How to Develop Effective Key Control Policies
Do you have enforceable and up-to-date key control policies? With so much attention paid to high-tech threats, it’s easy to forget that those little metal keys can make you pretty vulnerable, too.
Think about how many doors in your facility are accessed via mechanical keys. Do your entry doors require only a key to open? What about file or server rooms? Do you have expensive inventory or supplies protected by lock and key?
Mechanical keys tell no tales. If inventory or supplies go missing, you may have no way to determine who unlocked the door. Worse yet, most keys can be duplicated without your permission. So you may have no idea how many people are opening your doors.
Assess the Risk
Here are a few questions to ask:
- Do you know how many keys your company has issued?
- Do you know who currently holds those keys?
- Can you control who duplicates your keys?
If you answered ‘no’ to any of those questions, then you have holes in your security program that you need to plug.
Solve the Problem
Here are some steps you can follow to develop effective key control policies:
- Start with a patented keying system
- Design a master key system
- Re-key your facility
- Sign out new keys
Start With a Patented Keying System
Most keys can be duplicated at local hardware stores because anyone can purchase the blank – or uncut – key. Asking your locksmith to stamp “Do Not Duplicate” on the key is meaningless if the distribution of blanks is not strictly controlled by the manufacturer.
The only way that a manufacturer can hope to control the sale of their key blanks is by receiving a Utility Patent: A Utility Patent applies to the way an invention works, as opposed to a Design Patent, which only applies to the way an invention looks.
Once a patent is issued, it is illegal for a third party to produce a key that will work in the patented lock. As a result, the only vendors that have access to the blanks are locksmiths who are under contract with the manufacturer. So if an unscrupulous employee tries to copy a patented key, they can’t just stop by the local hardware store.
When working with a reputable locksmith, provide them with a list of individuals who are authorized to purchase duplicate keys for you. The locksmith should have a system of verifying identification and recording the details of every key they cut.
When selecting a locksmith, ask them to show you how they ensure that only authorized individuals receive keys. Medeco, ASSA, Schlage, and others manufacture patent-protected locks that are sold through locksmith networks. You can visit their respective websites to learn more about their products and search for local dealers.
Design a Master Key System
After you’ve settled on a patented keying system, you will need to sit down with your locksmith to design a master key system. The system dictates which keys will work in which doors. For instance, you may want to give all key holders the ability to unlock the front door, while only the CIO and IT Manager will have access to the server room. Be especially careful with your grand master key; this is the key that will operate every lock in your facility. If this key is ever lost or stolen, you will have to re-key the entire facility in order to maintain security.
Businesses with high employee turnover may want to consider a locking system that utilizes interchangeable cores. The core is the part of the lock that you insert the key into. If a key is lost, or if an employee leaves without returning their key, you can remove the core and insert a new one in a matter of minutes. This will prevent the lost or stolen key from working on your locks, and you will not have to wait for a locksmith to come to your site.
Re-Key Your Facility
Once the master key system has been designed to your satisfaction, you are ready to re-key. This will most likely involve installing new cores into your existing locks. Again, this is a job for a professional locksmith.
Sign Out Keys
With a new keying system installed, you are now ready to sign out keys. Every individual that receives a key should sign a key holder agreement. The agreement should state that keys must not be loaned out, and lost keys must be reported immediately. In addition, make it clear that all keys must be surrendered on termination of employment. In some cases, you may want to withhold the final paycheck until all keys have been accounted for. Software packages such as Key Wizard and Key Tracker will help automate the tracking process and generate key holder agreements.
For Further Study
Back in 1968, Medeco Security Locks virtually invented the concept of key control. They have produced a very helpful guide to developing and managing key control policies that you can download. You may also want to enter “key control policies” into your favorite search engine. You will find examples of published policies that you can learn from before developing your own.