Abstract
Access control systems were examined to determine if a network based system would be more reliable and beneficial. Two major systems were determined to be very beneficial to the company. In contrast, the systems would consume a great deal of resources in order to be put into full working order at all sites worldwide. Together these findings suggest that using a network based system can ultimately serve the company better and create a more secure environment for the research and the employees.

Keywords: Access control, CCURE, Locknetics, security, networking
Network Based Access Control Systems: What Are They?
Personal and confidential information can easily be accessed at sites if the access to the specific areas is not updated quickly enough. To secure and protect this data, technology must adapt to mitigate the threats and risks. Applications and services are becoming mobile across multiple resources, sometimes in a dynamically allocated way, necessitating the migration of sensitive and private data. I propose a network based access control system to address the inadequacies of current technological solutions in preserving the confidentiality and privacy of data, along with the safety and security of the site. More specifically, I describe a solution for securing all Bristol-Myers Squibb sites throughout the world.
Access control systems have become a basic way of life for many businesses, especially large businesses. There are many different variations of these systems that control a wide variety of features, depending on what the needs of the business are. An access control system can be defined as an electronic system that allows, restricts and tracks the movement of people through entry/exit points in a site through programmable electronic cards and various other devices. (Brownwood) As stated in K.C. Laudon and J.P. Laudon’s book Managerial Information Systems: Managing the Digital Firm, access control consists of “all the policies and procedures a company uses to prevent improper access to systems by unauthorized insiders and outsiders.” (Laudon, & Laudon, 2010) Some devices that would be considered in the access control system family are passwords, tokens, smart cards, biometrics, firewalls, intrusion detections systems, and keypads. As most of you know we already utilize a great deal of these systems at Bristol-Myers Squibb. However, there is much more we can do to better protect ourselves and utilize these systems to the best of their ability.
Brief Background
Bristol-Myers Squibb is a Fortune 500, New Jersey based company with many sites worldwide. Often known as BMS, the company took on the name in 1989 after the merger of two world renown pharmaceutical and overall health companies, E.R. Squibb and Bristol-Myers. Up until late 2009 BMS produced such common products as the Burt’s Bees line, Clairol, and Enfamil. (Bristol-Myers Squibb, 2011) On December 23, 2009 BMS sold all of their shares of Mead Johnson (the producer of Enfamil, Burt’s Bees, and Clariol) to redirect its focus to strictly biopharmaceuticals. BMS’s new mission is to “discover, develop and deliver innovative medicines that help patients prevail over serious diseases.” (Bristol-Myers Squibb, 2011) BMS announced “Project Focus” to their employees in 2009 and has since completed the first stage of it. The first phase of project focus is reorganizing BMS to free up as many funds and positions as possible that do not focus on research and development, thus contracting out many positions that were once filled by BMS employees. Johnson Controls Inc. won the contract for majority of Facilities; this includes security, building maintenance and operations for the Americas. While Veolia won the contract for Europe and Asia.
This is where access control systems come into play. Since there is a constant movement of people it is a necessity to keep the sites secure to the best of our abilities. BMS is filtering many new employees in and old employees out which becomes a problem with manual programming. Because of BMS’s large size and many research and development sites with critical areas it would be extremely advantageous to use a universal network based access control system. BMS currently uses many variations of access control systems, such as, HID card readers, biometrics, firewalls, VPN, CCURE 800 and Locknetics. The largest problems with BMS’s current setup are the many vendors that are used to implement these systems, the different variations of systems are used, and that some of the systems require manual programming. Many of the systems are not universally networked causing many man hours to be spent programming each system individually.
By using different vendors it allows many companies to know the inner workings of BMS and gives these outside company’s access to what we want everyone not to see. For instance, the companies Access Systems Integration (ASI) and Deterrent Technologies installed the majority of the access systems for the Hopewell, New Jersey site but not for the New Brunswick, New Jersey site and certainly not for the Wallingford, Connecticut site. Since contracting out the majority of Facilities and eliminating the site Security Operations Administrator positions it has left BMS’s infrastructure vulnerable. There is very little documentation as to what has been done in prior years and can take an extremely long period of time to decipher all that has been done. The past inconsistencies with product usage are now greatly affecting today’s system.
Proposed Devices
I propose a brand new integration with security systems that are network based, thus, creating something that can be over scene by Johnson Controls, Veolia and BMS from inception. Each site will use the same system creating uniformity between sites. CCURE 9000 Enterprise will be the main monitoring system, badging system, and control system. As stated on the CCURE 9000 Enterprise site. CCURE 9000 Enterprise “provides an advanced distributed architecture for enterprise scalability. Whether your organization consists of a few facilities that are locally dispersed or many that span the globe, this solution grows as your company grows. C•CURE 9000 Enterprise gives corporate security personnel and IT managers central control over the entire system, while each local facility maintains independent control of its individual operation. Its power gives system administrators at the main facility the ability to configure and monitor all locations from that single site. It also allows them to simultaneously monitor alarms from multiple facilities from one convenient workstation.” (Tyco, 2010) Because most sites are already using CCURE 800 I believe that upgrading to CCURE 9000 Enterprise will be an easy switch for users. CCURE 9000 Enterprise will allow for easy monitoring of any site from anywhere around the world. The system uses the intranet to connect all of the BMS sites, worldwide. By implementing 9000 Enterprise, we can discontinue use of VistitorWatch, the current visitor badging and registration system. CCURE9000 Enterprise offers their own visitor system which would be easier to manage with the “push install” feature 9000 offers. (Tyco, 2010) With the “push install” feature an upgrade of all systems can be done with a push of a button from one of the main stations. (Tyco, 2010) This concept completely discontinues the possibility of any station not being updated properly or in the same time period as all the others.
Secondly, I would like to add Locknetics devices to all the sites. The Locknetics device is produced by Ingersoll Rand and Schlage. A Locknetics device is a keyless entry keypad system that can be utilized by all employees for access into their offices, labs, and other secure areas. We have been using these devices at the Hopewell and Lawrenceville sites for a number of years now. The benefit of using a keyless entry system such as this is instead of issuing keys which are easily lost and are not guaranteed to be returned after termination a locknetics code can be given to the employee and easily tracked. Each code will be specific to the employee and they can carry it with them during their tenure at BMS. The code can be programmed in one device and taken out of another if a move should occur. If someone finds their office in disarray or something missing, a simple lock audit will list all of the persons that accessed the area. With the lock being on a network the information can be obtained instantaneously. If a termination occurs it is quick and easy to remove the person’s access creating security throughout the site.
I would like to install two types of Locknetics, an AD300 and AD400. The AD300 is a Locknetics devise that gains its power from wires that are run to it through the walls and door frames. (Rand, 2011) It is the ideal lock for an area that is easily accessible to hard wiring which also saves money in the long run by not having to replace batteries. The AD400 is essentially the same as the 300 but allows for battery power. The battery powered device makes it easy to install nearly anywhere. Both of these devices can easily be programmed using a wireless network. Currently, all of the Locknetics devices at the Hopewell site can only be programmed manually. This causes a delay in security of the area, a delay in customer service and occupies many hours of manpower. Ingersoll Rand explains how the lock connects with the computer for programming. “For reliable wireless communications, Schlage utilizes the 900MHz band to enable longer transmission ranges and simplify system design. Signal propagation with longer wavelengths travel a greater distance and penetrate through and around typical building construction better than signals with shorter wavelengths. Each RF transmission is encrypted with AES-128 bit keys to provide virtually uncompromisable security.” (Rand, 2011) Since some of the sites are so large there may be a need for additional transmitters in some areas to effectively program all of the devices. By implementing these devices it takes out the middleman. One person can be responsible for programming from the comfort of their desk. This also means that the system can easily be updated if changes should occur, new software comes out, and there will be no need to worry about palm pilots becoming out dated.
With using CCURE9000 Enterprise and Locknetics devices AD300 and AD400 the BMS sites can be secured, easier to manage and universally the same throughout the world. Despite all of the perks to these systems there are some downfalls as well. The biggest downfall and concern I’m sure is the price of the integration. Since all of the BMS sites are already running off of CCURE800, updating to 9000 Enterprise should not cost as much as it would if it was a brand new integration. Although I do not have exact figures on the total cost of the upgrade I will be happy to supply it when it becomes available. The second issue I see with implementing CCURE 9000 Enterprise is that some of the features are not available yet. A few of these features we do utilize on CCURE 800. I have attached the schedule of the proposed updates which will include some of these features so you have a general idea of when they will become available.
Although the AD locks are easy to install and straight forward to use a large cost will be associated with obtaining the devices themselves. Each lock cost approximately $1500. The Hopewell site alone will need over 1000 locks. Granted the cost will be heavy in the beginning but the maintenance that these devices will need over time will be minimal. The current Locknetics devices at the Hopewell site are becoming obsolete and more difficult to fix. With this point alone we will need to remedy this problem soon. Since these devices can easily be changed, upgraded and the software is compatible with what is currently being used it would make for the best solution to the current problem. There will be no need to reissue Locknetics codes and programming can all be done by the Site Security Coordinator.
The Three Year Proposal
Of course the integration of all this cannot take place overnight. I propose a three year plan for full implementation. Year one, we will use a test site to begin implementing both systems. Since Hopewell has been used as the test site in the past we will continue will the tradition. Hopewell will give us the best view of any problems that we may come across at the other sites. Since Hopewell is so large, has the most offices, is remote and is the home of the Regional Security Monitoring Center it is a prime location for testing. We will begin by implementing the new Locknetics devices since the need for them is growing by the day. By buying Locknetics on a site by site basis we can allocate funds as needed.
The first Locknetics will be places in two buildings, Building 16 and Building 27, these buildings will be the starting points. Building 16 is where the programming station is housed, where the Security office is and where all of Facilities is making it an ideal starting point. Building 27 will be used because it is the furthest building away from the hub and will need very few devices because the size of the building. If we can send a successful signal across the site to Building 27 we will be able to transmit one to any other building on campus. Being that all the other sites are smaller than Hopewell it will make it easy to determine whether or not this system can work effectively at the other BMS sites. Providing that the system works properly without any major issues we will begin to install the new devices in the other buildings. By the six month mark I would like to have Hopewell fully installed and begin working on the Plainsboro and Lawrenceville sites. Slowly each site will begin their transition. Having all the sites around the world fully converted to Locknetics by the end of year two.
Year two, will be the beginning phase of implementing CCURE 9000 Enterprise at the Hopewell site. The Security Coordinator will be the first point of contact for this system again. Since this system is only an upgrade from the 800 that is currently being used at the Hopewell site it should be a quick transition. We will contract out an expert in the 9000 Enterprise system to help with the transition. The expert will work closely with the Regional Security Technician, site Security Coordinator, Senior Communications Specialist and the Site Captain to implement the system. All four people will gain as much knowledge as possible during the startup so the information can be passed along to the other sites during their implementation. Each of the other Central New Jersey sites will be programmed by the Regional Security Technician saving funds for the company. As the New Jersey sites are up and running the rest of America will begin their transition. A dollar amount will need to be allocated for the Americas in order for this process to begin. As all of the Americas are online the Regional Security Monitoring Center will continue monitoring the Central New Jersey sites, Devin, Massachusetts, Wallingford, Connecticut, California, and Canada. This will allow for the monitoring center to soon monitor all of the Americas.
Year three, as the third and final year begins all of the Americas should be up and running properly. Europe and Asia will be the next group of sites to begin their transition. Again a cost amount will have to be allocated for this project. An expert will once again be hired to start the Asian market basing him/her out of Tokyo, Japan. The expert will be able to get the three sites in Japan and China running within three months. After the initial phase of the Asia’s begins the first phase of Europe will begin. An expert will be hired and based out of France. We will use France since it has a greater number of BMS sites than any other country in Europe. France will also be the best choice because it can easily communicate with the Canadian sites. By the end of the year all eight sites in Europe should be running.
Conclusion
Providing all systems adapt properly all of BMS can be network based within three years. Creating these network based sites will allow us to remove the middle man freeing up funds for research based uses. These systems also connect us to or fellow workers throughout the world. I believe that these systems will make BMS a state of the art company, providing the best service and security in the industry. These systems allow employees to be processed at faster speeds thus allowing more time for research. In the company’s mission statement it talks about discovery, developing, and delivery, each one of these things cannot be possible without the proper protection of the BMS facilities.

References
Bristol-Myers Squibb, s. (2011). Bristol-myers squibb: together we prevail. Retrieved from http://www.bms.com/ourcompany/Pages/history.aspx#

Brownwood Computer Innovations, Inc.,Glossary of common digital video surveillance terms. Retrieved from http://www.bci1.com/cctv_terms.htm

Laudon, K.C., & Laudon, J.P. (2010). Management information systems: managing the digital firm. Upper Saddle River, NJ, USA: Prentice
Hall.

Rand, Ingersoll. (2011) Ad-400 networked wireless lock. Retrieved from http://w3.securitytechnologies.com/products/electronic_locks/ad_ser ies/networked_options/Pages/details.aspx?InfoID=11

Tyco, . (2010). C•cure 9000 enterprise. Retrieved from
http://www.swhouse.com/products/software_CCURE9000_Enterprise.aspx