Traditional lock and key security is a staple of any physical security plan.
Physical locks are relatively easy to install and cost-effective for the reliable level of security they provide. But if they are deployed without any planning and used without any management, the security of your entire organization can be compromised.
A Key Control Program ensures effective distribution and use of keys within an organization. It can:
Unfortunately, there is no one-size-fits-all program that can just be dropped into place at every organization. There are best practices you can follow though, which we’ll cover here. This guide will help you figure out how to design and implement the best possible program for your organization. Important note: This is not a step-by-step recipe. There are too many variables. We recommend first reading this guide top to bottom
Key Control is the two-fold process of securing locations and assets with physical keys and managing who can access those keys. Business key control programs often also include policies and tools for controlling when keys can be issued, tools for tracking keys in use, and strategies to prevent unauthorized key duplication.
No matter the details, the goal of any key control program is to protect and secure valuable locations, assets, and people as efficiently as possible. It’s a core security function in any organization, from small businesses to large enterprises.
For details on the benefits of a key control program, please see:
A large telecom was looking to gather more data on their service fleet. They knew they could run it more efficiently, but they didn’t have the data to support making any specific changes.
KeyTracer integrated with their trucks’ onboard GPS units so usage data was delivered live from the field. On key return, drivers were able to log vehicle fault codes on the key cabinet’s access control panel for mechanics. We also helped them implement rotating key sign outs at certain locations where drivers were prone to picking a favorite truck every shift. Rotating vehicles helped balance mileage and maintenance across the entire fleet.
Forklifts and many other pieces of industrial machinery require certifications to operate. Fines can run pretty steep if audits turn up uncertified use after accidents.
Real Time Networks deployed a license monitoring tool in a KeyTracer system for one of its customers in their warehouse. It tracked expiration dates on certifications entered in employee records for any kind of vehicle—cars, forklifts, etc. Supervisors were notified by email as license expirations approached. And employees were locked out of accessing keys if they let their certifications expire so the business stayed compliant.
A tech company needed to allow one-time key sign outs to temp workers, like their after-hours housekeeping staff. They had industry secrets they needed to protect. Previously, a cleaner had taken a key to a prototype lab, snapped a cellphone pic of an unreleased handheld device, and then leaked it online. This happened because their housekeeping facility keys were just hung on a pegboard. They had no way of identifying which cleaner had done it or even which night it happened.
We deployed a KeyTracer cabinet for them that allowed supervisors to quickly log staff names and timestamps of one-time key sign outs. This kept their cleaners working and accountable.
The management web portal for KeyTracer systems lets you set sign-out curfews on keys. Some of our customers use this feature to tie it to a shift schedule, like 8:00am to 5:00pm, to help ensure staff don’t accidentally take keys home.
Others, like one pharmaceutical manufacturer that we work with, had more unique challenges. They had large, locking freezers holding temperature-sensitive medicine valued at millions of dollars per bag. If the freezers were left open too long the medicine would degrade. We helped them configure key cabinets with 15 minute timers set for their freezer key returns. Staff assigned to check freezers needed to promptly use and return keys or supervisors received an alert. Mission critical work could be carried out with little micromanagement.
Remember, the goal of a key control program is to balance security against efficiency in business operations. And while this balancing act is going to look different in every organization, there are common steps everyone should take when planning out their program. The process detailed below is a good starting point to begin planning at your own organization.
There are some decisions unique to door security that need to be made up front.
The first is whether a standard security or high-security lock system will be needed. Standard security locks are less expensive and widely available. Ongoing costs are somewhat lower as well, as there are widely available options for duplicating keys.
High-security lock systems offer greater security, but at the cost of all three of those qualities. They’re more expensive, available only through certain channels, and by design are more difficult to duplicate and re-key. They offer potentially valuable benefits though:
A mix of high-security and standard locks may of course be viable depending on your facility’s layout and security needs.
This is a good point in planning to decide whether you intend to use an electronic key management system. More on that below, but start thinking about it at this point.
Once you’ve made a decision about which lock system is appropriate for your security goals, compile a thorough list of all locking doors, equipment, and other assets that have keys to be administered. Then record which categories of staff will need access to each locked item. One useful brainstorming approach to cover all of this is to list your Five W’s for each asset: Who accesses What, Where, When, and Why.
This list can then be converted into a Keying Chart. This resembles an organizational chart for your keys as in this example.
You can see that keys are grouped into a hierarchy roughly by their functional areas within your facility. Keys at the bottom of the hierarchy are ‘Change Keys.’ These typically provide access to only a single unit or asset. Above them are ‘Master Keys’ which provide access to all locks within a larger associated area. Above that are ‘Grand Master’ keys which provide near total access to the facility.
One other type of lock and key pair is an ‘Off-master.’ These are keyed separately from the Master Key hierarchy, either for high-security or regulatory reasons. For example, in an Emergency Medical Services (EMS) agency, by law the medical director or registered pharmacists may be the only personnel allowed to have access to the pharmacy. So that set of rooms may require off-master locks.
Electronically controlled doors often also have a keyed lock for emergency access. If you have these in your facility we recommend keying these doors as off-masters or for emergency ‘system failure’ keys only.
It creates an unnecessary security risk if these locks can be accessed by keys routinely carried by staff. In our experience, having these keys in circulation inevitably leads to excessive ‘Forced Door’ false alarms when staff try to bypass the electronic system out of convenience.
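The keying hierarchy described above can be checked mechanically once the chart is written down as data. The following is an added example, not part of the original guide and not KeyTracer code: it models Change, Master, Grand Master, and Off-master keys and flags any emergency override lock that a routinely carried key can open. All lock names, key names, and the `routine_carry` field are constructed for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Lock:
    name: str
    area: str                 # functional area on the keying chart
    off_master: bool = False  # keyed outside the master hierarchy

@dataclass(frozen=True)
class Key:
    name: str
    level: str                # change | master | grand_master | off_master
    scope: str = ""           # lock name (change, off_master) or area (master)
    routine_carry: bool = True  # carried by staff day to day (assumed field)

def opens(key, lock):
    """Return True if the key operates the lock under the chart's hierarchy."""
    if lock.off_master:
        # Off-master locks sit outside the hierarchy: only their own key works.
        return key.level == "off_master" and key.scope == lock.name
    if key.level == "grand_master":
        return True
    if key.level == "master":
        return key.scope == lock.area
    return key.level == "change" and key.scope == lock.name

def access_map(keys, locks):
    """Map each key name to the sorted list of lock names it opens."""
    return {k.name: sorted(l.name for l in locks if opens(k, l)) for k in keys}

def exposed_overrides(keys, locks, override_names):
    """(key, lock) pairs where a routinely carried key opens an override lock."""
    return sorted((k.name, l.name) for k in keys for l in locks
                  if l.name in override_names and k.routine_carry and opens(k, l))

def rekey_off_master(locks, name):
    """Return a copy of the chart with one lock moved off the master system."""
    return [replace(l, off_master=True) if l.name == name else l for l in locks]

# Constructed sample chart, not taken from any real facility.
LOCKS = [Lock("Office 101", "Admin"), Lock("Office 102", "Admin"),
         Lock("Dock Door", "Warehouse"),
         Lock("Pharmacy", "Medical", off_master=True),
         Lock("Server Room Override", "IT")]  # keyed lock on an electronic door
KEYS = [Key("GM", "grand_master"), Key("M-Admin", "master", "Admin"),
        Key("C-101", "change", "Office 101"),
        Key("OM-Pharmacy", "off_master", "Pharmacy"),
        Key("OM-Override", "off_master", "Server Room Override", routine_carry=False)]

if __name__ == "__main__":
    print(access_map(KEYS, LOCKS))
    print(exposed_overrides(KEYS, LOCKS, {"Server Room Override"}))
    fixed = rekey_off_master(LOCKS, "Server Room Override")
    print(exposed_overrides(KEYS, fixed, {"Server Room Override"}))
```

With the override lock left inside the hierarchy, the Grand Master key is reported as exposing it. After rekeying it as an off-master, only the non-circulating emergency key opens it.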
The planning phase above helps you systematically organize all relevant information about your key control program before you take any action. Once that full scope is agreed upon by all stakeholders, you can move on to designing how your key control program will work in practice.
This may mean using an electronic key management system, pen-and-paper controls, or a combination of both. For the steps below we will consider how an electronic key management system might be implemented.
Start by taking your keying chart and marking on floor plans of your facility where each locked door and asset is located, or will be installed in the future. Then note where the primary users for each of those keys sit. Then consider the most common routes that they will take through your facility during the work day. This will inform your decision about where you place your key cabinets.
If your key control system is pen, paper, and lock-box-based then this is a simpler matter to sort out. It matters much more when you’re assembling an electronic key management system that will integrate with an existing access control system within your organization.
Many different methods are available for authentication and access control. Some of the more popular ones supported by Real Time Networks solutions are PIN Codes, Proximity (Prox) Cards, Biometrics, Iris Scans, and Smart Phone. You can combine multiple methods for higher levels of security, as business needs require.
A combination of your security team, IT team, physical plant staff, and contractors can now install the necessary locks, key cabinets, and provision keys. What also needs to happen at this stage is the deployment of your key control policy, which will help ensure your new infrastructure is used effectively.
Your key issuing policy should be developed with input from across your organization, from senior leadership to security management to operational staff. Final approval should be given by senior leadership, so it’s clear to all personnel that the policy is in line with the organization’s goals.
Your Key Issuing policy should detail how to record:
Make sure your policy can be consistently applied. In the past, this meant ensuring that log books and authorizing staff were always available near key cabinets. With electronic key management systems these functions are built into the access control panels and the lockers themselves.
Make sure exceptions can be handled in your system. For example, if you have an Accounting employee who works one day a week in a different department, make sure you have a way to authorize one-day-a-week key access for any necessary keys. With an electronic key management system, that means making sure a supervisor is able to issue manual overrides for that employee.
That said, access should be assigned based around normal business and not based around exceptional circumstances. Productivity will be better long term if the system is built to support normal business operations.
Transaction logs should periodically be audited. The exact frequency will likely depend on individual business security needs and regulatory obligations. Whatever is relevant for your organization should be outlined in your key policy as well.
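A periodic audit of this kind can be scripted against an exported transaction log. The following is an added example, not part of the original guide and not KeyTracer code: it checks sign-outs against a curfew window and a per-key return timer, in the spirit of the 8:00am to 5:00pm curfew and 15 minute freezer key timer described earlier. The CSV layout, key names, user names, and policy values are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, time, timedelta

# Constructed export. The column layout is an assumption, not a vendor format.
SAMPLE_LOG = """key,user,event,timestamp
Freezer-A,jlee,out,2024-03-04 09:00
Freezer-A,jlee,in,2024-03-04 09:12
Freezer-A,mroy,out,2024-03-04 10:00
Freezer-A,mroy,in,2024-03-04 10:40
Truck-7,akim,out,2024-03-04 16:30
Truck-7,akim,in,2024-03-05 07:55
Lab-2,temp1,out,2024-03-04 22:10
"""

# Hypothetical policy: sign-out curfew window and maximum time a key may be out.
CURFEW = (time(8, 0), time(17, 0))
MAX_OUT = {"Freezer-A": timedelta(minutes=15),
           "Truck-7": timedelta(hours=9),
           "Lab-2": timedelta(hours=1)}
AUDIT_TIME = datetime(2024, 3, 5, 9, 0)  # constructed "now" for the sample run

def audit(log_text, as_of):
    """Return sorted (key, user, finding) tuples for every policy exception."""
    findings, still_out = [], {}
    for row in csv.DictReader(io.StringIO(log_text)):
        key, user = row["key"], row["user"]
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M")
        if row["event"] == "out":
            if not CURFEW[0] <= ts.time() <= CURFEW[1]:
                findings.append((key, user, "out_of_hours"))
            still_out[key] = (user, ts)
        elif key in still_out:
            holder, out_ts = still_out.pop(key)
            if ts - out_ts > MAX_OUT[key]:
                findings.append((key, holder, "overdue"))
        else:
            # A return with no matching sign-out means the log has a gap.
            findings.append((key, user, "return_without_sign_out"))
    # Keys never returned and past their limit at audit time.
    for key, (holder, out_ts) in still_out.items():
        if as_of - out_ts > MAX_OUT[key]:
            findings.append((key, holder, "not_returned"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, AUDIT_TIME):
        print(finding)
```

On the sample log this reports the 40 minute freezer key sign-out, the truck key kept overnight, and the after-hours lab key that was never returned.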
Deploying an effective key control program is a serious commitment of time, money, and resources. But it’s not an impossible task, and is in fact well worth the effort. A number of valuable resources are available beyond this set of best practices. Some are listed below.
And you can always contact Real Time Networks’ team of key management experts for advice on deploying a program that’s a good fit for your organization.
The National Institute of Standards & Technology has become the de facto technical standards agency for the US government. Any businesses working with or for the US Federal government will need to be familiar with these requirements. The documents linked here might also work well as baseline access control standards for private businesses.
ISO 55000 is an internationally recognized standard for asset management. It is highly flexible and suitable for a broad range of use cases and industries. The 55000 Series standard launched in 2014, replacing the earlier PAS 55 standard.