ABCs Of Access Control

We asked Laura Quick, retail facilities manager at Omaha Steaks, and InstaKey Security Systems' Director of Marketing, Cita Doyle, to share their expertise on managing access control in retail environments.

Explain the need for a key management system.
Quick: Without a central key management program, stores and districts are left to their own devices. If stores and districts are doing their own thing, there is no way to control the expenses associated with rekeying, and there are obvious security gaps. Before we implemented a key management program at Omaha Steaks, our security audits would often reveal that the key situation was out of control. On more than one occasion, I had to turn to local locksmiths to duplicate keys that were clearly marked "do not duplicate." They willingly obliged, trusting a simple explanation that I was a manager.

In the event we did need to switch out lock cores due to missing keys, our expenses were high. If a master key went missing, we could face $20,000 in expenses to change out the locks the master key opened.

What are some attributes of a well-executed key management program?
Doyle: InstaKey's rekeyable cores allow retailers to rekey for a single core up to 9 times without calling on a locksmith or adding new hardware. This technology helps retailers manage the expense associated with mitigating risk when keys are lost or stolen.

With this approach, key management can also be isolated to various levels in an organization. For instance, if necessary, the technology allows district or regional managers' master keys to be rekeyed without the need to swap out the keys of store-level employees. Master keys and store key levels are independent, which allows cost controls and program flexibility.
Quick: Given the varying levels of access control granted in an organization of our size, flexibility is a primary concern. Multisite retailers need to avoid wholesale change outs of keys and cores whenever there's a potential security issue. We have a multilevel approach to key management at the store, headquarters, and vendor level.

Stores maintain a key log when keys are issued. That key log is turned in to headquarters monthly and audited against a web-based key management and control application called SecurityRecords.com, which InstaKey maintains on its website. Each time a hire is made or a key is assigned, we enter the employee, their access code, and the key number onto the InstaKey site. Once that key is entered in the log, it's never removed. The employee and the access code associated with that employee might change, however, with employee turnover.

What steps should be taken when a key is lost?
Quick: It's important for us to maintain product integrity and brand reputation, so when there's a potential security issue, we take it very seriously. Every store has a rekey kit, which contains a step change key that rekeys the lock by reconfiguring the core pinning. We rekey the core, and then issue a new set of keys via InstaKey to appropriate employees. The store manager updates the key logs and sends an email to InstaKey for another rekey kit. We specify how quickly we require the keys and rekey kit.

If an employee leaves and the key comes back to us on their departure, we don't change the locks because the keys cannot be duplicated [key blanks are not available on the open market]. However, if an employee who is leaving returns a key and that key is not reissued within two weeks, the key is destroyed. The store manager never has more than one extra key on hand. We have some stores that have never had to rekey and one that has had to rekey seven times.  Because of InstaKey we have not had to change out a core in over five years.

How does technology assist the management of a key-based access program?
Doyle: By linking non-duplicable keyways and individually serialized keys in the SecurityRecords.com on-line software from InstaKey, management can account for each key cut for each of its locations. This on-line key management capability can also be decentralized between departments or regional staff as management specifies, providing controlled access as needed. This decentralization permits improved time efficiency and overall program costs as locksmiths and facilities, operations, and security personnel can all use the same system with approved access to necessary information.

Whether tracking a specific key, conducting a security audit, or investigating an event at a particular location, the SecurityRecords.com software can provide the necessary information to know what keys any individual should have, what locations they should be able to access, and who should be able to access each unique location.

Quick: Headquarters-level securities and facilities personnel have access to the InstaKey key management software, which provides intelligence on our key management. I can go in to that system and type in a key serial number, and it will tell me who is responsible for that key. If a key turns up without a clear owner, I can find out who's responsible for it. I can search keys by store number or individual, and I can get a complete key issuance history. I can also go in by master key serial number or manager name and find out which stores those keys and managers have access to.

Each district also has its own master key. If we reconfigure our districts, the cores can be rekeyed three times on the master keys before having to switch them out. When we open new stores or redistrict, we can take the cores out of the old stores and swap them out at no additional cost.

Visibility into key responsibility helps us manage incidents, as well. We had a robbery, and we knew a key was used to gain entry. We knew it had to be a current employee, because our compliance department interviewed local locksmiths and found that none had blanks to recreate keys. We investigated, the police questioned employees, and in the end, the incident was resolved and the loss was recaptured.