Effective Key Management Procedures

Introduction

Despite the widespread use of electronic card access control systems, most facilities still make extensive use of traditional locks and keys at their facilities. It is still much less expensive to equip a door with a standard lock than it is with any type of electronic access control device. For these reasons, most organizations equip only a small percentage of their doors with electronic access devices, and install traditional locks on the majority of their other doors.

Because traditional locks and keys continue to be widely used, it is important that effective security management procedures be put into place to effectively control them.

Lock System Selection

The first step in effective key management begins with the initial selection of the lock system. The first decision is what type of lock system should be used, a "standard security lock system", or "high-security lock system". A standard security lock system is less expensive, widely available, and offers more flexibility in the way that keys can be duplicated. High-security lock systems offer much greater security but are more expensive, available through fewer channels, and generally require that duplicate keys be obtained only through authorized distributors. (See related article High-Security Locks for more information).

Once the type of lock system has been decided upon, the next decision is to choose a lock manufacturer. In many cases, selecting a lock manufacturer also chooses the type of lock cylinders and key that will be used. For example, a series of locks manufactured by the "XYZ Lock Company" probably comes with XYZ lock cylinders and XYZ keys. Cylinders and keys are generally not interchangeable between brands, so once an organization picks one brand of lock and key, they usually need to stick with it.

(High-security lock systems can be the exception to this rule - high-security lock cylinders can often be installed in locks produced by other manufacturers. This allows locks to be upgraded to use high-security keys without requiring that the lock itself be replaced.)

Lock System Design and Keying

Once a type and brand of lock system has been chosen, the next step is to design the system and to determine how it will be "keyed". This process is normally facilitated by the architectural hardware consultant who is specifying the lock system. The process generally involves creating a matrix that shows all doors in the building, identifying all of the categories of employees that require access through these doors, and establishing which categories of employees need access through each of the doors.

Once this process is completed, the hardware consultant will design the keying system and create keying chart. This chart may be simple or complicated depending on the type of facility and total number of doors to be controlled. An example of a simple keying chart is shown below.

The chart shows three levels of keying. The keys at the lowest level are known as "Change Keys". These keys typically allow access to only a single area or department. For example, in the chart above, the Accounting change key would only allow access into the Accounting Department, and the Human Resources change key would only allow access to the Human Resources department.

The keys at the next level are known as "Master Keys". These keys allow access to all of the areas or departments shown below them on the keying chart. For example, in the chart above, the Administration Master Key would allow access to both the Accounting Department and Human Resources Department.

The key at the top of the chart is known as the "Grand Master Key". This key would typically allow access to all areas and all departments in the facility.

The design of a keying system can be a very complex subject and this article just touches on some of the basics. However, when designing a keying system, the following should be considered:

There is always a trade-off between security and convenience. While it is very convenient for a manager to have a grand master key that opens every door on the premises, consider the damage that would be caused if this key fell into the wrong hands. Also, having such a key lost or stolen would require rekeying the entire facility - a very costly proposition.

When using standard security lock cylinders, master keying makes the lock more susceptible to both "picking" and "bumping".

High-security areas in the facility sometimes should be keyed so that they are not part of the master key system. This is sometimes called keying "off-master". In some cases, this may be mandated by regulatory requirements. For example, regulations in some states say that, in hospitals, only registered pharmacists are allowed access to pharmacy areas - even the top executives of the hospital are not allowed to enter the pharmacy unless a pharmacist is present. However, keying locks off-master should be done sparingly, otherwise you may end up with a complicated and unwieldy key system.

The keying system should be designed to accommodate future growth. For example, if you are constructing one building in a campus that is expected to eventually have three buildings, the keying system should be designed with this in mind.

Using Keys in Conjunction With Electronic Access Control Systems

Doors that are equipped with card readers or other access control devices often have lock cylinders on them to allow them to also be opened with a key.

It is our recommendation that these lock cylinders not be keyed to any key that is routinely carried by employees, including master keys. Having the ability to open an access-controlled door with a key causes false door-forced-open alarms and defeats the accountability feature provided by the access control system. (See related article Solving the False "Door-Forced-Open" Alarm Problem )

We recommend that lock cylinders on access-controlled doors be keyed to a special "emergency key" that is used only in the event of system failure. These keys should be kept in a secure location and only issued in the event of an extended access control system failure.

Determining Who Gets Which Keys

Determining who has access to which areas in the facility is an important decision. Some security or facility managers feel pressure to give keys out to anyone who requests them, regardless of need. This is particularly true when the request is being made by a senior executive or manager.

We recommend the following:

Written policies and procedures for key issuance and management should be developed and approved by the company's senior leadership. Once these policies and procedures have been approved, they should be consistently applied.

Keys should be issued strictly based on job responsibilities and not seen as a symbol of rank within the organization. Not every manager, director or vice president needs to have a grand master key.

Access privileges should be based on normal needs and not exceptions. For example, an employee may be assigned to the Accounting Department and work a majority of his time there, but once or twice per year, he may be called in to work in the Payroll Department. This employee should be assigned a key that works only in the Accounting Department. A key that works in the Payroll Department should be temporarily assigned to the employee only while he is working there and returned when he goes back to his regular job.

Many employees request keys that provide access beyond what they need on a daily basis just so that they can respond “in an emergency”. For example, a nighttime supervisor in the Manufacturing Department may claim he needs a master key for the Administrative Offices so that he can get in case of a fire or a water leak. Again, the rule should be to issue access privileges based only on routine needs, and have a procedure in place to allow special access in an emergency.

Key Authorization and Issuance Procedures

Good key authorization and issuance procedures are an essential part of any effective key management system. The following is recommended:

All requests for keys should be made on a written Key Authorization Form. Electronic forms may be used as an alternative provided that a reliable method is used to authenticate signatures. An example Key Authorization Form is shown below.

Key requests should always be submitted and approved by a second party. In most cases, this will be the employee's supervisor or manager. An employee should never be able to request and approve a key for himself.

Keys that provide access to high-security or hazardous areas should have the approval of the manager that "owns" that area in addition to the employee's supervisor. For example, a request for a maintenance employee to have access to a Lab area might require the approval of both the Maintenance Manager and the Lab Director.

Keys are always issued to individual people, not to departments or companies. For example, if all employees of the IT Department need access to a specific room, each employee should be individually assigned a key. It should never be acceptable for a department head to say "send me up five keys for my people" or to maintain a local stock of unassigned keys that he can hand out at his discretion.

All keys should be stamped with a unique key identifier and serial number. The serial number of each key issued to an employee should be recorded on the Key Authorization Form.

All employees should be required to personally sign for keys when they are issued.

Getting Keys Back from Employees When They Leave

The biggest key management problems that many organizations face involves getting keys back from employees when they leave the organization. Some typical problems include:

Employee quits or is terminated and fails to return keys at the time of their departure.

Employee fails to return to work and is terminated but keys are never retrieved.

Employee leaves company and turns keys in to departmental supervisor or manager. Keys are kept in department and never returned to person responsible for managing the key system.

Employee is promoted or transferred to another department or site and is issued keys for new job but fails to return keys from previous job.

Solving these problems requires close cooperation with your Human Resources (HR) Department. HR is normally involved in every employee resignation, termination or transfer and usually conducts an exit interview with employees on their last day of work. HR should have access to key records so that they know which keys have been issued to each employee. Retrieving the employees keys (as well as access card and other company-owned property) should be an integral part of the exit interview process. When HR receives returned keys, they should be forwarded to the person or department that manage the key system for the organization.

Reporting Lost or Stolen Keys

Employees should be encouraged to report lost or stolen keys immediately. Sometimes, an employee may misplace his or her key and not report it missing right away, thinking that the key may have been left at home or in another place. This can allow several days to transpire between the time a key is first missed and when it is reported lost.

Some organizations charge employees for replacement keys or even make employees pay for all or part of the expense of rekeying locks when a key is lost. In our opinion, this is a poor practice as it often discourages employees from reporting lost or stolen keys. We think it is better for an organization to know that a key has been compromised and bear the expense of rekeying rather than not to know about it at all.

Dealing With Exceptions

Procedures need to be in place to get keys to those who need them under special circumstances. Examples can include employees who temporarily need a key to an area other than their normal workplace, and contractors or service technicians who need keys to work on a specific project.

It is recommended that some type of secure key storage system be used. These can include wall-mounted key cabinets, file cabinets with hanging key files, and drawers used to store keys that have been sealed in small envelopes.

The key storage system should provide the ability to identify and locate each of the keys quickly, and to identify keys which are missing or have not been returned. A written key issuance log should be kept that tracks who each key has been issued to, who approved it, when the key was issued, when it is expected to be returned, and when it was actually returned.

The key issuance log should be periodically audited to identify keys that are missing or which have not been returned at the agreed upon time. Audits should be conducted by the person managing the key system on at least a weekly basis. In addition, independent audits should be conducted by an outside party (such as the security manager) on at least a monthly basis.

To more effectively manage the key storage and issuance process, there are automated key cabinets available. These cabinets store and dispense keys and maintain an electronic record of which key has been issued to who and when. The cabinets also allow alerts to automatically be sent by email when a key isn't returned as expected. Automated cabinets typically require the use of a numeric PIN code in order to remove or return a key. Some cabinets are also capable of using the employee's proximity access card to operate the cabinet and remove a key.

Automatic key cabinets are fairly expensive and not right for everyone, but can be a good choice for larger organizations who sign in and out a large number of keys on a daily basis

Emergency Access

Many fire departments now require that that keys to the building be kept in a fire department key boxes (often called "Knox Boxes") located outside of the building. These key boxes are exclusively for the use of emergency responders and cannot be used by company employees. (See related article Security Vulnerabilities Created by Fire Department Key Boxes )

There are cases where employees may need emergency access into areas where they are not ordinarily allowed. If the facility has security officers on duty 24/7, emergency access to locked areas usually can be provided by the on-duty officer.

For facilities without 24/7 security, the best choice is to use an emergency key box. These key boxes are locked but have a breakable glass front. When emergency access to a key is needed, the glass is broken and the key inside removed. The emergency key box should be kept is an area that is secure but accessible to employees who may need to use it. A tamper switch connected to the building's intrusion alarm or security management system should be provided so that an alarm signal is received anytime a key is removed from the emergency key box.

A written security report should be required anytime that a security officer unlocks a door to provide emergency access or whenever an emergency key box is used.

If you have questions about anything in this article, or need help in planning effective key management procedures for your organization, please contact us.

Like this article?

Visit our Security Tips page for more than 75 additional articles on a variety of topics related to physical security

Did You Know?

Silva Consultants is an independent security consulting firm and does not sell security equipment or products

Need Help?

Silva Consultants can assist you in the design and planning of an effective security program and in the selection of security products and services

Please contact us for further assistance

Thinking about becoming an independent security consultant yourself?

Buy Michael A. Silva's book on Amazon

"Becoming an Independent Security Consultant – A Practical Guide to Starting and Running a Successful Security Consulting Practice"

Published May, 2016