CONSULTANT.

6.0 PROCEDURE:

- Check that all the following documentations have been approved by the Consultant to proceed with the installation activities:

· Quality Control Procedure

· Method Statement

· Inspection Test Plan

· Check List

· Risk Assessment

· Shop Drawing Submittals related to work

- Check all the delivered materials are inspected and approved by the Consultant’s Engineer.

- Ensure that the respective work area has been cleared by previous trades for start-up installing the system.

- Ensure that the installation of the material is as per approved shop drawings, approved method statement, Manufacturer’s recommendation, and prevailing quality standards.

- Ensure the following checks are performed during the installation progress:

- Check all materials are as per approved submittal.

- Check all Material are installed as per approved shop drawings.

- Check if coordinated with other services.

- Check installation if it is carried out as per approved method statement.

- Check that the system checked and approved by Consultant.

- Ensure WIRs are issued on time without delay. (Min. 24 Hours notice for site inspection).

- Ensure all inspection is performed as per approved Inspection Test Plan.

- Check ITP, Check List, WIR, and NCR (if any) are signed off and cleared by the Consultant Engineer.

7.0 ATTACHMENTS

7.1 Method Statement

7.2 Inspection and Testing Plan

7.3 Check List for Installations

7.4 Risk Assessment

7.5 Attachments:

7.5.1 Manufacturer recommendations.

7.5.2 Emergency Evacuation Plan.

7.5.3 Technical Details.

Saturday, September 22, 2018

Role of IT in Access Control System

Role of IT in Access Control System

It is a fact that IT is becoming more involved in the physical security world. In a small minority of companies, these two departments are actually merging, although this is a mammoth task fraught with problems, not only in terms of technology, but primarily in terms of culture.

In the access control world, one could say it’s normal for IT to be involved in networking (assuming the access systems make use of the corporate network and/or the IP protocol), but the scope of IT has slowly been creeping into more of the access control functions. In smaller companies, for example, it’s not unusual for the service provider responsible for the company’s IT to also take the responsibilities of physical security.

So how far has IT made inroads into the access control world in general? HID Global broadcast arrange a webinar in October 2018 in which it revealed some new research into the increasing role IT departments and personnel are playing in the physical access control world. The webinar was hosted by HID Global’s Brandon Arcement and Matt Winn. After discussing the findings of the research, they went on to advise physical security operators as to how they can embrace their IT colleagues further, with the goal of improving the holistic security posture of their organisations.

The survey was conducted by The 05 Group, sponsored by HID and was completed in March 2018. As the title of this article notes, the research found that IT departments are now more involved than ever in organisations’ physical access control decisions and implementation, and that trend is set to increase.

The 05 Group surveyed 1 576 individuals from more than a dozen industries, including education (19%), information (16%), government (11%), manufacturing (8%), health services (8%), and security, professional and business services (8%). Of the respondents, 35% were IT managers, 26% were IT directors, 13% were IT staff, 8% were CIO/CTO, and 3% were VPs of technology. The survey also spanned companies of different sizes, with 24% having less than 100 employees, 22% 101-500 employees, 11% have 501-1000 employees, 17% have 1001-5000, 6% have 5001-9999, and 6% have 10 000-24 999 employees. The results therefore cover a broad spectrum of companies and industries.

The numbers tell a story

The research offers a significant amount of data about the role of IT in access control, however the webinar brought out a few pertinent facts (a link to the white paper written by HID from the research is at the end of this article). When asking the organisations being surveyed “Who is primarily responsible for physical access control in your organisation”, the responses were as follows:

• 29% said both IT and physical security.

• 26% said IT only.

• 25% said facility management handles the job.

• 12% said physical security only.

• 8% said the property management company was tasked with access control.

With a quarter of the respondents already saying IT is responsible for access control, and a further 29% saying it is shared between the two departments, it’s clear that the divide between IT and physical security is rapidly vanishing – and in some cases, altogether gone. And this is a trend that will continue; in organisations where IT is not involved in access control, 36% of the respondents said it will be within the next five years.

For those organisations where access control responsibilities are shared, 47% of the respondents report it had been shared within the past five years. Similarly, where IT owns the responsibility, 42% of the companies say they were given this task within the last five years. Once again we see that IT/physical security convergence in the access world is an expanding reality.

We mentioned IT’s influence in access control above in terms of the networking of access systems, however, this is an old function. The webinar showed that both IT professionals as well as physical security professionals see IT being involved in all areas of access control. When it comes to physical security professionals:

• 66% of physical security professionals see IT involved in influencing the decision-making process.

• 48% see IT’s involvement in integrating access and other systems.

• 37% see IT involved in implementation.

• 22% see IT involved in managing the systems.

From the other side of the table, IT professionals have a similar view:

• 76% expect to influence decision making.

• 72% will be involved in integration.

• 59% will be involved in implementation.

• 39% expect to be involved in managing systems.

Not all wine and roses

Of course, as these different cultures work together, there are bound to be some issues. It is in the field of integration where IT sees problems. Half of the IT people surveyed have issues with the lack of integration of access systems with other IT systems. This is an area in which the access control industry could make significant changes in the short-term to ensure their software and hardware can be more easily integrated with existing business management and security systems.

When it comes to new access control systems, the IT school has a few things it wants to see on the vendors’ to-do list. They want improved ease of use (71%), the ability to support or add new technologies (68%), mobile access (59%), and integration with existing security platforms (54%).

It’s also clear from the survey that IT is not all that comfortable with access control technology. Areas such as credential management, decision making with respect to access control systems, how system components work and also individual features within access systems can cause a bit of nervousness among the IT folk. These are areas in which physical security professionals can make their mark, as they are more skilled in dealing with these issues as well as others unique to their industry.

Helping IT in access

The driver behind this convergence is not a technical issue, but is itself a convergence of a number of separate drivers. HID notes the primary drivers are:

• Converged threats that impact both physical and logical infrastructure. If you have a physical vulnerability it puts your logical systems at risk, and vice versa.

• Proliferation of networked devices in the age of IoT (the Internet of Things) which all require both physical and logical security. Interestingly, the webinar held its own real-time survey of the attendees and this topic was selected as having the biggest impact on access control’s shift to IT with half of the audience selecting it.

• Compliance to new regulations, which again rely on both sides of the table.

• Budget consolidation, which we are all suffering through.

• A shift in reporting structures as executives try to get a handle on the seemingly endless threats companies face on all fronts.

When it comes to the role of physical security professionals and how they can assist in the convergence between the two sides and help improve organisational security, 80% of the respondents said they play a role in establishing best practices, while 50% see physical security having a role in preventing unauthorised access in general, and 49% say they can help in achieving compliance. In order to streamline collaboration, the HID webinar suggests, among other issues, that both sides need to work on aligning project priorities and determining responsibilities, and balancing the technical acumen of IT when it comes to access products and management.

A converged example

The webinar went on to provide an example of how the two divisions could work together in an access control installation. When it comes to the physical access control host, HID advises organisations to integrate physical access control systems (PACS) with an IT source of identity such as LDAP. Furthermore, administrators should ensure there is a set policy around regular software updates and patches, while they should also take advantage of IT’s experience (and equipment) to ensure high availability.

When it comes to the controller, HID advises organisations to settle some of the issues raised above by requiring an open controller platform that can be integrated with other technologies and other vendors’ products. Preventing vendor lock-in is a costly lesson IT departments have learned. It also suggests considering an ‘IP-at-the-door’ topology, keeping controller firmware updated to the latest versions, using strong passwords and encrypting communication between controllers and hosts (and using OSDP – Open Supervised Device Protocol – for encrypted reader communications).

Another strong warning was to take care when selecting access credentials as many of the card and fob technologies available are easy to replicate, making it simple for the wrong people to easily gain access. There are secure card technologies out there and these should be used as a standard. A business benefit of these more advanced credentials is that they can also be used for additional business functions, such as secure printing, vending machines and network logon.

The webinar presenters also touched on the benefits of using users’ mobile devices as credential holders. These can offer higher levels of authentication, easier administration and more user convenience that does not come at the expense of the company’s security.

Whether you are on the IT or physical security side, the most important part of the research (depending on your biases) can be seen in the answer to the question “Do you believe that increased collaboration between physical security and IT can improve the overall security of your organisation?” An overwhelming 95% of all the respondents said “yes”.

While the full convergence of physical and logical security is still some way off, people in the access control sector obviously understand that IT and physical security working together is critical to develop a successful security defence strategy for their organisations. In the access control industry this may be easier to achieve, but as noted in the introduction, it is often a question of culture (or ego, to be blunt) that prevents collaboration and results in organisations being vulnerable to the ever-increasing threats they face from well-organised criminal syndicates, as well as unhappy teenagers with too much time on their hands.

End of the article thanks to Mr. Andrew Seldon, for valuable time to us & security sa team.