Performance Management Presentation Access Control

1
Performance Management PresentationAccess
Control

• Team Members
• Major Billy Alford, Team Leader
• Bill Brosius, Alex Salah, Cassandra Harris
• ORS
• National Institutes of Health
• 21 January 2004

2
Table of Contents

• Main Presentation
• PM Template . 3
• Customer Perspective... 7
• Internal Business Process Perspective.. 18
• Learning and Growth Perspective 30
• Financial Perspective. 37
• Conclusions 45

3
(No Transcript)
4
Introduction to Access Control

• Reasons
• To protect the people, property, and research of
  the NIH
• To ensure the Safety Security of NIH employees
• NIH research is a National Resource
• NIH is a part of the Public Health Critical
  Infrastructure

5
Link between Access Control and Personnel Security

• One component of Access control is personnel
  security
• Positions are designated at a particular
  Sensitivity Level Non-Sensitive, Public Trust,
  or National Security
• Background investigations are conducted to
  determine whether a person is suitable for
  employment in that position
• NIH Police conducts interim background checks
• 4679 background checks conducted in FY03
• Determination is made on where the individual may
  be granted physical access
• Access controls ensure only those authorized may
  enter
• This presentation will focus only on access
  control
• Personnel security will be addressed during FY04

6
Relationship Among Performance Objectives
7
Customer Perspective
8
Customer Perspective
9
C1a Development of the Access Control Program
and continuation of formal review for approval

• 75 completion of development of the Access
  Control Program
• Program presented to Associate Director of ORS
  for Security and Emergency Response
• Program presented to Associate Director of NIH
  for Research Services
• Program presented to Deputy Director for
  Management of the NIH
• Will measure implementation once full-approval is
  granted

10
C1b. Percent of planned installation of card
readers and access control systems

• 100 completion of the 1-for-1 replacement of
  card readers from previous system in FY03
• 100 completion of improved access controls for
  Select Agent Labs in FY03
• Will track percent installation of planned new
  card readers and access control systems in FY04

11
Customer Perspective
12
C2 Percent of Badges issued to those in need of
an NIH ID

• Provide ID/access badges and appropriate
  authorized access, to those authorized to access
  NIH campuses and facilities
• Those in need
• All NIH personnel (FTEs, Contractors, Fellows,
  etc)
• Others with legitimate business at NIH facilities
  (Patients, Volunteers, Tenants, Guests, Service
  Providers, etc)
• The badge is the access control measure
• Badge provides
• Identification picture ID
• Verification proves holder has authorized
  access

13
C2 Identification Badges Issued-FY03
Note 10,211 badges issued.
14
Customer Perspective (cont.)
15
Customer Scorecard Methodology

• Clarified critical customers in FY03 for Access
  Control
• Lab Directors
• Facility Managers
• Biosafety Officers
• NIH Radiation Safety Officer
• Work to design a method to assess customer needs
  and satisfaction with these customer groups
  during FY04

16
Customer PerspectiveWhat does the data tell you?

• Completed work to develop Access Control Program,
  now need full approval so implementation can be
  tracked
• 100 replacement all old card readers and
  improved access controls for select agents during
  FY03
• Issued over 10,000 badges in FY03
• 44 of badges issued were to contractors

17
Customer PerspectiveWhat actions are planned?

• Gain approval of Access Control Program and begin
  implementation
• Install new card readers and access control
  systems as planned and where requested
• Work with personnel security to ensure legitimacy
  of persons badged
• Develop the Customer Scorecard with OQM, in order
  to assess customer needs for Access Control

18
Internal Business Process Perspective
19
Internal Business Process Perspective
20
IB1a Percent of Access Control Measures
Implemented for Select Agent Lab and Storage

• 100 of Select Agent Labs had access controls
  installed in FY03
• Card readers
• Biometrics

21
IB1b Percent of Access Control Measures
Implemented at Radiological Facilities

• 30 of Radiological laboratories and storage
  facilities had access controls installed in FY03
• Card readers
• Door contacts

22
IB1c Percent of Access Control Measures
Implemented at Sensitive IT Facilities

• Sensitive IT facilities were surveyed in FY03,
  and access control installations began
• Survey is still ongoing population of
  sensitive IT facilities still to be determined
• LAN closets
• Server Rooms
• Computer Rooms

23
IB1d Percent of Access Control Measures
Implemented at Sensitive Mechanical Facilities

• A survey of sensitive mechanical rooms began and
  a pilot program for installing access controls is
  underway
• Survey is ongoing to locate and assess sensitive
  mechanical rooms

24
Internal Business Process Perspective
25
Perimeter Security System (PSS)

• Layered approach to Access Control
• Perimeter Fence, Visitors Center, Commercial
  Vehicle Inspection Station (CVI), West Dr
  Patients Entrance
• Building perimeter doors
• Particular floors or office areas, Labs, and
  particular rooms

26
IB2a Percent completion of the NIH-Bethesda PSS

• 90 completion of physical Perimeter Fence
• 100 completion scheduled for 3rd Quarter FY04
• 100 design completion of Temporary Visitors
  Center
• 35 design completion of Visitors Center
• 50 design completion of Patient Entrance
• 35 design completion of CVI

27
IB2b Number of card readers per layer/component
of PSS

• 345 card readers installed at/in buildings in FY03

28
Internal Business Process PerspectiveWhat does
the data tell you?

• Physical Perimeter Fence will be 100 completed
  in FY04
• Perimeter Security System (PSS) components are
  mostly in the design phase
• The majority of our card readers are for interior
  building spaces

29
Internal Business Process PerspectiveWhat
actions are planned?

• Establish a Temporary Visitors Center to
  centrally process visitors at the Perimeter until
  Visitors Center complex is completed
• Change from Visitor stickers to Andover-capable
  cards
• Begin connectivity of automated access controls
  at Perimeter Fence
• Andover capabilities are planned for all layers
  of the PSS
• Actively identifying sensitive areas for card
  reader installation

30
Learning and Growth Perspective
31
Learning and Growth Perspective
32
LG1 Percent of IDP tasks completed

• Baseline measures need to be established
• IDPs must be created

33
Learning and Growth Perspective
34
LG2 Hours of skill enhancement by technology type

• Baseline measures need to be established
• Technologies must be identified

35
Learning and Growth PerspectiveWhat does the
data tell you?

• Need to identify Baselines for measurements
• Need to identify types of technology with which
  to improve

36
Learning and Growth PerspectiveWhat actions are
planned?

• Baseline team member KSAs and create Individual
  Development Plans (IDP)
• Utilize online Police Training Tool for personal
  KSA building
• Identify technologies and skills necessary for
  Access Control team

37
Financial Perspective
38
Financial Perspective (cont.)
39
F1 Number of Badges Issued

• Unit measure is number of badges issued
• 10,211 badges issued in FY03
• Budget numbers need to be formalized for this
  program before meaningful unit cost can be
  calculated

40
F2 Number of Card Readers installed

• Unit measure is number of card readers installed
• 345 card readers installed in FY03
• Budget numbers need to be formalized for this
  program before meaningful unit cost can be
  calculated

41
F3 Number of automated access events

• 22,026 per day

42
F3 Number of automated access events

• Unit measure is number of automated access events
  per day
• gt 22,000 automated access events/day in FY03
• As automated events increase, monitored events
  should decrease
• Greater use of Andover system will further
  justify the investment
• Budget numbers need to be formalized for this
  program before meaningful unit cost can be
  calculated

43
Financial PerspectiveWhat does the data tell you?

• Over 10,000 badges were issued in FY03
• 345 card readers were installed in FY03
• There were over 22,000 automated access events
  per day in FY03

44
Financial PerspectiveWhat actions are planned?

• Track similar unit measures during FY04 to
  understand change over time
• Develop budget numbers for Access Control Service
  Group
• Initiative to increase automated Access Controls
  in effort to decrease overall security costs

45
Conclusions
46
Conclusions

• Major Findings
• Completed work to develop Access Control Program,
  now need full approval so implementation can be
  tracked
• 100 replacement of old card readers and
  improvement of access controls for select agents
  during FY03
• Physical Perimeter Fence will be 100 completed
  in FY04
• Perimeter Security System (PSS) components are
  mostly in the design phase
• Need to identify baselines for Learning and
  Growth measures
• Issued over 10,000 badges, installed 345 card
  readers, and Andover system experienced over
  22,000 automated access events per day in FY03

47
Conclusions (cont.)

• Initiatives for FY04
• Gain approval of Access Control Program and begin
  implementation
• Install new card readers and access control
  systems as planned and where requested
• Work with personnel security to ensure legitimacy
  of persons badged
• Develop the Customer Scorecard in order to assess
  customer needs for Access Control
• Establish a Temporary Visitors Center to
  centrally process visitors at the Perimeter until
  Visitors Center complex is completed
• Change from Visitor stickers to Andover-capable
  cards
• Begin connectivity of automated access controls
  at Perimeter Fence
• Andover capabilities are planned for all layers
  of the PSS
• Identify sensitive areas for card reader
  installation

48
Conclusions (cont.)

• Initiatives for FY04
• Baseline team member KSAs and create Individual
  Development Plans (IDP)
• Utilize online Police Training Tool for personal
  KSA building
• Identify technologies and skills necessary for
  Access Control team
• Track similar unit measures during FY04 to
  understand change over time
• Develop budget numbers for Access Control Service
  Group
• Initiative to increase automated Access Controls
  in effort to decrease overall security costs