Security professionals build their security plans around compliance to a number of industry-specific regulations. Whether an organization is required to adhere to the standards of PCI, NERC, HIPAA, or FSMA, the concerns are the same. How does a company balance the added costs necessary to comply with the regulations, with the high fines and lost time that comes with not complying? Security compliance isn’t a cut and dry topic. Regulations, as written, are to interpretation; when it comes to security entrances, it’s all in the “eye of the beholder.” A security manager may think he has the necessary precautions in place, but after a breach has occurred, would a court of law agree that the company did everything possible to prevent it? In several cases, the answer has been “no” and hefty fines were imposed.
For example, electric utilities are subject to NERC CIP 14 5-6, which works to ensure the reliability of the North American power system. After a recent audit, NERC levied a fine of $1.7 million on a company when it found a number of violations, including three perimeter doors that had been altered so they didn’t lock “so people could enter without the burden of security,” among other issues.
Restricting Physical Access
While compliance regulations can include a wide variety of requirements, one regulation that is of major concern to the security manager is the requirement to restrict physical access to the building. Several regulation standards call out tailgating as a clear violation of compliance. It is nearly impossible to prevent employees from presenting a credential at a swinging door and then holding it open for others to enter. Security entrances introduce the most effective way to restrict physical access by mitigating tailgating.
Security Entrances: A Variety of Assurance Levels
Security entrances allow organizations to comply with a variety of industry-specific regulations focused on mitigating unauthorized entry. But, with so many different models available, how does each entrance measure up when it comes to regulatory compliance? We’ve arranged entrance types according to their security level and provided you with a “Compliance Grade” as well, to provide a rating on a product in isolation. Combining products of different levels, from low to high, in a facility is an excellent way to harden a facility and improve the organization’s risk posture, but that is a subject for a different blog. Let’s take a look…
Non-Compliant Crowd Control
Tripod or waist-high turnstiles serve the purpose of funneling large groups of people from one point to another, such as crowds at sporting events, museums and aquariums. Because they are half-height turnstiles, tripods can be easily defeated by crawling under or jumping over, and there are no sensors to alert staff that a breach has occurred.
Deterrent but Defeatable
Full height turnstiles provide a strong visual deterrent against intrusion. They are moderately priced and require low maintenance. However, these types of entrances are vulnerable to climb over attempts and piggybacking (two people to enter in a single compartment during a single rotation). In addition, once breached, full height turnstiles don’t generate an alarm to alert nearby staff. Because of these vulnerabilities, security managers often use full height turnstiles at a building perimeter while implementing additional entrances within the building.
Detection Reliant on Supervision
Optical turnstiles employ sensor technology to accurately detect tailgating attempts. They sound an alarm when a breach is detected and guard staff must respond immediately. Optical turnstiles are a popular solution in corporate lobbies because security staff are nearby to assist visitors and contractors. Yet, it is important to note that manned staff can be overwhelmed during busy periods, distracted and if it is a large facility, experience “alarm fatigue,” causing complacency. Bottom line: a determined intruder could find a way in.
Prevention with a Quick ROI
There are two entrance solutions that fit into the tailgating “prevention” category: security revolving doors and security portals. Let’s explore how they differ as related to regulatory compliance:
Security revolving doors, by design, mitigate intrusion by preventing tailgating and piggybacking without the need for security staff supervision. These solutions are utilized in high traffic, employee-only areas. Though they have a relatively high capital cost, the reduction or redeployment of manned security allows organizations to achieve a quick return on investment – even creating “green money” in the budget after the door pays for itself. Where a security revolving door falls short is its inability to support true two-factor authentication. Both a credential and biometric identity must be presented in front of the door, which means there is a chance that an unauthorized individual could proceed ahead of the authorized user.
Security mantrap portals operate much like a security revolving door; they use technology in the ceiling to prevent tailgating and piggybacking and do not require guard supervision. Used in lower traffic applications, like data centers and vault rooms, security portals excel in their ability to support the intent of two-factor authentication. Portals support a two-step authorization process that no other entrance is capable of: (1) authorization on the outside of the portal and (2) secondary identity verification inside the portal. Typically, an access control credential system is used at the exterior of the door and a biometric technology for the interior. This process ensures that only the right person can get to the secure area each time and allows an organization to comply with regulations to the best of its ability.
The entry is clearly an essential component for complying with industry regulations. The more a security professional is educated on the types of security entrances available, the better equipped they’ll be to create an effective, adherent physical security plan that stands up to interpretation. Each type of security entrance has pros and cons in terms of security compliance, throughput and metrics. As mentioned earlier, security is most effective when deployed in layers within a building. For assistance in designing your entrance plan, please reach out to one of our entry experts at firstname.lastname@example.org.