security access control requirements gathering pack
DESCRIPTION
This is a pack that I create to gather business requirements for a new Security Access Control system. It includes basic questions that you should ask when completing an initial scoping exercise.
TRANSCRIPT
Access Control Requirements Gathering Session 1
• The business requirements will form the basis of future projects and will determine the eventual scope.
• If a ‘need’ is not raised as a requirement, the project will not know that the system must perform an action; therefore it will not be included within the scope of the project or within the end solution.
• The requirements will be base-lined at the end of the Initiate Phase. Any requirements submitted after this date will not be accepted without a change request and associated funding (where applicable).
• The identified business stakeholders are responsible for ensuring that all requirements are raised during the Initiate Requirements gathering process.
The Importance of Requirement Gathering
• Review each area of Access Control functionality.
• Prepare a set of draft Access Control BUSINESS requirements for each of the functional areas.
• Agree a priority for each draft requirement.
• Agree next steps, actions and areas for further investigation.
Workshop 1 Objectives
Defining the Threat- Review
• What threats are present?
• What are the drivers for an access control system? i.e. controlling visitor numbers, protecting people, protecting assets, anti-tailgating, anti-pass back, etc?
• Who and what are we trying to protect?
Defining the Nature of the Threat- Discussion
Areas of Concern
• What general areas need to be controlled?- areas, rooms, locations etc?
• What exceptions exist?- i.e. Fire Exits etc?
• What areas require enhanced access control?- i.e. Equipment Rooms, Data Centres etc
• Why do these areas need to be controlled? What is the related threat?
• What is the level of risk associated with these areas?
• What is the function of installing control in these areas?
Areas of Concern (General)- Discussion
• What vulnerable points exist for each area to be controlled?- doors, windows, air conditioning shafts, conduits etc
• What points should have access control?
• Should access be controlled on a location by location basis or should access be controlled to area ‘types’?
Areas of Concern (Specific)- Discussion
Health & Safety
• Are there any legal requirements? Health & Safety or Disability & Discrimination Act?
• How should access control act in case of an emergency?- i.e. release on emergency?
• What is the definition of an emergency?
• What fire officer requirements exist?
• What provisions should be granted to the blue light services?
• What are the requirements for disabled access?
• When will the access system be operational? 24/7/365 or night time only?
Health & Safety- Discussion
Type of Access Control
• Should the system be automatic or manned?
• What types of barriers should be used for each of the areas in scope?- door locks, arm barriers, vehicle block devices etc?
• What types of additional barriers should be used for the priority locations?- electronic keys, finger print scanning?
• What type of verification measures should be used? Electronic key card, iris scan, fingerprint recognition, ID codes, keys etc.
• What should the user do when access is denied? Should an intercom system be present?
Types of Access Control- Discussion
• How often will the access control be used in each of the areas?
• What level of security should be in place?
• If the power drops what should happen?
• Anti-Tamper mechanisms?
Technical Details Discussion
Operational Considerations
• How will access control be managed?- customer, Staff, Disabled Visitors/ Staff, Contractors etc?
• What information will be captured against each person granted access? Name, address, role, date given, expiry date etc?
• What period should access be granted for?
• What types of protected access should be provided?
• How will deliveries be controlled?
• Where will data entry and monitoring of alarm activity take place?
• How will data for entry or modification be gathered?
• How will security clearance be processed?
Operational Issues- Discussion
Integration to Other Systems
• Should there be integration between the Access Control System and other systems? i.e. CCTV system?
• What information should pass between the systems?
Integration Discussion
Management Information, Reporting & Maintenance
• What information should the system capture?
  • Successful access- user ID, time, location etc.?
  • Unsuccessful access- user ID, time, location, number of attempts etc.?
• Should information be captured and available to view in real time? i.e. should it be possible to identify where an individual is located at all times?
• What reports should be available from the system?
• Should the system automatically alert based on event triggers? If so, what events should trigger alerts and how should the system alert?
• What should the system do in the event of a breach? – i.e. a door is forced?
Management Information & Reporting Discussion
• What should the system do in the event that an access control point fails in the following scenarios:
  • Access point loses power
  • Access point fails- i.e. reader not able to read card
  • Access point operational but input not detected- i.e. an issue with the card
  • Access point breached?
Support & Maintenance Discussion
Any Questions?