Security Access Control Requirements Gathering Pack
Access Control Requirements Gathering
• The business requirements will form the basis of future projects and will determine the
• If a ‘need’ is not raised as a requirement, the project will not know that the system must
perform an action; therefore it will not be included within the scope of the project or
within the end solution.
• The requirements will be baselined at the end of the Initiate Phase. Any requirements
submitted after this date will not be accepted without a change request and associated
funding (where applicable).
• The identified business stakeholders are responsible for ensuring that all requirements are
raised during the Initiate Requirements gathering process.
The Importance of Requirement Gathering
• Review each area of Access Control functionality.
• Prepare a set of draft Access Control BUSINESS requirements for each of the functional
• Agree a priority for each draft requirement.
• Agree next steps, actions and areas for further investigation.
Workshop 1 Objectives
• What threats are present?
• What are the drivers for an access control system, e.g. controlling visitor
numbers, protecting people, protecting assets, anti-tailgating, anti-passback, etc.?
• Who and what are we trying to protect?
Defining the Nature of the Threat - Discussion
• What general areas need to be controlled (areas, rooms, locations, etc.)?
• What exceptions exist (e.g. fire exits)?
• What areas require enhanced access control (e.g. equipment rooms, data centres)?
• Why do these areas need to be controlled? What is the related threat?
• What is the level of risk associated with these areas?
• What is the function of installing control in these areas?
Areas of Concern (General) - Discussion
• What vulnerable points exist for each area to be controlled (doors, windows, air
conditioning shafts, conduits, etc.)?
• What points should have access control?
• Should access be controlled on a location-by-location basis, or should access be controlled
by area ‘type’?
Areas of Concern (Specific) - Discussion
• Are there any legal requirements, e.g. Health & Safety or Disability & Discrimination Act?
• How should access control act in case of an emergency (e.g. release on emergency)?
• What is the definition of an emergency?
• What fire officer requirements exist?
• What provisions should be granted to the blue light services?
• What are the requirements for disabled access?
• When will the access system be operational? 24/7/365 or night time only?
Health & Safety - Discussion
• Should the system be automatic or manned?
• What types of barriers should be used for each of the areas in scope (door locks, arm
barriers, vehicle block devices, etc.)?
• What types of additional barriers should be used for the priority locations (electronic
keys, fingerprint scanning)?
• What type of verification measures should be used (electronic key card, iris scan,
fingerprint recognition, ID codes, keys, etc.)?
• What should the user do when access is denied? Should an intercom system be present?
Types of Access Control - Discussion
• How often will the access control be used in each of the areas?
• What level of security should be in place?
• If the power drops, what should happen?
• Anti-Tamper mechanisms?
Technical Details Discussion
• How will access control be managed (customers, staff, disabled visitors/staff, contractors)?
• What information will be captured against each person granted access
(name, address, role, date given, expiry date, etc.)?
• What period should access be granted for?
• What types of protected access should be provided?
• How will deliveries be controlled?
• Where will data entry and monitoring of alarm activity take place?
• How will data for entry or modification be gathered?
• How will security clearance be processed?
Operational Issues - Discussion
• What information should the system capture?
• Successful access: user ID, time, location, etc.?
• Unsuccessful access: user ID, time, location, number of attempts, etc.?
• Should information be captured and available to view in real time? i.e. should it be possible
to identify where an individual is located at all times?
• What reports should be available from the system?
• Should the system automatically alert based on event triggers? If so, what events should
trigger alerts and how should the system alert?
• What should the system do in the event of a breach, e.g. a door is forced?
Management Information & Reporting Discussion
• What should the system do in the event that an access control point fails in the following
• Access point loses power
• Access point fails, e.g. reader not able to read card
• Access point operational but input not detected, e.g. an issue with the card
• Access point breached?
Support & Maintenance Discussion