The Easy Way to Better Key Control

Traditional lock and key security is a staple of any physical security plan.
Physical locks are relatively easy to install and cost-effective for the reliable level of security they provide. But if they are deployed without any planning and used without any management the security of your entire organization can be compromised.

A Key Control Program ensures effective distribution and use of keys within an organization. It can:

  • Better manage risk
  • Reduce theft and equipment loss
  • Ensure regulatory compliance

Unfortunately, there is no one-size-fits-all program that can just be dropped into place at every organization. There are best practices you can follow though, which we’ll cover here. This guide will help you figure out how to design and implement the best possible program for your organization. Important note: This is not a step-by-step recipe. There are too many variables. We recommend first reading this guide top to bottom

key-control-cabinet

DOWNLOAD A PDF VERSION OF THIS GUIDE BY FILLING OUT THIS FORM, OR KEEP SCROLLING TO READ.

White-paper_Key-Management

Get a copy sent directly to your inbox!

KeyTracer-key-management

An Overview of Key Control

Key Control is the two-fold process of securing locations and assets with physical keys and managing who can access those keys. Business key control programs often also include policies and tools for controlling when keys can be issued, tools for tracking keys in use, and strategies to prevent unauthorized key duplication.

No matter the details, the goal of any key control program is to protect and secure valuable locations, assets, and people as efficiently as possible. It’s a core security function in any organization, from small businesses to large enterprises.

Benefits of Better Key Control

A comprehensive key control program can deliver a lot of value.

Key Benefits

  • Improved Operations: You get tighter control over work that happens in your facility. Keys are always accounted for and available when needed.
  • Better Risk Management: The tracking and auditing processes built into a key control program give you actionable intelligence on risks to your business and they support better regulatory compliance.
  • Loss Prevention: Regular transaction monitoring and improved accountability help ensure a complete ‘chain of custody’ for locations and assets secured by your keys.
  • Cost Reduction: A key control program ensures more effective use of your organization’s equipment. Work happens on time. Productivity stays high. Re-keying costs are reduced.
  • Encourages Accountability: Training personnel to pay better attention to who has which keys, and when, will carry over to support a broader security-minded workplace culture.
  • Builds Your Reputation: Demonstrating to stakeholders and customers that you have a clear and effective strategy for managing your facility and assets improves their confidence in your organization, strengthening your business relationships.

For details on the benefits of a key control program, please see:

The Benefits of Implementing a Key Management System

large-key-cabinets

Some Inspiration

A reliable key control program supports a whole range of workflows. Here are some examples from customers using Real Time Networks’ KeyTracer key management systems.

Collecting Actionable Fleet Data

A large telecom was looking to gather more data on their service fleet. They knew they could run it more efficiently, but they didn’t have the data to support making any specific changes.

KeyTracer integrated with their trucks’ onboard GPS units so usage data was delivered live from the field. On key return, drivers were able to log vehicle fault codes on the key cabinet’s access control panel for mechanics. We also helped them implement rotating key sign outs at certain locations where drivers were prone to picking a favorite truck every shift. Rotating vehicles helped balance mileage and maintenance across the entire fleet.

Managing Forklift Certifications

Forklifts and many other pieces of industrial machinery require certifications to operate. Fines can run pretty steep if audits turn up uncertified use after accidents.

Real Time Networks deployed a license monitoring tool in a KeyTracer system for one of its customers in their warehouse. It tracked expiration dates on certifications entered in employee records for any kind of vehicle—cars, forklifts, etc. Supervisors were notified by email as license expirations approached. And employees were locked out of accessing keys if they let their certifications expire so the business stayed compliant.

Forklift-key-management

Tracking Contractors in Your Facility

A tech company needed to allow one-time key sign outs to temp workers, like their after-hours housekeeping staff. They had industry secrets they needed to protect. Previously, a cleaner had taken a key to a prototype lab, snapped a cellphone pic of an unreleased handheld device, and then leaked it online. This happened because their housekeeping facility keys were just hung on a pegboard. They had no way of identifying which cleaner had done it or even which night it happened.

We deployed a KeyTracer cabinet for them that allowed supervisors to quickly log staff names and timestamps of one-time key sign outs. This kept their cleaners working and accountable.

Using Key Curfews to Protect Valuable Pharmaceuticals

The management web portal for KeyTracer systems lets you set sign-out curfews on keys. Some of our customers use this feature to tie it to a shift schedule, like 8:00am to 5:00pm, to help ensure staff don’t accidentally take keys home.

Others, like one pharmaceutical manufacturer that we work with, had more unique challenges. They had large, locking freezers holding temperature-sensitive medicine valued at millions of dollars per bag. If the freezers were left open too long the medicine would degrade. We helped them configure key cabinets with 15 minute timers set for their freezer key returns. Staff assigned to check freezers needed to promptly use and return keys or supervisors received an alert. Mission critical work could be carried out with little micromanagement.

How to Plan

Remember, the goal of a key control program is to balance security against efficiency in business operations. And while this balancing act is going to look different in every organization, there are common steps everyone should take planning out their program. The process detailed below is a good starting point to begin planning at your own organization.

1. Assess Door Security Needs

There are some decisions unique to door security that need to be made up front.

The first is whether a standard security or high-security lock system will be needed. Standard security locks are less expensive and widely available. Ongoing costs are somewhat lower as well, as there are widely-available options for duplicating keys.

High-security lock systems offer greater security, but at the cost of all three of those qualities. They’re more expensive, available only through certain channels, and by design are more difficult to duplicate and re-key. They offer potentially valuable benefits though:

  • Pick Resistance: High-security locks have embedded mechanisms that make them highly resistant to picking. While there are skilled locksmiths that can pick almost any commercially available lock that is under controlled conditions, most high-security locks on the market easily resist picking by criminal threats in the field.
  • Bump Resistance: Bump keys are locksmithing tools specially cut to bypass the pin and tumbler mechanisms of standard security locks. By design, high-security locks are not vulnerable to bump keys.
  • Drill Resistance: High-security locks also usually have hardened metal bodies, or protective cases around their pins that make them resistant to drilling. Similar to picking, while no lock is “drill proof,” high-security locks will slow down drilling to the point where it is often not a viable attack for criminals in the field.
  • Restricted Key Design: Certified vendors use specialty equipment to duplicate high-security keys. Blank keys and key design plans are highly restricted.

A mix of high-security and standard locks may of course be viable depending on your facility’s layout and security needs.

2. Create Your Keying Chart

Once you’ve made a decision about which lock system is appropriate for your security goals, compile a thorough list of all locking doors, equipment, and other assets that have keys to be administered. Then record which categories of staff will need access to each locked item. One useful brainstorming approach to cover all of this is to list your Five W’s for each asset: Who accesses What, Where, When, and Why.

This list can then be converted into a Keying Chart. This resembles an organizational chart for your keys as in this example.

keying-chart

You can see that keys are grouped into a hierarchy roughly by their functional areas within your facility. Keys at the bottom of the hierarchy are ‘Change Keys.’ These typically provide access to only a single unit or asset. Above them are ‘Master Keys’ which provide access to all locks within a larger associated area. Above that are ‘Grand Master’ keys which provide near total access to the facility.

One other type of lock and key pair is an ‘Off-master.’ These are keyed separately from the Master Key hierarchy, either for high-security or regulatory reasons. For example, in an Emergency Medical Services (EMS) agency, by law the medical director or registered pharmacists may be the only personnel allowed to have access to the pharmacy. So that set of rooms may require off-master locks.

3. Special Consideration: Working with Electronic Access Control

Electronically controlled doors often also have a keyed lock for emergency access. If you have these in your facility we recommend keying these doors as off-masters or for emergency ‘system failure’ keys only.

It creates an unnecessary security risk if these locks can be accessed by keys routinely carried by staff. In our experience, having these keys in circulation inevitably leads to excessive ‘Forced Door’ false alarms when staff try to bypass the electronic system out of convenience.

How to Design

The planning phase above helps you systematically organize all relevant information about your key control program before you take any action. Once that full scope is agreed upon by all stakeholders, you can move onto designing how your key control program will work in practice.

This may mean using an electronic key management system, pen-and-paper controls, or a combination of both. For the steps below we will consider how an electronic key management system might be implemented.

1. Plan Your Installation Locations

Start by taking your keying chart and marking on floor plans of your facility where each locked door and asset is located, or will be installed in the future. Then note where the primary users for each of those keys sit. Then consider the most common routes that they will take through your facility during the work day. This will inform your decision about where you place your key cabinets.

2. Determine Cabinet Access Control Methods

If your key control system is pen, paper, and lock-box-based then this is a simpler matter to sort out. It matters much more when you’re assembling an electronic key management system that will integrate with an existing access control system within your organization.

Many different methods are available for authentication and access control. Some of the more popular ones supported by Real Time Networks solutions are PIN Codes, Proximity (Prox) Cards, Biometrics, Iris Scans, and Smart Phone. You can combine multiple methods for higher levels of security, as business needs require.

How to Implement

A combination of your security team, IT team, physical plant staff, and contractors can now install the necessary locks, key cabinets, and provision keys. What also needs to happen at this stage is the deployment of your key control policy, which will help ensure your new infrastructure is used effectively.

Your key issuing policy should be developed with input from across your organization. From senior leadership, to security management, to operational staff. Final approval should be given by senior leadership, so it’s clear to all personnel that the policy is in-line with the organization’s goals.

Your Key Issuing policy should detail how to record:

  • Authorizing new users and their access
  • Authorizing new supervising staff and their administrative capabilities
  • The time, location, and nature of an access request
  • The specific key issued
  • The time, location, and nature of a key return

Make sure your policy can be consistently applied. In the past, this meant ensuring that log books and authorizing staff were always available near key cabinets. With electronic key management systems these functions are built into the access control panels and the lockers themselves.

Make sure exceptions can be handled in your system. For example, if you have an Accounting employee who works one day a week in a different department, make sure you have a way to authorize one day a week key access for any necessary keys. For example, with an electronic key management system, make sure a supervisor is able to issue manual overrides for that employee.

That said, access should be assigned based around normal business and not based around exceptional circumstances. Productivity will be better long term if the system is built to support normal business operations.

Transaction logs should periodically be audited. The exact frequency will likely depend on individual business security needs and regulatory obligations. Whatever is relevant for your organization should be outlined in your key policy as well.

Final Thoughts

Deploying an effective key control program is a serious commitment of time, money, and resources. But it’s not an impossible task, and is in fact well worth the effort. A number of valuable resources are available beyond this set of best practices. Some are listed below.

And you can always contact Real Time Networks’ team of key management experts for advice on deploying a program that’s a good fit for your organization.

External Resources

NIST Physical Access Control Standards

The National Institute of Standards & Technology has become the de facto technical standards agency for the US government. Any businesses working with or for the US Federal government will need to be familiar with these requirements. The documents linked here might also work well as baseline access control standards for private businesses.

ISO 55000 Information

ISO 55000 is an internationally-recognized standard for asset management. It is highly-flexible and suitable for a broad range of use cases and industries. The 55000 Series standard launched in 2014, replacing the earlier PAS 55 standard.

Useful Aids from Real Time Networks

Whitepaper-Best-key-management-system

10-Step Purchasing Checklist for Key Management 

Another good starting point resource.

6-Step-security-system-purchasing-guide

6-Step Security System Purchasing Process

A comprehensive guide for defining your purchasing goals and evaluating the cost-effectiveness of various systems.

Contact Real Time Network’s today to deploy the best key control program for your organization.