Not sure how to set up a modern security policy? Here are nine steps for creating a comprehensive key control policy in the modern world:
1. Identify Gaps in Your Current Key Control Policy
Before diving into your company’s security key control procedures, it’s worth considering the major weaknesses built into mechanical keys and locks. Three major issues stand out:
- They’re easy to copy.
- They leave no audit trail.
- They work every second of the year.
By identifying these common vulnerabilities, you’ll have a solid jumping-off point for uncovering the gaps in your key control policy.
Do you already suspect that your company has a key control problem? There are several questions you can ask to determine the extent of your risk:
How many keys have been issued by your company?If you can’t answer this basic question with a hard number, controlling access to keys is an issue at your organization.
Do you know who currently holds those keys?This is the same as asking, “Do you know who can open your doors?” If the answer is “no” then there is a hole in your security program.
Can you stop key holders from making copies?It really doesn’t matter how careful you are in distributing keys if you can’t restrict their duplication. Many grocery stores now have self-service key copying machines. If someone can duplicate your keys while picking up bread and milk, you have a problem.
See the Ultimate Guide to Key Control in the Workplace and learn how to create a comprehensive key control policy from planning to execution.
2. Invest in a Patented Key System
The first step toward solving your key control problem is selecting a patented key system. Wondering what makes a patented key system special? Simply put, when your key system is granted a patent, that key’s design is protected. This means it’s illegal to make an unauthorized physical copy of the key.
Of course, this is a big advantage because it discourages key holders from trying to copy the key. However, it goes a step further by giving you the power to legally prosecute anyone who violates the patent.
In contrast, non-patented key systems offer only a vague bluff at key-copying penalties. It’s why “Do Not Duplicate” has become one of the funniest phrases in the industry.
Here are a few groups that manufacture federal patent-protected keying systems:
- ASSA ABLOY
Wondering how to get ahold of these systems? The easiest route is to purchase them through a network of contracted dealers, such as Abloy’s Dealer Network.
3. Create a Master Key System
After you’ve chosen a patented keying system, your locksmith will have the expertise to design a master key system. The system shows which keys will work in particular doors.
Master key systems are beneficial because they give you control over access. They let you designate and restrict access to particular areas or assets. For instance, you can give all keys the ability to unlock the front door, while only giving select keys access the executive suite.
Additionally, your key control system can be complemented by an electronic access control (EAC) system. An EAC system requires a card, fob, fingerprint, or some other credential to open a door. The EAC system allows you to restrict access based on time, date, and credential. It can also provide you with an audit trail of every opening—or attempted opening—of a door. The audit trail is a powerful tool to investigate crime and loss.
Finally, the EAC system allows you to remove a lost, stolen, or inactive credential from your entire system in minutes.
An EAC system can easily cost $3,500 for each protected door, so it’s not usually possible to protect every door. Also, EAC-protected doors often have a mechanical lock acting as an override. For these reasons, even the most sophisticated electronic system does not eliminate the need for effective key control.
4. Rekey Your Facility
Once the master key system has been written, you are ready to rekey. At this stage, your locksmith will spend time at your facility working on every door. Usually, this will entail installing new cores into your existing locks and providing you with cut keys.
Rekeying is important because it’s where your key control policy comes together. That means you should take steps to make sure the wrong employees don’t gain access to the wrong areas. After all, if keys are in the wrong hands, it doesn’t matter how secure your key control system is.
To make sure rekeying goes smoothly, here are some things you should do:
- Map out employee duties and access needs.
- Err on the side of caution when granting access.
- Keep track of who is gaining access where.
5. Create and Distribute a Key Holder Agreement
With a new keying system installed, your key control program has given you a clean start. Now, it’s important that every employee and contractor receiving keys sign a key holder agreement. This document will establish ground rules and set clear expectations for key usage.
6. Conduct Staff Training
Once you’ve set expectations with a key holder agreement, it’s time to conduct training. Key control training should cover all the new policies, expectations, and procedures your organization has set up,
However, if you want training to sink in, be sure to discuss the “why” behind the new security key control procedures. When employees understand how your new program is contributing to everyone’s safety, they’ll be more receptive to policies.
Be sure to cover these areas in your training sessions:
- How to use the new system
- Company safety priorities
- General security do’s and don’ts
- What to do if you lose keys
- Who to contact if you need additional access to an area
7. Make Lost Key and New Access Steps Clear
In general, the clearer your processes are, the less likely employees are to skirt the rules. That’s what makes staff training such an important part of your new security key control procedures.
A good way to start training plans is to create a keying chart. This will map out the hierarchy of your keys, so you’ll know exactly who has access to each level of security.
Next, make sure employees know how to use keys and exactly where they do and don’t have access.
Finally, each employee should learn where he or she can go to request new access. People’s roles will change and your original keying chart may evolve. When employees understand the proper protocol for gaining additional access, they’re less likely to inadvertently break rules and hurt security.
8. Use Trusted Resources During Key Control Planning
As you build out your key control policy, you’ll want as many trusted resources at your disposal as possible. By understanding top technical standards, you can set a foundation for your business’s control standards.
Here are some important resources to consider:
The National Institute of Standards & Technology (NIST) is the go-to technical standards agency for the United States government. It provides must-know information for anyone working with government groups, as well as a solid set of guidelines for private businesses.
This is a flexible, internationally recognized asset management standard. It provides a strong jumping-off point for a wide range of companies and industries.
9. Consider an RFID-Based Key Control System
Once you have a firm grasp of the importance of a sound key control policy, you can take your program a step further with electronic key control systems.
For instance, consider how tech-based programs such as the KeyTracer System work. This system secures keys in a secure electronic cabinet, which means users can’t remove the keys without a code or electronic credential tied to a particular item. Not only does KeyTracer automate the process of distributing keys, but it also maintains control over their movement by alerting you if a key is not returned or if it is removed from your facility.
However, even if you’re using the latest technology, effective key control remains the foundation of a robust physical security program. After all, high-tech layers of a security program—intrusion detection, video analytics, electronic access control—don’t mean much if the wrong people have access to them.
Restore and maintain key security by combining the powers of a well-designed master key system, a comprehensive policy, and a key control cabinet.
Download Best Practices for Physical Key Management
Start building a secure key control program for your organization today.
About the Author
Vice President of Marketing
Jay oversees marketing and strategic partnerships at Real Time Networks and has over three decades of experience in leadership roles in the financial services and technology industries.