example, they would number them 7501- 001, 7501-002 and 7501-003. Creating the unique identifier allows the assignment of the specific key to a specific individual. I will caution that some organizations will stamp the key set information as the key unique identifier. For example, AA 1-001, AA 1-002, AAB 2-001 and AAB 2-002. I would not recommend this prac- tice. The belief is that the layperson will not know what this represents, and it provides the security professional with a view of the person’s level of access based on the key identifier. The issue is that patterns can be discerned. We should never make it easier for individuals to decode our key systems. Temporary Key Issues In a large organization, it is sometimes necessary to assign keys to contractors or suppliers. In this instance, it is not only important to create a record of the assign- ment but to also create a reminder for the keys’ eventual return. The primary con- cern is giving a non-affiliated individual access to spaces they no longer need. I had a situation once in which I was heading to a door, and a contractor was kind enough to open the door for me be- fore I could take out my own keys. Ap- parently, the contractor was provided a building master key and had never re- turned it at the end of the specific proj- ect. I was able to correct this issue, but it does highlight the importance of retriev- ing temporary keys. Again, this could be performed with something as simple as an appointment created in a calendar ap- plication or as part of a key management soſtware application. The system used by my organization automatically sends an email out to both the project manager who requested the keys for the contrac- tor as well as to the actual contractor on the expected return date. The system will continue to do so until the key has been returned. This will prevent keys from re- WWW.ALOA.ORG “We should never make it easier for individuals to decode our key systems.” maining in the temporarily authorized individuals’ possession. Auditing We have all heard the famous Ronald Reagan quote “trust, but verify.” Of course, he was speaking about arms agreements, but the same is true in key control. An audit process should be set up to validate that key holders are holding up their end of the agreement to maintain the security of your organization. Create a random audit of the various individu- als who have been issued keys from your system. Even though you will be auditing only a small number of individuals, word will get around the greater population, and it should improve the handling of keys throughout the organization. Return Last, we come to the return of keys. Of- tentimes a “separation” occurs with in- dividuals who have been provided keys. Whether this means they moved on to another position in the organization, cho sen to leave their position or have been let go from the organization, it is critica that keys are returned after any sepa ration. If the individual is moving on to another position, it is likely they wil have different access needs and no lon ger need the access they previously held. True control is providing access only to the areas required for them to fill their responsibilities. If the individual is leaving the organi- zation, you will need the support of the separation manager or human resources department to ensure that, as part of the separation process, the organization’s keys are returned. It is very important that you, as the key control manager, take possession of the keys and update records of their return. We do not want keys float- ing about in someone’s desk drawer or provided to another individual without your direct management of the process. I heard of one situation where a long- time manager, employed more than 30 years, leſt a facility. There were more than 300 keys in this individual’s desk, with various levels of exposure to the facility. Many of the keys were not assigned to this individual but had been collected over the years from contractors. The exposure to the facility had the keys not been recap- tured could have been staggering. This example points strongly to the need to have keys put back under the control of the security professional. Key control is a valuable tool to aid in the security of people and assets. When done properly, it can greatly re- duce the cost associated with property loss and maintenance of your system se- curity. By preventing unauthorized du- plication, tracking the keys, controlling temporary keys, validating key holder responsibility and ensuring the proper return of keys, you can close the loop nthony R. Hicks, CML, MBA, has been a secu- y professional for 36 ars. He has worked as commercial/residential/ nstitutional locksmith, as well as worked in the manufacturing arm of the industry. He is currently the supervi- sor of physical security for Northwestern University. JANUARY 2019 KEYNOTES 15
