Note: This is the first part of a two-part series from Ray Bernard. Next month he will discuss Guidelines and evolving access control systems in addition to other issues.
Q: Is there a standard or common convention for naming doors in an access control system?
A: There is no single standard, or even a set of standards, given the great variety of building and room types. Guideline documents published online can serve as a starting point for developing what you need.
The approaches for numbering and labelling for building areas, rooms and doors are numerous, and vary from very simple to very complex. Primary considerations stem from the uses of area and door labels and identifiers. There are typically several stakeholders and use cases, such as:
- Architects, Design Engineers and Consultants. Architectural design documents, which serve design and construction needs, must identify occupiable and non-occupiable buildings, areas, rooms and doors.
- Occupants and Visitors. Way finding by building occupants and visitors.
- Lock and Key Management. Door and storage cabinet physical lock and key management.
- Physical Security Planning. Critical assets and the areas containing them must be identified by name, and the means of physically and procedurally controlling access to them must be implemented.
- HVAC Controls: Area names, room numbers, suites within rooms and other thermostat-controlled room areas.
- Fire and Police Emergency Responders. Fire team needs for identifying doors and the areas they provide access to, and internal or external paths to specific areas.
- SOCs and Central Stations. Security operations centers and alarm central stations need to determine the city, building and location within a building an alarm refers to. How many buildings on a multi-building campus have a Front Lobby Entrance or North Fire Exit?
- E911 Dispatchable Location. Ray Baum’s Act requires organizations to ensure that every 911 conveys a dispatchable location, which is defined as "the street address of the calling party, and additional information such as room number, floor number, or similar information necessary to adequately identify the location of the calling party." There can be state-level requirements to consider as well.
Data Silos Grow Over Time
Given the number of stakeholders for whom accurate use of area, room and door naming is important, it makes sense to apply corporate data governance and data stewardship practices to establish a “single source of truth” (SSOT) for such data. But that’s hard to do early on in a building’s life because all the data stakeholders are involved yet, and all data needs can’t yet be established.
Since stakeholder involvement occurs sequentially and not simultaneously, what typically happens is that one stakeholder grabs some data from another stakeholder, and then fixes the naming gaps or shortcomings in its copy to suit its needs. Thus, various versions of the data exist in functional area siloes, evolving independently of the other versions of the data. That’s what makes establishing an SSOT for such data so difficult. The involvement of IT, and those with data governance responsibilities should be involved, and data stewardship responsibilities established.
Criticality of Data
Names for buildings, areas rooms and doors amount to a very small set of data considering the size of other data sets in the organization, and thus – at least theoretically – shortcomings should be more easily addressed than for other data sets. Because most stakeholders are unaware of the regulatory requirements involved (such as for 911 and e911 compliance) and the high consequences of critical emergency response errors, it’s hard for them to put a high priority on fixing the naming shortcomings. Everyday business-critical functions just don’t depend on this data.
Fixing This Small But Important Data Set
The work of fixing this relatively small data set is often not well-received. The costs involved in fixing door plaques or signs and the various conflicting data sets can seem out of proportion to the benefits because the regulatory requirements and the critical uses of some of the data are not commonly known to all stakeholders. Thus, the work of correcting the data can seem like needless disruption to some of the stakeholders.
That’s why, in large organizations, it usually takes high-level sponsorship to make it okay for stakeholders to put a high enough priority on the work. Additionally, insightful briefings, performed in a well-thought-out sequence over time, can appropriately emphasize the potential impacts of the emergency response failures that could result. When stakeholders understand the risks involved when they realize that the actual effort is small and the time frame for involvement is relatively short compared to other types of data initiatives, the needed level of stakeholder participation can usually be achieved.
First, the data should be captured digitally, its discrepancies reconciled, and its shortcomings in terms of each stakeholder need rectifying. That creates a qualified SSOT data set. The second, is working out what data gets distributed to whom, and how.
It is okay for individual stakeholders to possess and utilize only a portion of the SSOT data – but these data sets must always be based on the primary (i.e. SSOT) records. Any needed changes must be made in the SSOT data set and propagated out to stakeholders as needed.
About the author:Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities (www.go-rbcs.com). In 2018 IFSEC Global listed Ray as #12 in the world’s Top 30 Security Thought Leaders.He is the author of the Elsevier book Security Technology Convergence Insightsavailable on Amazon. Mr. Bernard is a Subject Matter Expert Faculty of the Security Executive Council (SEC) and is a member of the ASIS communities for Physical Security and IT Security. Follow Ray on Twitter: @RayBernardRBCS.
© 2022 RBCS