BEST PRACTICES FOR KEY MANAGEMENT
48 KEYNOTES JANUARY 2015

“THE SECURITY PROVIDED BY EVERY MASTER KEY SYSTEM IS DIRECTLY RELATED TO THE USE OF PROPER RECORD-KEEPING TECHNIQUES AND STANDARDS.”

locked? Or locked that is normally unlocked? Consider making an extra effort to watch the area. It may be the first sign of some form of keying attack, such as the Dayton Method or a Disassembly Attack. If nothing else, document such incidents; the pattern may help later in determining what happened if problems arise.

11. Create effective key issue, tracking and return policies. If you do not know exactly who has keys to every area of the system, the system has no controls. It is vital that every key is individually tracked from issue to return and properly documented at every stage. Permit no exceptions. Get authority vested at the highest levels in support of the policies to avoid internal power struggles.

Keys should be authorized in writing by a person’s supervisor, and the signature verified before any key is issued. Verification is necessary because a person may often have access to the authorization forms and simply scribble a signature. Since the staff issuing keys are not handwriting experts, almost any signature will usually be accepted as genuine, even, astoundingly, ones with a different name than the authorizing person.

In many cases, it will not be a supervisor who actually issues the key authorization, but an executive secretary or departmental secretary with the approval of the supervisor. This is generally considered adequate protection procedurally, as long as it is properly verified. But be certain who is verifying it. Schools often allow students to answer phones, so it could be someone who is merely a peer or associate of the potential keyholder.

Each key request is checked to be certain it is only for rooms that the person is assigned to. A person should not be issued a master key “just because it is the only key that is shown for the room the individual is to enter.” If necessary, the lock should be re-keyed prior to key issue to accommodate the request. Generally the authorizing department either agrees to pay for the re-keying or declines to issue that person a key.

Every key is stamped with a blind code and is individually assigned. There are many options for key stamping. Key stamping is a vital part of key management because you cannot track keys without a number. But if that number tells the cuts, it makes it too easy for someone who has not been issued a key to an area to modify theirs to operate that area. Blind coding is the best practice, although many factories still implement the SKCS for key marking. SKCS was developed as an aid in system layout by Tom Hennessy. It was not intended to be a key marking system, and while it is better than some alternatives such as direct digit or sequential numbering, it is not very secure and often telegraphs more information than is ideal.

An annual key audit should be performed to determine if every employee still has the key(s) that he or she signed for.

Keys that are needed only short-term should be handled with short-term distribution policies and procedures, rather than becoming lost in the long-term issue records.

Every key must be signed for, with language to discourage or prevent duplication, lending, etc. Rather than simply stating it is unlawful to duplicate the keys you are issued, consider warnings that are more honest, such as: “Attempts to duplicate this key violate the security and well-being of the institution, and may result in civil penalties under law, as well as resulting in potential banishment from the institution.”

Bulk issue equals no key tracking capability and no personal responsibility.
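The issue, tracking, audit and short-term rules in item 11 map naturally onto a small key register. The following Python is an added illustration written for this page, not code from ALOA or the article's author; the people, rooms, dates and blind codes are constructed sample data, and the record layout is an assumption. It shows the checks the text calls for: the supervisor's authorization is verified before issue, a key is refused when it opens rooms the person is not assigned to (so a master is not handed out as a shortcut), the cuts are held apart from the blind code on the issue record, short-term issues carry an expiry, and an audit reports keys that have outlived a legitimate need.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass
class Person:
    pid: str
    assigned_rooms: set          # rooms this person is entitled to enter
    supervisor: Optional[str]    # pid of the person who may authorize a key for them


@dataclass
class KeyRecord:
    blind_code: str              # the number stamped on the key; says nothing about the cuts
    opens: set                   # rooms the key operates (a master opens many)
    holder: Optional[str] = None
    issued_on: Optional[date] = None
    expires_on: Optional[date] = None   # only set for short-term issues
    history: list = field(default_factory=list)


class KeyRegister:
    """One record per physical key: no bulk issue, every key signed for individually."""

    def __init__(self, people, keys):
        self.people = {p.pid: p for p in people}
        self.keys = {k.blind_code: k for k in keys}
        self._bitting = {}       # blind code -> cuts, kept apart from the issue records

    def record_bitting(self, blind_code, cuts):
        self._bitting[blind_code] = cuts

    def issue(self, blind_code, holder, authorized_by, signature_verified, today, days=None):
        key, person = self.keys[blind_code], self.people[holder]
        if key.holder is not None:
            raise ValueError(f"{blind_code} is already signed out to {key.holder}")
        if authorized_by != person.supervisor:
            raise PermissionError("authorization must come from the holder's own supervisor")
        if not signature_verified:
            raise PermissionError("supervisor signature was not verified")
        # A key is issued only for rooms the person is assigned to; a master that also
        # opens other rooms is refused (re-key the lock instead of issuing the master).
        extra = key.opens - person.assigned_rooms
        if extra:
            raise PermissionError(f"{blind_code} also opens unassigned rooms {sorted(extra)}")
        key.holder, key.issued_on = holder, today
        key.expires_on = today + timedelta(days=days) if days else None
        key.history.append(("issued", holder, today))

    def return_key(self, blind_code, today):
        key = self.keys[blind_code]
        key.history.append(("returned", key.holder, today))
        key.holder = key.issued_on = key.expires_on = None

    def audit(self, today):
        """The periodic audit: which outstanding keys no longer match a legitimate need?"""
        findings = {"expired": [], "out_of_scope": [], "holder_unknown": []}
        for code, key in self.keys.items():
            if key.holder is None:
                continue
            person = self.people.get(key.holder)
            if person is None:                         # separated, retired, deceased
                findings["holder_unknown"].append(code)
                continue
            if key.expires_on and key.expires_on < today:
                findings["expired"].append(code)       # short-term issue never returned
            if not key.opens <= person.assigned_rooms:
                findings["out_of_scope"].append(code)  # transferred but kept the old key
        return findings


def run_scenario():
    """Constructed sample data: hypothetical people, rooms and blind codes."""
    sup = Person("S1", {"101", "102", "103"}, supervisor=None)
    emp = Person("E1", {"101", "102"}, supervisor="S1")
    temp = Person("T1", {"102"}, supervisor="S1")
    retiree = Person("R1", {"103"}, supervisor="S1")
    reg = KeyRegister([sup, emp, temp, retiree], [
        KeyRecord("A-0417", {"101"}),
        KeyRecord("A-0418", {"102"}),
        KeyRecord("A-0419", {"103"}),
        KeyRecord("M-0003", {"101", "102", "103"}),   # department master
    ])
    reg.record_bitting("A-0417", "46253")   # cuts never appear on the key or the issue log
    day0 = date(2015, 1, 5)
    reg.issue("A-0417", "E1", authorized_by="S1", signature_verified=True, today=day0)
    reg.issue("A-0418", "T1", authorized_by="S1", signature_verified=True, today=day0, days=7)
    reg.issue("A-0419", "R1", authorized_by="S1", signature_verified=True, today=day0)
    try:                                     # master only shown for room 103: refused
        reg.issue("M-0003", "E1", authorized_by="S1", signature_verified=True, today=day0)
        master_refused = False
    except PermissionError:
        master_refused = True
    emp.assigned_rooms = {"201"}             # E1 transferred without returning A-0417
    del reg.people["R1"]                     # R1 left; A-0419 never came back
    return {"master_refused": master_refused,
            "findings": reg.audit(day0 + timedelta(days=30))}


if __name__ == "__main__":
    print(run_scenario())
```

The audit deliberately reports three separate conditions, because each calls for a different follow-up in the text: an expired short-term issue goes back to the short-term procedure, an out-of-scope key needs sign-off from both the old and new supervisor, and a key whose holder is no longer on the books needs immediate recovery.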
A common error in key management systems is to record all the keys that are issued to regular full-time employees, but when keys are needed by non-employees, either the employee signs for many keys, or the keys are simply given out without being signed for. Both of these leave the system very vulnerable.

The policy should require the immediate return of unnecessary keys. It is not uncommon for employees who are transferred to another area to attempt to retain the old keys “so they can visit their friends there.” If that is a legitimate need, it should be signed off on by both the old and new supervisors.

It is not uncommon for retirees to want to keep their keys. In some cases it may temporarily be for a legitimate need, such as in universities where a retired professor may still come back and voluntarily teach classes or otherwise offer support to the department. The problem is in determining when that need ends. It should be closely monitored, and the supervisor for the department checked with regularly for verification (at a minimum annually).

12. No one is exempt. Having authority for the policies come from the highest possible level is vital. Without it, some areas and some personnel will consider themselves or their department more important than the policies, and at that point the entire system is at risk.

It is even necessary that the dead be responsible for following policies. No one wants to bother a grieving family to ask for the keys assigned to the deceased to be returned immediately, but without it your risk factor has grown exponentially. Family members overcome with grief may deliberately mishandle keys or give or sell them to

WWW.ALOA.ORG