Security Basics mailing list archives

Re: Biometric Access logs


From: Stephen Mullins <steve.mullins.work () gmail com>
Date: Tue, 3 Mar 2009 07:29:55 -0500

Short of forcing everyone in your organization that has the access to
reach the exterior of the door in question record their biometric data
with your access control system (which wouldn't help at all if the
attempt was not made by an insider), there are two other options that
come to mind.  One, you could set up a camera to observe the door and
capture 4 or 5 seconds following an attempted or successful activation
of the biometric door control.  That would at least allow you to have
a visual on the people attempting to access the server room.  Two, you
could add another authentication method that must be utilized before
the biometrics can be attempted.  I.e., combine smart card access with
the biometrics.  The biometric would only be allowed to be attempted
after the smart card is swiped and belongs to someone on that door's
access control list.  This would at least tell you whose smart card is
being used.  If you saw a failed access attempt by a specific
individual's smart card you could contact them for further
investigation and if they claim the access attempt wasn't made by them
then you could quickly disable their old smart card on that door's
access control list.  This two-factor authentication method would also
be more secure than biometrics alone.

Steve Mullins

On Mon, Mar 2, 2009 at 7:24 AM, John <tornado579 () gmail com> wrote:
Hi All,

Request you to give your views on the following issue.

We have a Biometric access controlled server room door for better security.
There is no doubt that Biometric provides enhanced protection. But the
issue with this access control mechanism is that it is not possible to
review and analyze denied attempt logs since the logs only show that
access was denied, but to whom and other details are obviously not shown
because only a few users from the IT department have access to the server
room.
It is not like Swipe card based Access control where all the employees are
registered with the access control system.
In that it becomes easily possible to trace who tried to access what and
when.

We faced an issue in the audit because of this and the auditor insisted that the
review and analysis of the logs for the Biometric controlled area needs to
be done.

What can be done in a scenario like this? Please give your comments.

Thanks.
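
The card-then-biometric scheme suggested in the reply makes denied biometric attempts attributable during log review. The following is an added example, not part of the original thread, that ties each denial to the most recent accepted card swipe on the same door. The log format, event names, card IDs, holder names and the 30-second window (within which retries are assumed to be allowed) are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (format is an assumption, not a vendor's log layout):
# timestamp, door, event, card_id ("-" when the reader has no identity to log)
SAMPLE_LOG = """\
2009-03-02T08:00:05 SRV-ROOM CARD_OK 1001
2009-03-02T08:00:09 SRV-ROOM BIO_OK -
2009-03-02T13:14:30 SRV-ROOM CARD_OK 1002
2009-03-02T13:14:36 SRV-ROOM BIO_DENIED -
2009-03-02T13:14:44 SRV-ROOM BIO_DENIED -
2009-03-02T19:40:00 SRV-ROOM CARD_REJECTED 2077
2009-03-02T22:05:10 SRV-ROOM BIO_DENIED -
"""

CARD_HOLDERS = {"1001": "alice", "1002": "bob"}   # hypothetical door ACL
WINDOW = timedelta(seconds=30)                    # assumed swipe-to-scan timeout

def attribute_denials(log_text, holders=CARD_HOLDERS, window=WINDOW):
    """Return (timestamp, door, finding) for every denied attempt."""
    findings = []
    last_swipe = {}  # door -> (time, card_id) of the most recent accepted card
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, door, event, card = line.split()
        when = datetime.fromisoformat(ts)
        if event == "CARD_OK":
            last_swipe[door] = (when, card)
        elif event == "CARD_REJECTED":
            findings.append((ts, door, f"card {card} not on ACL"))
        elif event in ("BIO_OK", "BIO_DENIED"):
            swipe = last_swipe.get(door)
            fresh = swipe is not None and when - swipe[0] <= window
            if event == "BIO_DENIED":
                if fresh:
                    owner = holders.get(swipe[1], "unknown holder")
                    findings.append((ts, door, f"biometric denied after card {swipe[1]} ({owner})"))
                else:
                    # Should not occur if the controller enforces card-first
                    findings.append((ts, door, "biometric denied with no preceding card swipe"))
            else:
                last_swipe.pop(door, None)  # entry completed; card no longer pending
    return findings

if __name__ == "__main__":
    for row in attribute_denials(SAMPLE_LOG):
        print(*row, sep="  ")
```

A denial with no preceding swipe is reported separately because, under the card-first design, it indicates the controller is not enforcing the ordering.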



