Richard Jenkins, Chief Executive, National Security Inspectorate (NSI) explains,
Be it office space, student accommodation, private apartment or house, security in private and public space is of increasing concern. To address this, intruder alarms, CCTV systems and building access control, provide management of space allowing access to bonafide occupants and visitors, whilst watching for breaches in security.
Specifying to Standards
The variety of solutions on offer range from the relatively straightforward to the highly sophisticated. Whatever the situation, the same questions of need and operability apply. It is not just hardware that needs to be fit-for-purpose, system design, application and use are also key. It is natural to think about hardware, but intelligent application and high quality installation are critical success factors. So where does one start to look for a security solution?
Any buyer needs to be confident in their provider working to high industry standards, and with the capability to assess risks and needs which the situation demands. A useful short cut in provider selection is consideration of prospective provider’s certification or approval credentials.
As a certification body specialising in the security and fire safety sector, NSI has an active book of over 1800 approved companies, all of whom are obliged to work to the relevant NSI scopes and codes of practice. For installers of systems this means taking into account British Standards as well as industry best practice. For example, the NSI Code of Practice (NCP) 109 for the “design, installation and maintenance of access control systems” draws attention to the Equality Act 2010, British Standard BS 7273-4 for fire protection and BS 7671 for electrical installations. It requires installers to ensure that each access control system access point is assigned one of four risk ‘classes’ according to the level of security required: Class I (low risk), Class II (low to medium risk), Class III (medium to high risk0, and Class IV (high risk). All NSI NACOSS Gold approved companies work to this code of practice and are equipped to advise on the most appropriate system for the building/premises being managed.
As part of the design and specification process, NSI approved installers undertake a risk assessment. This is a review of the assessed threat, points of higher exposure and expected people flows being managed. It considers means of escape in the event of a fire or security incident, and the need for recognition technology. Recognition technologies (credentials) fall into three categories, (1) something known to the user such as a PIN code, (2) something carried by the user such as a token, a fob or a card, or (3) some unique identifier such as a biometric e.g. a fingerprint or retina recognition, or a user’s unique rhythm when using a keyboard.
Along with identified risks and recognition needs, the number of access points to be secured and monitored by video surveillance and remote monitoring are factored in to the design. These include any variation in risk classification for access points, e.g. in and outside working hours, during daylight and hours of darkness, at weekends, or during other open, closed periods.
Record-keeping and data security are also a key element of access control. Typically individual ‘log-in’ and permissions are a point of risk. Failsafe system controls and procedures ensure recognition log-ins are up to date, with new visitors, employees or students added, and permissions for leavers withdrawn in a timely fashion. This is basic risk management. Inevitably, access control systems store personal data: it must be secure, and data protection requirements (including GDPR) must be embraced by the data controller (the owner/client organisation) and data processor(s).
Codes of Practice, such as the one written by NSI, are designed to:
- Demonstrate the credentials of specialist security providers to buyers and users
- Help ensure good practice by providers and operators in managing security risk.
- Provide a framework to assist specifiers, installers and users in establishing risk, needs and requirements.
- Assist specifiers and users in determining the appropriate level of security and sophistication required for a given application. (Often ‘simple’ makes sense.)
- Assist system designers in meeting specifier or user requirements.
The successful operation of access control systems is built on clear collaboration between specifiers, users and installers. Security can only be achieved with carefully developed and clearly understood specifications and usability in practice. Design, then must include the ‘hardware’ and equally important dynamic risk assessment, knowledge of preferred modes of operation, management and maintenance. Working with approved installers competent in end-to-end delivery of the solution means peace of mind for specifier and user alike in delivering secure environments.