Identification and access: Policy as authority
By Brian Wood
You may be surprised to find that some large organizations do not have formal policies surrounding the use of identification and access cards. Often there are elements of best practices and guidelines in the corporate culture which help support the basics, such as no piggybacking or lending cards.
Security awareness presentations and materials ‘suggest’ or ‘encourage’ employees to always visibly wear their ID card while on the premises. Internal procedures and controls probably exist to limit who can issue cards to whom. However, enforcement and compliance will always be challenged if an actual policy does not exist.
In order to do their jobs properly, security officers should be able to point to a formal administrative document which has been blessed by the appropriate authority. A policy endorsed by the Chief Administrative Officer, which applies to all staff, visitors, contractors on all corporate premises, carries much more authority and acceptance than the verbal instructions of a security director or officer.
A great deal of benchmarking should be done with internal stakeholders as well as externally. Consultations should be held with various groups and draft versions shared for input prior to finalization.
The end result is a comprehensive set of sensible rules for the use of ID/access cards. With the policy in place, the level of compliance is one criterion during a physical security threat risk assessment. Flagrant and widespread misuse of these corporate assets and policies can lead to recommendations for mitigation, including targeted security awareness sessions, enhanced enforcement and penalties such as removal of privileges. Without a policy, these recommendations would rely more on the qualifications and credibility of the report writer, and become subject to challenge by executives who lack security expertise.
Here are a few considerations for the development (or update) of a policy:
Endorsement: The higher the better, preferably from the top (the president, CAO, owner).
Applies To: Consider if the intent is for all employees to be subject to this policy, and take into account relevant operations (visitors, contractors, consultants, public, clients).
Penalties: As a corporate policy, non-compliance should be subject to disciplinary action, up to and including dismissal.
Specifics: These are the actual rules, such as eligibility criteria, card use, do’s and don’ts, expiration periods, processes for enrolment, replacement, update and termination, etc.
Internal Review: Have Legal, Privacy/FOI, labour relations, administrative heads and other relevant stakeholders take a look from their unique perspectives.
Alignment: Make sure the policy is consistent with related materials such as existing signage, forms and intranet content, or else update these accordingly.
Communication: Launching a new policy or a substantial overhaul needs to be communicated effectively and tailored to specific audiences, including the card issuers, policy enforcers, affected users, management, bargaining agents, administrative staff, etc. There are many vehicles available in large corporations, such as the intranet, email blasts, standalone awareness sessions, adding an item to the agenda of department meetings, eLearning, question-and-answer sessions, etc. Failure to communicate means failure of the project.
An effective, clear, well-written policy can form one of the cornerstones of an overall security program. Properly executed, it can add credibility to a security group and show due diligence to the corporation as a whole.
Brian Wood, PSP was personally involved in the development and rollout of policies for the City of Toronto and the Government of Ontario (Ministries of Finance and Revenue).