On Monday, an employee reports that there is one monitor missing from the shipment of new monitors that was received the previous Friday. The quantity was verified at delivery by the shipping company and two of your employees. The interior door to the loading dock was locked on Friday evening and was still locked on Monday morning. The roll-up loading dock doors usually remain unlocked and open during the day for convenience, but they were also locked on Friday evening and were still locked on Monday morning. There are no security cameras in this area, and there is no alarm system. The roll-up loading dock doors are secured with a padlock, and only three employees have the key. The interior door is secured with a cipher lock that also accepts a physical key. How can you determine who has access to this room?
Do you have a sound key control program in place? If you do not know the location of every key, then there is no way to determine who has access to a particular location.
For the roll-up loading dock doors, there are at least two possibilities. The doors are secured with a padlock, but the doors are routinely left open during the day for convenience. During the day, the padlock is left open and unlocked when hanging on the hasp. First, has an outside padlock been substituted for the company padlock? This would allow the thief to return, open the padlock, commit theft, and then lock the door with the company padlock. Second, does the padlock have a unique keyway? A key for a common padlock could be obtained from a locksmith.
For the interior door, there are also several possibilities. First, since the door is secured with a cipher lock, is the combination written on the door frame or another nearby location? If the combination has not been changed recently, it may be known by employees or other personnel who should not have access to the room. Do keys for other rooms also provide access to this room? In one case, we have seen a client that created submaster keys for individual rooms, which inadvertently provided access to all other rooms in that area. Have all keys to this room been returned by employees who no longer need access? An employee who has been transferred or terminated may still have a key. How many master or grand master keys exist for the facility, and who has access to these keys? We have seen cases where the master key was lost or stolen and the loss was not reported immediately.
RMA conducts an assessment of key control as part of our standard Security Threat Assessment or Vulnerability Assessment. In the past 20 years, we have seen a wide variety of lock and key issues. It is crucial for a company to have a key control program in place that defines the policies and procedures to follow when granting access.
Although not comprehensive or complete, consider the following questions.
- Has one person been designated to manage the key control process?
- Are locks and keys to all buildings and entrances supervised and controlled by the key control officer?
- Is there a process for determining and assigning access levels and authorization for personnel?
- Are unused keys or cards secured in a locked cabinet or container and is access to this storage controlled?
- Are records of key or card issuance and return current and accurate?
- Are keys or cards collected from employees upon termination, transfer, or change in access status?
- Are periodic audits conducted to determine the ownership of all keys and cards as well as the access levels needed and possessed by individuals?
The cost of putting a key control program into place is far less than the cost of rekeying an entire facility.
Plan. Protect. Prosper.
Protus3 specializes in security system design, security consulting, corporate investigations and other investigative services. Partner with Protus3 and we will examine each situation to identify threats and develop solutions for your best outcome.