S 2.17 Entry regulations and controls

Initiation responsibility: Head of Organisational Section; Head of Site Technical Services

Implementation responsibility: Head of Site Technical Services, employees

Entry into parts of buildings and rooms requiring protection must be controlled (see S 2.6 Granting of site access authorisations). The pertinent measures range from the simple issue of keys through to complicated identification systems including one-by-one checks of persons; in this respect, use of a physical key with lock also constitutes a form of entry control. For entry regulation and control, it is necessary that:

• The area subject to such regulations is clearly defined.

• The number of persons with right of access is reduced to a minimum. These persons should be mutually aware of their permissions in order to be able to recognise unauthorised persons as such.

• Any other persons (visitors) may be allowed to enter only after the need to do so has been previously verified.

• The permissions granted must be documented.

The mere allocation of permissions will not be sufficient if their observance, or infringement, is not monitored. The detailed design of control mechanisms should be based on the principle that simple and practicable solutions are often just as effective as elaborate technology. Examples here are:

• informing and raising the awareness of security issues of authorised persons

• announcement of changes to the permissions granted

• visible carrying of internal identity passes; possibly issue of visitor's passes

• escorting of visitors

• procedural rules when any infringement of rights has been detected

• restriction of unhindered entry for unauthorised persons (e.g. door with a dummy knob, lock for authorised persons provided with a key, bell for visitors)

Various building-related, organisational and personnel-related safeguards are required in connection with access control. Their interaction should be controlled in an access control concept which specifies the general guidelines for protection of the parameter, building and equipment. These include:

• Definition of security zones

Areas to be protected could be grounds, buildings, server rooms, rooms containing peripheral devices, archives, communications facilities and in-house installations. As these areas often have quite different security requirements, it can be appropriate to divide them into different security zones.

• Issue of access authorisations (seeS 2.6 )

• Appointment of a person responsible for access control

This person assigns access authorisations to individual persons in accordance with the principles laid down in the security policy.

• Definition of time dependencies

It must be clarified whether it is necessary to have time limits on access rights. For example, access might be permitted only during working hours, once a day or for a period ending on a fixed date.

• Retention of evidence

Here it is necessary to determine what data should be logged when a protected area is entered and left. It may be necessary here to carefully weigh up the security interests of the system operator against the interests of protecting the privacy of the individual.

• Handling of exception situations

Steps must be taken to ensure among other things that in case of fire the workforce is able to evacuate the endangered zones as quickly as possible.

In addition, the installation of various qualities of badge reader, of walk-through detectors and one-by-one checking facilities may be expedient. For key management, see S 2.14 Key Management.

When operating a computer centre, it is extremely important to protect the core units with strong access control mechanisms. Possession, knowledge and biometric features are all possible means of establishing identification and authentication. A strong access control mechanism must require at least two out of these three characteristics. Today's technology suggests that biometric procedures should not be used as the sole means of access control.

The terminals used for access control must be protected against tampering. They must be arranged so that confidentiality is maintained during data entry. Moreover, all the units that are necessary for data entry should be combined in one device, for example, a keypad for entry of a PIN.

If all the units are not in a single device, data transmission between these devices must be encrypted. If, for example, contactless ID card readers are used, the transmission of data between card and reader must be encrypted.

Additional controls:

• Is there an access control concept?

• Are the access control mechanisms regularly checked for effectiveness?