When Security Means Business.

Good protection proved critical to profits at Communication Concepts, Inc. (CCI), a twenty-five-year old direct mail and marketing firm whose clients made better security at the facility a condition of doing business. Communication Concepts, Inc., (CCI) had always relied on mechanical locks to secure its facility. There were no security officers or electronic security systems the company never saw a need for them. But when two of its clients insisted that CCI increase its security measures as a condition of doing business, the company saw an opportunity not only to keep its customers happy but also to better protect its personnel and other assets. Three months and $250,000 later, the company had an electronic access control system and CCTV surveillance capability that has dramatically improved security and boosted business. CCI was founded twenty-five years ago in Ivyland, Pennsylvania, about thirty miles north of Philadelphia. The company has slowly grown over the years and now occupies seven buildings on about ten acres in an industrial park. The company's main business is to handle direct mail promotional campaigns for a variety of clients, including banks, retailers, and credit card companies. From its 80,000-square-foot lettershop, employees collate promotional materials, insert them in envelopes, and deliver them to the on-site U.S. Post Office for mailing. In all, CCI mails about 400 million packages of all sizes each year for corporate clients. In 1997, two of these clients asked CCI to improve its security. Although CCI had never had a breach of security, the clients felt that mechanical keys were no longer safe enough to protect the many sensitive documents that clients give to CCI as a routine part of business (for example, banks often hire CCI to mail out financial statements to account holders). The company responded immediately, appointing the facility and operations manager to a project team to develop a plan for access control and surveillance. SYSTEM REQUIREMENTS. CCI had a large, permanent staff of 650 employees, plus it frequently used temporary employees from employment agencies. It also had high turnover. These factors combined to make key control difficult. The project team, therefore, agreed that, though the old mechanical locks had worked well over the years, the company now required an electronic access control system. An electronic system would allow the company to remove unauthorized cardholders from the database without having to rekey an entire facility. The company also wanted an electronic access control system that could be integrated with its time and attendance system, which was scheduled to be upgraded. Having a dual system would make it easier for the company to manage both functions, while allowing employees to carry only one card. CCI also wanted a system that could be controlled from a single location. With seven buildings, the company did not want individual control stations in each building requiring someone to make multiple computer entries when changes were required, such as deleting an employee from the card database. In addition, CCI wanted a security system that could communicate over the telephone lines already in place. All of the system components also had to be Year 2000-compliant. Another initial requirement for the system was that it use proximity technology for the access card and that it be integrated with a photo ID badging station. Proximity cards tend to last longer than badges that are continually swiped through a reader. In addition, the company had already selected proximity technology for the upgrade of its time and attendance system. By using the same technology, the two systems could share one database. FEATURES. CCI met with four vendors, examined their access control products, and eventually took bids from each. The access control and video badging system offered by Hirsch Electronics was selected. The system, which was installed by Access Security Corporation of Warminster, Pennsylvania, is run from a password-protected central computer located at the company's human resource (HR) department. Authorized personnel in HR and the facility manager are responsible for administering it. They make employee ID badges, program the system for access privileges, and maintain the database. Card readers have been installed on about forty doors in the seven buildings, including both exterior and interior doors. Another forty-one doors were not equipped with card readers, although they are monitored through the access control system. These doors are locked at all times with mechanical locks, but have been equipped with magnetic contacts that will sound an alarm both at the door and the central station whenever one of these doors is opened. Card readers are wired to a control panel in the individual buildings, with each control panel connected to the central computer via the company's existing fiber optic and copper wire telephone lines. The control panels are located in secure utility closets. Each panel can handle up to eight doors, with multiple panels used in buildings with more than eight doors. The panels keep an independent audit trail of each transaction and are capable of running the access control system for their building if the main computer goes down. This setup allowed the company to centralize access control. Any changes that must be made - such as voiding someone from the system - an only be done from the central PC. Employees need a card to access all buildings as well as interior doors to most departments. Human resources and maintenance, which are both located in the same building (along with several other departments), are the exceptions. Although all employees need an access card to enter the building, the doors to human resources and maintenance are unlocked during regular business hours. This approach was taken because of the high traffic to both departments. The company felt it was important to maintain an open atmosphere. In addition, management thought it would be more convenient to keep the maintenance department open because the crew is always coming and going. Equipment theft is not a problem in maintenance since at least one employee is in the office throughout the day. The access control software was originally programmed to automatically unlock the front doors to these departments in the morning and lock them again in the early evening. However, the company realized that this system could present a serious security risk on days when the facility was not open for business, such as during a holiday. To safeguard against having unlocked doors in the human resources and maintenance departments when the facility was unoccupied, the computer has been programmed with what has been called the "first-man-in" rule. Under this system, the doors to these departments remain locked until a valid badge is presented to the door at the start of a business day (Monday through Friday). The computer then automatically locks the doors at the end of the business day. In addition, because these departments sometimes close early or are shut down temporarily (such as for a large staff meeting in another building), the company has created a "disable" and "enable" badge. In cases in which all HR personnel must leave their department during regular office hours, the office can be locked with the disable badge. The doors remain locked until an employee uses the enable badge to unlock them. HR employees can enter the department during these times, but they will need their access cards to do so. Other employees cannot access the department at these times. (The first-man-in rule does not apply when the disable card has been used.) The disable and enable cards are kept in a secure location and can only be used by the supervisor on duty. The system keeps an audit trail that records the time and day they were used. The sales department, which is in a separate building from HR and maintenance, has special access control arrangements as well. To enter the building, employees and customers must walk through two glass doors. The front door is programmed to unlock automatically during regular business hours, but the second (interior) door remains locked. A receptionist is stationed in the lobby with a clear view of the doors. Visitors can enter through the first set of doors to get out of inclement weather. The receptionist can then press a button and release the inside door to grant them entry. Only those who are recognized by the receptionist or who have an appointment are granted entry. Employees use their ID cards to gain entry. The reader is outside both sets of doors. Since the outside door is already open during normal business hours, only the inside door is unlocked by the system. During nonbusiness hours, an employee presents his or her card to the reader and the outside door unlocks for five seconds. The inside door also unlocks, allowing fifteen seconds. Card technology. Cards are issued by the human resource department. However, instead of placing employee photographs and information directly onto a proximity card, the company makes a digital photograph of an employee and, along with the employee's name and other corporate information, prints the photo onto a thin PVC badge with an adhesive back. The PVC card, which has no technology on it, is then attached to the front of a proximity card. This method turned out to be less expensive than printing photographs directly onto a proximity card. To print employee data directly onto a proximity card, CCI would have had to purchase a particular badge, costing $6.95 per card. The proximity cards chosen instead cost only $3.50 per card, plus $1.10 for each self-stick PVC badge. The company can reuse the proximity card after an employee leaves. HR simply removes the PVC photo ID badge from the proximity card. The card is voided from the system, reconfigured with a new code, and issued to another employee with a new PVC photo badge attached to it. This approach also saves money when cards are misprinted. If an ID badge has a mistake, the company need only throw away the PVC ID card - not the entire proximity card. To further cut down on cost, the company has established a fee for replacement cards. Before receiving their ID badges, employees sign an agreement that requires them to pay $10 to replace a lost card. The policy has resulted in fewer lost badges. Loading dock doors. CCI has fifty-six loading docks throughout its seven buildings, each secured with a locked overhead door and an alarm. The company wanted to use electronic access control on the loading dock doors but felt that it would be too expensive to install a card reader on each one. Instead, the company purchased Hirsch's Scramble Pad. With this system (which was integrated with the card access system), one digital keypad is used to control access to a group of several doors. For example, one building has fourteen garage doors in a row, all controlled by one keypad. Each door is secured and monitored with a magnetic contact that is wired to an access control panel. To open a specific door for deliveries, an employee enters a personal five-digit passcode into the keypad (also wired to the panel) along with the number of the door to be opened. The appropriate contact is shunted and the alarm is disarmed for thirty minutes, enough time to unload a truck. The main PC maintains a record of who opened a loading dock door and when. The keypad offers an additional security feature. Instead of having numbered push buttons in numerical order on the face of the keypad, the numbers appear on an LED touchscreen on the front of the keypad. Before an employee can enter a passcode, he or she must activate the keypad by pushing a "start" button. The start button scrambles the numbers on the screen so that they are in a different order each time, preventing an unauthorized person from guessing an employee's passcode by watching the pattern of how the number was entered. The keypad system also allows the human resource department or facility manager to disarm the alarms and locks at certain loading docks during designated hours of the day. These docks have a high volume of deliveries but do not require high security. The company decided, therefore, that it was better to have them open at all times during regular business hours. Reports. From the main computer, the facility manager and authorized personnel from the human resource department can run reports detailing the activity within the system.This feature has been especially important in helping the company keep track of false alarms. Each month, the facility manager runs a report on all alarms for each building. The reports are given to building managers, who are responsible for eliminating or decreasing the number of false alarms. Other reports are run to determine when certain events took place. These include reports on how many people accessed a particular door on a given month and how many people were denied access to certain doors. By analyzing this data, management can assess how the system is working, which may lead in the future to additional security measures or programming refinements. Maintenance. Although CCI entered into a service agreement with the installer, Access Security, for general maintenance of the access control system, the company wanted to be able to replace and fix some of the components - specially the electronic locks - if they broke down. To that end, the maintenance department was given two spare electric strikes and trained on how to replace electronic locks. Also, to make it easier to replace strikes, all of the wire connections were installed with quick-disconnect terminals, which allows any qualified maintenance person to reconnect the wires without having to strip and crimp them. DOOR ALARMS. As mentioned earlier, forty-one doors were not equipped with card readers. These doors were to be alarmed at all times, and exit from them was prohibited. Limiting the number of readers to the minimum needed saved significantly on costs. (Alarms cost about $200 per door, while a card reader and electronic lock run about $3,000.) While some of these doors had been used in the past, most were not main throughways. For example, several simply led out to a grassy field. Under the new configuration, when anyone exited through an unauthorized door, multiple alarms throughout the building would sound, requiring management to respond. During the first two months of this system, there were many false alarms, as staff were accustomed to leaving through any door. The facility manager solved the problem by putting yellow caution tape across the doors that had the most false alarms. This made everyone aware that the doors were off-limits. After several months, the tape was removed - and the false alarms stopped. CCTV. With the access control system in place, CCI has begun installing a black-and-white CCTV surveillance system. There are currently twenty-two cameras monitoring two buildings, with plans to expand the system to cover all of the buildings over the next few years. The cameras monitor the building perimeters and have a view of most of the loading dock doors and the regular doors that have access card readers. The company is considering the use of cameras inside the buildings as well. Each camera is wired to the central station over fiber optic connections. Images are recorded continuously onto T160 tapes; only three videocassettes are needed to record an entire week. By securing its facilities, CCI has also secured two important clients and given itself a competitive edge in the marketplace. CCI's business is not security. But as its management has now learned, security can be a critical component of any business - whatever a company's core mission might be. Daniel Cogan is vice president of Access Security Corporation, Warminster, Pennsylvania, where he is responsible for system design and integration. He has worked in public law enforcement or private security for more than twenty years. He is a member of ASIS.