Recognition requirements
The control of access is a person related application which assigns access rights to individual users or a group of users. The correct recognition of the users is the primary function of the electronic access control system, therefore the selection of user credentials shall be in accordance with the grade (security level) wanted:
the electronic access control systems shall provide recognition in accordance with Table 4;
the electronic access control systems shall compare each memorized information with stored credentials to accept or deny users’ identity claim;the access control unit shall include a real-time clock with the accuracy of ±10 s a week and capable of adjusting to daylight saving time and leap year, and of managing national time zones as indicated in Table 4. In addition, when multiple access control units are used, the clocks for Grade 3 and Grade 4 equipment shall be synchronized with the master clock at least once every 24 h;
Grade 2, Grade 3 and Grade 4 electronic access control units shall provide a unique identity to each authorized user;
the access control unit shall provide a minimum number of user access levels as per Table 4;
the access control unit shall provide a minimum number of system-programmable time periods as per Table 4;
the time resolution shall include day of week, hour and minute of the day;
in addition to item 7) above, the time resolution for Grade 3 and Grade 4 equipment shall include day of the month, month, and year;
the access control unit shall provide a minimum number of system-programmable holidays as per Table 4.
Table 4 - Recognition requirements (1 of 2)
|
Recognition requirements |
Grade assignment |
||||
|
1 |
2 |
3 |
4 |
||
|
A - Access levels |
|||||
|
1 |
The built-in real time clock shall have an accuracy of + 10 seconds a week and be capable of adjusting to daylight saving time, leap year |
OP |
M |
M |
M |
|
2 |
The system shall be capable of managing multiple time zones |
OP |
OP |
OP |
OP |
|
3 |
For systems with multiple interconnected control units, the clocks shall be synchronized with the master clock or other reliable synchronization source, at least once every 24 h |
OP |
OP |
M |
M |
|
4 |
Synchronize the master clock of the system to the official time |
OP |
OP |
OP |
M |
|
5 |
Real time clock shall be kept for the indicated minimum period of time in case of total power loss (except for loss of data retention battery) |
OP |
24 h |
120 h |
120 h |
|
6 |
Minimum number of user access levels |
1 |
8 |
16 |
64 |
|
7 |
Minimum number of configurable time periods |
0 |
4 |
8 |
16 |
|
8 |
Minimum resolution for time within access level includes day of week, hour and minute of day |
N/A |
M |
M |
M |
|
9 |
Minimum resolution for time within access level includes day of month, month and year |
N/A |
OP |
OP |
M |
|
10 |
System shall be capable to handle a number of configurable days (e g. statutory holidays, special business days and non-business days) |
N/A |
2 |
16 |
24 |
|
11 |
System should be capable of assigning access rights to a group of credentials |
OP |
OP |
OP |
OP |
|
12 |
System should be capable of changing access rights to a group of credentials in response to emergency conditions |
OP |
OP |
OP |
OP |
Table 4 (2 of 2)
|
Recognition requirements |
Grade assignment |
||||
|
1 |
2 |
3 |
4 |
||
|
В - Equipment and methods of recognition |
|||||
|
13 |
The system shall assign unique identity to each authorized user |
OP |
M |
M |
M |
|
14 |
The system shall use memorized information only |
OP* |
OP* |
NP |
NP |
|
15 |
The system shall use biometrics alone or in combination with other recognition methods |
OP* |
OP* |
OP* |
OP* |
|
16 |
The system shall use token |
OP* |
OP* ■ |
OP* |
OP* |
|
17 |
The system shall use memorized information and token |
OP* |
OP* |
OP* |
OP* |
|
18 |
Access shall be denied after each attempt to gain access using a valid token with invalid memorized information, and after a predetermined number of unsuccessful attempts the access rights forthat token shall be suspended for a pre-set duration. The number of attempts can be configurable. Where it is not configurable the number of attempts shall be limited to 5 |
OP |
M |
M |
M |
|
19 |
Access shall be denied after each attempt to gain access with invalid memorized information only. The access shall be suspended after 5 sequential incorrect inputs within a pre-set period of time. |
OP |
OP |
N/A |
N/A |
|
20 |
When using biometrics, shall not exceed limits shown for each grade. NOTE 1 = FAR (false acceptance rate) when 1:1 comparison is performed (e.g. biometric verification of an identity claimed by memorized information or token) or FAR^ = FAR x n when 1:n comparison is performed and n = number of stored templates (e g. biometric identification without using memorized information or token). NOTE 2 The FAR values are based on the review of the supplied manufacturer’s documentation. |
1 % |
0,3 % |
0,3 % |
0,1 % |
|
21 |
The minimum ratio between number of possible user codes and number of allocated codes shall be at least 1 000 to 1 when system is using recognition of a valid user by memorized information only e.g.: up to 10 users - 4 digits, up to 100 users - 5 digits, up to 1 000 users - 6 digits, etc |
M |
M |
N/A |
N/A |
|
22 |
For systems using recognition by memorized information combined with token or biometrics the memorized information requires 4 digits minimum |
OP |
OP |
M |
M |
|
23 |
In normal mode of operation the system shall use complete token information (facility code and card number, or unique card number) for recognition |
M |
M |
M |
M |
|
24 |
Support for multiple facility codes if the system utilizes facility coding |
OP |
OP |
OP |
M |
|
25 |
In degraded mode of operation the system may use partial token information (e.g. facility code only) for recognition |
OP |
OP |
OP |
NP |
|
26 |
Tokens with coding system structure visible to unaided human eye shall not be used |
M |
M |
M |
M |
|
27 |
The token identity number readable on the token not to be a direct representation of the entire coding |
M |
M |
M |
M |
|
NOTE Abbreviations used in the table are the following: NP = not permitted OP = optional OP* = one of the options in the identified grouping (gray area) shall be implemented Also refer to the additional token requirements for each grade as per item 9) in 6.8 M = mandatory NA = not applicable |
|||||
Duress signalling requirements
The operation of the duress initiating device in the protected area and transmission of an alert to the monitoring console shall be in accordance with Table 5 and the requirements below:
The duress signal received at the monitoring console shall include identification of location, time and date of occurrence.
The duress signal received at the monitoring console shall include user identification.
Table 5 - Duress signalling requirements
|
Duress signalling requirements |
Grade assignment |
||||
|
1 |
2 |
3 |
4 |
||
|
1 |
Enabling of the duress functionality shall be configurable |
OP |
OP |
OP |
M |
|
2 |
The duress alert at the monitoring console to be distinct from other alerts |
M* |
M* |
M* |
M |
|
3 |
The operation of the duress initiating device shall not produce a signal which may be audible or visible at the location where the duress has been initiated |
M* |
M* |
M* |
M |
NOTE Abbreviations used in the table are the following:
OP = optional
M = mandatory
M* = mandatory only if optional functionality is supported for the specified grade
Overriding requirements
Electronic access control systems shall allow manual commands that override the configured mode of operation of access point (release/secure/block) in accordance with Table 6 and the requirements below:
All overriding commands shall be logged with time and date of the occurrence.
The logged information shall include the type of overriding command and operator ID.
Table 6 - Overriding requirements
|
Overriding requirements |
Grade assignment |
||||
|
1 |
2 |
3 |
4 |
||
|
1 |
Single free access granting, single portal |
OP |
OP |
M |
M |
|
2 |
System-wide free access granting |
OP |
OP |
OP |
OP |
|
3 |
Free access granting until further system command, single portal or group of portals |
OP |
OP |
OP |
OP |
|
4 |
Scheduled/timed free access granting, single portal or group of portals |
OP |
OP |
OP |
OP |
|
5 |
The electronic access control system shall not prohibit the free exit granted by other emergency systems (e.g. fire, environmental) |
M |
M |
M |
M |
|
6 |
Blocking of portal until further system command, single portal or group of portals |
OP |
OP |
OP |
OP |
|
7 |
Scheduled/timed blocking of portal, single portal or group of portals |
N/A |
OP |
OP |
OP |
|
NOTE Abbreviations used in the table are the following: OP = optional M = mandatory M* = mandatory only if optional functionality is supported for the specified grade N/A = not applicable |
|||||
Communication requirements
The communication channel between the electronic access control system and the monitoring console shall meet the following requirements:
Failure and/or restoration of the communication channel for Grade 2, Grade 3 and Grade 4 equipment shall not result in the release of portals.
The end to end communication verification (timing) shall be conducted as part of the final installation and it shall meet the requirements of Table 3, line 38, for that installation.
Grade 2, Grade 3 and Grade 4 equipment shall be capable of operating in stand-alone mode after communication interruption with the monitoring console. The equipment shall be capable of performing all functionalities with the exception of the ones affected by the loss of communication.
Grade 4 equipment shall ensure the integrity of communications between all components of the access control system transmitting or receiving data related to the granting of access, including for example: communications between token/cards and user interfaces, user interfaces and access control units and between access control units and the monitoring console.
The integrity of communication shall be achieved by supervision of the communication channel (Table 7, line 9) and the security of information transmitted.
The information security shall be provided by measures to prevent unauthorised reading and modification of the information transmitted.
Description of how the measures for security of information are achieved shall be provided during testing of the equipment.
System self-protection requirements '
The components of the electronic access control system shall meet the following requirements and the appropriate requirements in Table 7 for each grade.
The housings for components of electronic access control systems shall be provided with the means to prevent access to internal elements to minimize the risk of tampering. Requirements for tamper protection may vary depending on the grade of the EACS and on whether a component of the system is located within or outside of the protected area.
Components located externally to the protected area shall have appropriate means of tamper protection and detection as per Table 7, lines 5 and 6.
All terminals and means of mechanical and electronic adjustment shall be located within electronic access control component housings.
Open or short circuit conditions applied to wires connected to any components of an access control system installed outside its controlled area or accessible from outside its controlled area shall not result in the operation of the access point actuator device allowing access to the secured area.
Housing shall be sufficiently robust to prevent undetected access to internal elements without visible damage. The user interface (e.g. reader, keypad, etc.) housing shall be protected to IP4X. It shall not be possible to grant access by the insertion of a 1 mm steel probe into the housing. IP ratings are detailed in IEC 60529.
The user interface housing shall be protected to IK04. Damage to the housing is permitted after impact, provided that it is not possible to grant access by manipulating internal elements of the user interface. Alternatively a tamper condition shall be generated before access to internal elements is possible. IK ratings are detailed in IEC 62262.
Means of access to internal elements of components of electronic access control system shall be robust and mechanically secured. Normal access shall require the use of a tool.
Interconnections shall be suitable for the purpose and designed to provide a reliable means of communication between components of electronic access control system. They shall be designed to minimize the possibility of signals being delayed, modified, substituted or lost.
The following requirements for token and communication between token and user interface unit shall be met in addition to the requirements stated in Table 4 and Table 7:
Grades 1 and 2: no additional requirements;
Grade 3: chip based contact or contactless (RFID) token with access conditions at least for writing/modifying of ID information and for RFID token only session encrypted data communication. This is required only when the token is used as a single method of recognition;
Grade 4: chip based contact or contactless (RFID) token with mutual authentication and access conditions for reading, writing or modifying information and for RFID token only session encrypted data communication.
Table 7 - System self-protection requirements (T of 2)
|
System self-protection requirements |
Grade assignment |
|||||
|
1 |
2 |
3 |
4 |
|||
|
A - Prevention |
||||||
|
1 |
Memory stored information (settings) shall be kept for the indicated minimum period of time in case of total power loss (except for loss of data retention battery) |
10 min |
2 wks |
2 wks |
2 wks |
|
|
2 |
Following a total loss of power automatic restart of the access control system is required upon primary power source restoral |
M |
M |
M |
M |
|
|
3 |
If full functionality of the access control unit cannot be restored (data corrupted or lost) following the automatic restart a trouble condition shall be annunciated |
M |
M |
M |
M |
|
|
4 |
Means of access to the internal elements of components of an access control system shall require the use of a tool |
M |
M |
M |
M |
|
|
5 |
Opening of the enclosure of the user interface intended to be installed outside of the controlled area or that could be accessible from outside the controlled area shall result in tamper detection if manipulation of the internal elements can cause an access granted condition. The tamper detection shall occur before the tamper mechanism can be defeated |
OP |
M |
M |
M |
|
|
6 |
Devices intended to be installed outside the controlled area or that could be accessible from outside the controlled area shall detect removal from mounting if that provides access to the internal elements and manipulation of these elements can cause an access granted condition |
OP |
OP |
M |
M |
|
|
7 |
The enclosures of the EACS components accessible from outside the controlled area shall meet the required IP and IK ratings |
IP4X IK04 |
IP4X IK04 |
IP4X IK04 |
IP4X IK04 |
|
|
8 |
In case of loss of communication between the control unit(s) and the monitoring console, the control unit should be capable of storing and subsequently transmitting upon restoration of communications a minimum number of events per portal |
N/A |
OP |
500 |
1000 |
|
|
9 |
Communication between control unit and the EACS components shall be monitored. The loss of the communication for the indicated duration shall result in an alert at the monitoring console |
N/A |
OP |
10 min |
2 min |
|
|
10 |
System administration including configuration shall only be logically accessed with the use of valid credentials (e.g. password, token) |
N/A |
M |
M |
M |
|
|
11 |
There shall be separate access levels that categorize the ability of the operators to perform different functions in the system. Minimum number of logical access levels is: |
1 |
1 |
2 |
4 |
|
|
12 |
The minimum number of required characters for logical access by memorized information only shall be as indicated (N=numeric/A=alphanumeric) |
4N |
5N |
6A |
8A |
|
|
13 |
If numeric codes are used for logical access by memorized information, sequential ascending or descending pass-code digits and use of same digit more than twice shall not be allowed |
OP |
OP |
M |
M |
|
