PHY026
Access control systems
Use access control systems to prevent unauthorised access.
An access control system is a measure or group of measures designed to:
- allow authorised personnel, vehicles, and equipment to pass through protective barriers
- prevent unauthorised access.
Achieving access control
Access control can be achieved in several ways. The most common ways are:
- using psychological or symbolic barriers — for example, Crime Prevention Through Environmental Design (CPTED)
- positioning security staff at entry and exit points
- positioning security staff at central points and having them monitor and control entry and exit points using intercoms, videophones, CCTV cameras, and similar devices
- installing mechanical locking devices operated by keys or codes
- using electronic access control systems (EACS).
Validating identity using authentication factors
Access control systems should provide identity validation using authentication factors about:
- what you have — keys, identity (ID) cards, and passes
- what you know — personal identification numbers (PINs)
- who you are — visual recognition, biometrics, and so on.
Using dual authentication
Dual authentication requires the use of two authentication factors.
Your organisation must use dual authentication to control access to zone 5 areas.
You should also use dual authentication when your risk assessment identifies a significant risk of unauthorised access.
Using EACS
Your organisation must use EACS when there are no other suitable identity verification and access control measures in place.
EACS can be used along with other personnel and vehicle access control measures.
Get expert help
Your organisation should:
- seek specialist advice before selecting EACS
- use a designer or installer recommended by the manufacturer to design and commission EACS.
Follow good practice
Your organisation must verify the identity of every potential cardholder before you issue them with access cards for your EACS.
You must also audit regularly to check who has access to your EACS. You need to find out who still needs access, and disable or remove access for people who no longer need it or have left your organisation.
You can use sectionalised EACS to control access to specific areas in your facility. The sections of EACS are normally the same as the sections of your alarm systems, but they may have extra operational access control points not covered by your individual alarm sections.
EACS should typically start at zone 2 perimeters, but may be used in zone 1 (for example, to control access to car parking).
Keep your EACS software and hardware up to date. Ensure your software is updated to address known vulnerabilities. Consider updating EACS cards and readers as they age and become vulnerable to new threats.
Relevant standards
CAN/ULC-S319 - Electronic Access Control Systems
Meet the highest threat and risk level
When you implement EACS to cover a whole facility (on their own or with other access control measures), design them to meet the highest perceived threat and risk level.
If you use multiple EACS along with other access control measures, design each system to meet the highest perceived threat and risk level in the areas covered by the system.
Using anti-passback controls in high security areas
When you use anti-passback controls, cardholders can’t pass their cards to another person to use and tailgaters can’t get through. This control system is valuable for preventing unauthorised access to highly secure environments.
Anti-passback establishes a specific sequence in which access cards have to be used for the system to grant access.
Anti-passback controls may also be achieved by linking access control to various other access systems, such as information systems and other physical access controls.
Using a two-person access system to protect highly valuable information and physical assets
Some EACS can be enabled to only allow access to areas when two people are present and will activate an alarm if one leaves the area. This feature is known as a ‘no-lone-zone’. It requires two authorised people to access and exit a designated area.
Consider using a two-person access system when you need to protect very highly or extremely valuable information and physical assets.
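The following is an added example, not part of the original guidance or of any vendor's EACS. It is a minimal Python model of the anti-passback sequence check and the no-lone-zone rule described above. The Zone class, the card IDs, and the alarm messages are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Zone:
    """Constructed model of one EACS-controlled area (all names hypothetical)."""
    authorised: set
    no_lone_zone: bool = False
    inside: set = field(default_factory=set)
    alarms: list = field(default_factory=list)

    def _deny(self, reason):
        self.alarms.append("denied: " + reason)
        return False

    def badge_in(self, *cards):
        """Admit the presented cards together, or nobody at all."""
        for card in cards:
            if card not in self.authorised:
                return self._deny(f"{card} not authorised")
            if card in self.inside:
                # Anti-passback: an entry read must follow an exit read.
                return self._deny(f"{card} already inside (card passed back)")
        if self.no_lone_zone and len(self.inside | set(cards)) < 2:
            return self._deny("two cardholders required to enter")
        self.inside.update(cards)
        return True

    def badge_out(self, card):
        if card not in self.inside:
            # Anti-passback: no entry on record, so the holder tailgated in.
            return self._deny(f"{card} exit without recorded entry")
        self.inside.remove(card)
        if self.no_lone_zone and len(self.inside) == 1:
            self.alarms.append("alarm: one person left alone in no-lone-zone")
        return True

def demo():
    """Replay a constructed sequence of reads against a two-person zone."""
    vault = Zone(authorised={"A1", "B2", "C3"}, no_lone_zone=True)
    results = [
        vault.badge_in("A1"),        # alone: refused
        vault.badge_in("A1", "B2"),  # pair: admitted
        vault.badge_in("A1"),        # A1 is inside, so the card was passed back
        vault.badge_out("C3"),       # C3 never badged in
        vault.badge_out("B2"),       # leaves A1 alone: alarm
    ]
    return results, vault.alarms

if __name__ == "__main__":
    print(demo())
```

Every denial is recorded alongside the alarms, so the same log supports the regular access audits required elsewhere in this guidance.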
Implementing an identity card system
Identity (ID) cards allow you to quickly recognise people who work for your organisation.
You must use ID cards in all facilities with security zones 3 to 5.
You should issue ID cards to all people who have regular access to your facilities and meet your personnel security requirements.
Establish high-quality processes first
To build an ID system of high integrity, you need robust processes for verifying identities, and for registering, enrolling, issuing, and auditing ID cards. Consider conducting a privacy impact assessment.
Verify all identities
Before you issue an ID card, you must verify the person’s identity.
You should sight each person’s:
- government-issued credentials with photographic or biometric identity features and a signature
- evidence of other identity verification documentation
- evidence of residential address.
For examples of each form of evidence, go to Proof of identity.
If your organisation already has information that verifies a person's identity, you can streamline the process. However, make sure the potential ID cardholder provides government-issued credentials with a photo and a signature.
Verify security clearance holders
When an ID card will grant access to areas requiring a security clearance, or indicate that the holder has a security clearance, you must independently verify the details of their clearance (including when it expires or is due for revalidation) before you issue an ID card.
Follow good practice
Your ID cards should:
- be worn and clearly displayed at all times in your premises
- be uniquely identifiable
- include a return address for lost cards
- not identify the facility to which the card gives access
- not be worn outside your premises
- be audited regularly in line with your risk assessment.
Within a zone 2 or higher area, remember to protect your:
- card making equipment
- spare, blank, or returned cards.
You can include other information on ID cards to improve your control of access, such as names, photographs, and colours.
Using EACS access cards as ID cards is not recommended, particularly in high security or high-risk areas.
Page last modified: 2/10/2018