Physical keys may not be high tech, but they’re a reliable and cost-effective way for businesses to secure their facilities. Good key management practices can save businesses time and money by eliminating key loss, preventing theft, and improving efficiency.

Better key management practices may have helped a hospital in the U.K. last year, when a worker stole an unmonitored master key and carried out a series of burglaries. After he was caught, the hospital had to spend nearly £130,000 ($170.000) on a rekeying project to replace every door lock on its campus.

How do you stay proactive to prevent costly security breaches? The answer is better key control. 

What Is Key Control?

We can define key control as the methods that security professionals use to secure keys and regulate who has access to them. Business key control programs can include a variety of policies and equipment depending on the exact threats a business cares about. For example, one business may care more about tracking how keys are issued, and another may care more about preventing unauthorized key duplications.

No matter the details, every key control program needs to achieve the same goal of protecting the business’s locations, assets, and people. You may think this means that designing an effective key control program is an overwhelming task, but it doesn’t have to be.

Five Steps for Defining a Key Control Program

The goal of a key control program is to strike a balance between security and convenience while managing access to every key you have. This quick guide walks you through the basics of designing a key control program that achieves the right balance for your business.

1. Inventory your assets

Start by taking stock of everything that needs to be secured by a key in your workplace. This includes doors, but make sure to also inventory cabinets, lockers, and other smaller containers that require access control. Record all of these items in a master key list and then store that in a secure location, such as an encrypted key management database.

2. Determine access rights

Go down your list of assets and record which individuals or work groups need access to each item. To borrow an idea from cybersecurity, we recommend that you work from the principle of least privilege. Staff should have the least access to keys necessary to complete their day-to-day tasks. Treat exceptions as exceptions.

3. Determine how and where keys will be distributed

Once your access list is complete, consider how you’ll distribute keys within your facility. Remember, you're balancing security with efficiency, so depending on the size and layout of your buildings, you may need more than one hub for key distribution.

4. Decide which tools you need to enforce your key control program

We don’t define key control according to any specific tool or technology; the right tool will vary depending on the specific size and scope of your facility and the number of keys you manage. Some businesses can get away with having a single lockbox at someone’s desk. Others need an electronic key management system.

No matter which system you end up using make sure never to label keys. You’re just making an attacker’s job easier. Instead use tag numbers that authorized staff can look up in your secured master list, or let an electronic management system track everything for you.

At this stage, you should know enough about your key control needs to determine whether you need the help of management software to run your key control program. Key management software can automate many advanced tasks, such as rapid user provisioning and regulatory reporting, which is required in many industries, including gaming. It can also automatically notify supervisors of late key returns and assign temporary access to contractors or other personnel.

5. Document key control policies

For a key control program to work, everyone in your business needs to follow the same security practices. This means your policies need to be clearly documented and easily accessible. 

At a minimum, you should have a key issuing policy that details everything that needs to be tracked and recorded when keys are signed out and returned. Other policies might include a key duplication policy, an access change policy, or others depending on a particular business’s needs.

Of course, no set of policies will be able to cover every possible work situation. A contractor or temporary employee may need access to a key, or a regular employee may need emergency access to a key that isn’t on their access list. Make sure to document how exceptions like these should be handled.

Implement Better Key Control: It’s Worth the Effort

Now you know about key control, and you know the five basic steps for defining a key control program that works. It may take time and effort to design a program that runs well, but it is worth it. Good key control can help every business improve its security and productivity.

To learn more about designing key control programs, check out Real Time Networks’ detailed guide, Best Practices for Physical Key Management.