blog-header

Securing Keys, Assets & People - News, Tech and Trends Blog

9 Steps to Create a Comprehensive Key Control Policy

Feb 21, 2020

Today’s environment calls for heightened security and a comprehensive, holistic key control policy. The purpose of a key control policy is to keep property, and people private, safe, and secure. It should give your organization control over access to spaces and assets.

Not sure how to set up a modern security policy? Here are nine steps for creating a comprehensive key control policy in the modern world:

  1. Identify gaps in your current key control policy.
  2. Invest in a patented key system.
  3. Create a master key system.
  4. Rekey your facility.
  5. Create and distribute a key holder agreement.
  6. Conduct staff training.
  7. Make lost key and new access steps clear.
  8. Use trusted resources during key control planning.
  9. Consider an RFID-based key control system.

1. Identify Gaps in Your Current Key Control Policy

Before diving into your company’s security key control procedures, it’s worth considering the major weaknesses built into mechanical keys and locks. Three major issues stand out:

  1. They’re easy to copy.
  2. They leave no audit trail.
  3. They work every second of the year.

By identifying these common vulnerabilities, you’ll have a solid jumping-off point for uncovering the gaps in your key control policy.

Do you already suspect that your company has a key control problem? There are several questions you can ask to determine the extent of your risk: 

  • How many keys have been issued by your company? If you can’t answer this basic question with a hard number, controlling access to keys is an issue at your organization.
  • Do you know who currently holds those keys? This is the same as asking, “Do you know who can open your doors?” If the answer is “no” then there is a hole in your security program. 
  • Can you stop key holders from making copies? It really doesn’t matter how careful you are in distributing keys if you can’t restrict their duplication. Many grocery stores now have self-service key copying machines. If someone can duplicate your keys while picking up bread and milk, you have a problem.

Download Best Practices for Physical Key Management to begin building a secure  key control program for your organization →

2. Invest in a Patented Key System 

The first step toward solving your key control problem is selecting a patented key system. Wondering what makes a patented key system special? Simply put, when your key system is granted a patent, that key’s design is protected. This means it’s illegal to make an unauthorized physical copy of the key. 

Of course, this is a big advantage because it discourages key holders from trying to copy the key. However, it goes a step further by giving you the power to legally prosecute anyone who violates the patent. 

In contrast, non-patented key systems offer only a vague bluff at key-copying penalties. It’s why “Do Not Duplicate” has become one of the funniest phrases in the industry.  

Where Non-Patented Keys Fall Short

Most keys can be duplicated at local hardware stores because anyone can purchase the blank, or uncut, key. Stamping “Do Not Duplicate” on the key doesn’t actually prevent duplication. If the blank is readily available, someone will be willing to cut that key for you. And when the key doesn’t have patent protection, they’ve done nothing illegal. Unless the manufacturer can strictly control the distribution of key blanks, your policy will have no teeth.

How Patented Keys Work

Manufacturers control the sale and manufacture of key blanks by applying for and being granted a Federal Utility Patent. A utility patent protects by federal law the way an invention works. Once a design patent is issued, it is illegal for a third party to produce a key that will work in the manufacturer’s lock. The only locksmith that should have access to the patented key is the one under contract with the manufacturer. High-security lock manufacturers can and do audit the keys that contracted locksmiths cut to ensure compliance with all control policies.

When working with a reputable locksmith, you as the owner of the keying system can provide the names of the people allowed to request duplicate keys. The locksmith should have a system of verifying identification and recording the details of every key they cut. You have every right as a consumer to ask your locksmith to explain how they ensure that only authorized individuals receive your keys.

Here are a few groups that manufacture federal patent-protected keying systems:

  • Medeco 
  • ASSA ABLOY
  • Schlage
  • BEST 
  • Mul-T-Lock 

Wondering how to get ahold of these systems? The easiest route is to purchase them through a network of contracted dealers, such as Abloy’s Dealer Network.

3. Create a Master Key System

After you’ve chosen a patented keying system, your locksmith will have the expertise to design a master key system. The system shows which keys will work in particular doors. 

Master key systems are beneficial because they give you control over access. They let you designate and restrict access to particular areas or assets. For instance, you can give all keys the ability to unlock the front door, while only giving select keys access the executive suite.

Additionally, your key control system can be complemented by an electronic access control (EAC) system. An EAC system requires a card, fob, fingerprint, or some other credential to open a door. The EAC system allows you to restrict access based on time, date, and credential. It can also provide you with an audit trail of every opening—or attempted opening—of a door. The audit trail is a powerful tool to investigate crime and loss. 

Finally, the EAC system allows you to remove a lost, stolen, or inactive credential from your entire system in minutes.

An EAC system can easily cost $3,500 for each protected door, so it’s not usually possible to protect every door. Also, EAC-protected doors often have a mechanical lock acting as an override. For these reasons, even the most sophisticated electronic system does not eliminate the need for effective key control.

4. Rekey Your Facility

Once the master key system has been written, you are ready to rekey. At this stage, your locksmith will spend time at your facility working on every door. Usually, this will entail installing new cores into your existing locks and providing you with cut keys.

Rekeying is important because it’s where your key control policy comes together. That means you should take steps to make sure the wrong employees don’t gain access to the wrong areas. After all, if keys are in the wrong hands, it doesn’t matter how secure your key control system is. 

To make sure rekeying goes smoothly, here are some things you should do:

  • Map out employee duties and access needs.
  • Err on the side of caution when granting access.
  • Keep track of who is gaining access where.

5. Create and Distribute a Key Holder Agreement

With a new keying system installed, your key control program has given you a clean start. Now, it’s important that every employee and contractor receiving keys sign a key holder agreement. This document will establish ground rules and set clear expectations for key usage.

Advantages of a Key Holder Agreement

You want your whole organization working toward a safer environment. Key holder agreements help employees understand the responsibilities of key holders and exactly what they should or shouldn’t do. For instance, it may explain that keys may not be loaned and lost keys must be reported immediately. 

In addition, it should make clear that all keys must be surrendered upon termination of employment or contract. This keeps spaces secure long after individual relationships fizzle.

What to Include in Your Key Holder Agreement

Not sure where to start? Your key holder agreement should include these important components:

  • Liability section for restricted space damages
  • Discourage sharing or duplication
  • Replacement fees
  • Termination procedures 

6. Conduct Staff Training

Once you’ve set expectations with a key holder agreement, it’s time to conduct training. Key control training should cover all the new policies, expectations, and procedures your organization has set up,

However, if you want training to sink in, be sure to discuss the “why” behind the new security key control procedures. When employees understand how your new program is contributing to everyone’s safety, they’ll be more receptive to policies. 

Be sure to cover these areas in your training sessions:

  • How to use the new system
  • Company safety priorities
  • General security do’s and don’ts
  • What to do if you lose keys
  • Who to contact if you need additional access to an area

7. Make Lost Key and New Access Steps Clear

In general, the clearer your processes are, the less likely employees are to skirt the rules. That’s what makes staff training such an important part of your new security key control procedures.

A good way to start training plans is to create a keying chart. This will map out the hierarchy of your keys, so you’ll know exactly who has access to each level of security. 

Next, make sure employees know how to use keys and exactly where they do and don’t have access.

Finally, each employee should learn where he or she can go to request new access. People’s roles will change and your original keying chart may evolve. When employees understand the proper protocol for gaining additional access, they’re less likely to inadvertently break rules and hurt security. 

8. Use Trusted Resources During Key Control Planning

As you build out your key control policy, you’ll want as many trusted resources at your disposal as possible. By understanding top technical standards, you can set a foundation for your business’s control standards.

Here are some important resources to consider:

  • NIST Physical Access Control Standards: The National Institute of Standards & Technology (NIST) is the go-to technical standards agency for the United States government. It provides must-know information for anyone working with government groups, as well as a solid set of guidelines for private businesses.
  • ISO 55000 Information: This is a flexible, internationally recognized asset management standard. It provides a strong jumping-off point for a wide range of companies and industries.

9. Consider an RFID-Based Key Control System

Once you have a firm grasp of the importance of a sound key control policy, you can take your program a step further with electronic key control systems. 

For instance, consider how tech-based programs such as the KeyTracer System work. This system secures keys in a secure electronic cabinet, which means users can’t remove the keys without a code or electronic credential tied to a particular item. Not only does KeyTracer automate the process of distributing keys, but it also maintains control over their movement by alerting you if a key is not returned or if it is removed from your facility.

However, even if you’re using the latest technology, effective key control remains the foundation of a robust physical security program. After all, high-tech layers of a security program—intrusion detection, video analytics, electronic access control—don’t mean much if the wrong people have access to them. 

Restore and maintain key security by combining the powers of a well-designed master key system, a comprehensive policy, and a key control cabinet.


Interested in learning more about key control and the latest best practices? Read our guide, Best Practices for Physical Key Management, to learn more.

Best Practices for Physical Key Management

 

Topics: Key Control

Shannon Arnold

Written by Shannon Arnold

Shannon Arnold is the VP of Marketing and Strategic Partnerships at Real Time Networks.