Security Access Control Requirements Gathering Pack

Post on 19-Jun-2015


description

This is a pack that I created to gather business requirements for a new Security Access Control system. It includes basic questions that you should ask when completing an initial scoping exercise.

Transcript of Security Access Control Requirements Gathering Pack

Access Control Requirements Gathering Session 1

• The business requirements will form the basis of future projects and will determine the eventual scope.

• If a ‘need’ is not raised as a requirement, the project will not know that the system must perform an action; it will therefore not be included within the scope of the project or within the end solution.

• The requirements will be base-lined at the end of the Initiate Phase. Any requirements submitted after this date will not be accepted without a change request and associated funding (where applicable).

• The identified business stakeholders are responsible for ensuring that all requirements are raised during the Initiate Requirements gathering process.

The Importance of Requirement Gathering

• Review each area of Access Control functionality.

• Prepare a set of draft Access Control BUSINESS requirements for each of the functional areas.

• Agree a priority for each draft requirement.

• Agree next steps, actions and areas for further investigation.

Workshop 1 Objectives

Defining the Threat - Review

• What threats are present?

• What are the drivers for an access control system, e.g. controlling visitor numbers, protecting people, protecting assets, anti-tailgating, anti-passback etc.?

• Who and what are we trying to protect?

Defining the Nature of the Threat - Discussion

Areas of Concern

• What general areas need to be controlled, e.g. areas, rooms, locations etc.?

• What exceptions exist, e.g. fire exits etc.?

• What areas require enhanced access control, e.g. equipment rooms, data centres etc.?

• Why do these areas need to be controlled? What is the related threat?

• What is the level of risk associated with these areas?

• What is the function of installing control in these areas?

Areas of Concern (General) - Discussion

• What vulnerable points exist for each area to be controlled, e.g. doors, windows, air conditioning shafts, conduits etc.?

• What points should have access control?

• Should access be controlled on a location by location basis or should access be controlled to area ‘types’?

Areas of Concern (Specific) - Discussion

Health & Safety

• Are there any legal requirements? Health & Safety or Disability & Discrimination Act?

• How should access control act in case of an emergency, i.e. release on emergency?

• What is the definition of an emergency?

• What fire officer requirements exist?

• What provisions should be granted to the blue light services?

• What are the requirements for disabled access?

• When will the access system be operational? 24/7, 365 days a year, or night time only?

Health & Safety - Discussion

Type of Access Control

• Should the system be automatic or manned?

• What types of barriers should be used for each of the areas in scope, e.g. door locks, arm barriers, vehicle block devices etc.?

• What types of additional barriers should be used for the priority locations, e.g. electronic keys, fingerprint scanning?

• What type of verification measures should be used? Electronic key card, iris scan, fingerprint recognition, ID codes, keys etc.

• What should the user do when access is denied? Should an intercom system be present?

Types of Access Control - Discussion

• How often will the access control be used in each of the areas?

• What level of security should be in place?

• If the power drops, what should happen?

• Anti-tamper mechanisms?

Technical Details Discussion

Operational Considerations

• How will access control be managed for each group, e.g. customers, staff, disabled visitors/staff, contractors etc.?

• What information will be captured against each person granted access? Name, address, role, date given, expiry date etc?

• What period should access be granted for?

• What types of protected access should be provided?

• How will deliveries be controlled?

• Where will data entry and monitoring of alarm activity take place?

• How will data for entry or modification be gathered?

• How will security clearance be processed?

Operational Issues- Discussion

Integration to Other Systems

• Should there be integration between the Access Control System and other systems? i.e. CCTV system?

• What information should pass between the systems?

Integration Discussion

Management Information, Reporting & Maintenance

• What information should the system capture?
  • Successful access: user ID, time, location etc.?
  • Unsuccessful access: user ID, time, location, number of attempts etc.?

• Should information be captured and available to view in real time? i.e. should it be possible to identify where an individual is located at all times?

• What reports should be available from the system?

• Should the system automatically alert based on event triggers? If so, what events should trigger alerts and how should the system alert?

• What should the system do in the event of a breach, e.g. a door is forced?

Management Information & Reporting Discussion

• What should the system do in the event that an access control point fails in the following scenarios:
  • Access point loses power
  • Access point fails, i.e. reader not able to read card
  • Access point operational but input not detected, i.e. an issue with the card
  • Access point breached

Support & Maintenance Discussion

Any Questions?