Security Access Control Requirements Gathering Pack


Published on

This is a pack that I create to gather business requirements for a new Security Access Control system. It inlcudes basic questions that you should ask when completing an initial scoping exercise.

Published in: Technology
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Security Access Control Requirements Gathering Pack

  1. 1. Access Control Requirements Gathering Session 1
  2. 2. • The business requirements will form the basis of future projects and will determine the eventual scope. • If a ‘need’ is not raised as a requirement, the project will not know that the system must perform an action- therefore it will not be included within the scope of the project or included within the end solution. • The requirements will be base-lined at the end of the Initiate Phase. Any requirements submitted after this date will not be accepted without a change request and associated funding (where applicable). • The identified business stakeholders are responsible for ensuring that all requirements are raised during the Initiate Requirements gathering process. The Importance of Requirement Gathering
  3. 3. • Review each area of Access Control functionality. • Prepare a set of draft Access Control BUSINESS requirements for each of the functional areas. • Agree a priority for each draft requirement. • Agree next steps, actions and areas for further investigation. Workshop 1 Objectives
  4. 4. Defining the Threat- Review
  5. 5. • What threats are present? • What are the drivers for an access control system? i.e. controlling visitor numbers, protecting people, protecting assets, anti-tailgating, anti-pass back, etc? • Who and what are we trying to protect? Defining the Nature of the Threat- Discussion
  6. 6. Areas of Concern
  7. 7. • What general areas need to be controlled?- areas, rooms, locations etc? • What exceptions exist?- i.e. Fire Exits etc? • What areas require enhanced access control?- i.e. Equipment Rooms, Data Centres etc • Why do these areas need to be controlled? What is the related threat? • What is the level of risk associated with these areas? • What is the function of installing control in these areas? Areas of Concern (General)- Discussion
  8. 8. • What vulnerable points exist for each area to be controlled?- doors, windows, air conditioning shafts, conduits etc • What points should have access control? • Should access be controlled on a location by location basis or should access be controlled to area ‘types’? Areas of Concern (Specific)- Discussion
  9. 9. Health & Safety
  10. 10. • Are there any legal requirements? Health & Safety or Disability & Discrimination Act? • How should access control act in case of an emergency?- i.e. release on emergency? • What is the definition of an emergency? • What fire officer requirements exist? • What provisions should be granted to the blue light services? • What are the requirements for disabled access? • When will the access system be operation? 247/ 365 or night time only? Health & Safety- Discussion
  11. 11. Type of Access Control
  12. 12. • Should the system be automatic or manned? • What types of barriers should be used for each of the areas in scope?- door locks, arm barriers, vehicle block devices etc? • What types of additional barriers should be used for the priority locations?- electronic keys, finger print scanning? • What type of verification measures should be used? Electronic key card, IRIS scan, Finger print recognition, ID codes, keys etc. • What should the user do when access is denied? Should an intercom system be present? Types of Access Control- Discussion
  13. 13. • How often will the access control be used in each of the areas? • What level of security should be in place? • If the power drops what should happen? • Anti-Tamper mechanisms? Technical Details Discussion
  14. 14. Operational Considerations
  15. 15. • How will access control be managed?- customer, Staff, Disabled Visitors/ Staff, Contractors etc? • What information will be captured against each person granted access? Name, address, role, date given, expiry date etc? • What period should access be granted for? • What types of protected access should be provided? • How will deliveries be controlled? • Where will data entry and monitoring of alarm activity take place? • How will data for entry or modification be gathered? • How will security clearance be processed? Operational Issues- Discussion
  16. 16. Integration to Other Systems
  17. 17. • Should there be integration between the Access Control System and other systems? i.e. CCTV system? • What information should pass between the systems? Integration Discussion
  18. 18. Management Information, Reporting & Maintenance
  19. 19. • What information should the system capture? • Successful access- user ID, time, location etc.? • Unsuccessful access- user ID, time, location, number of attempts etc.? • Should information be captured and available to view in real time? i.e. should it be possible to identify where an individual is located at all time? • What reports should be available from the system? • Should the system automatically alert based on event triggers? If so, what events should trigger alerts and how should the system alert? • What should the system do in the event of a breach? – i.e. a door is forced? Management Information & Reporting Discussion
  20. 20. • What should the system do in the event that an access control point fails in the following scenarios: • Access point looses power • Access point fails- i.e. reader not able to read card • Access point operational but input not detected- i.e. an issue with the card. • Access point breached? Support & Maintenance Discussion
  21. 21. Any Questions?