Banking On Convergence

Integration of physical access control with IT functions begins a major shift at Fifth Third Bank

• Feb 01, 2006

FIFTH Third Bancorp is a diversified financial services company headquartered in Cincinnati. The company has $104.6 billion in assets and currently operates 19 affiliates with 1,100 full-service banking centers, including 128 Bank Mart® locations open seven days a week inside select grocery stores and 2,000 Jeanie® ATMs in Ohio, Kentucky, Indiana, Michigan, Illinois, Florida, Tennessee, West Virginia and Pennsylvania.

In the past, physical access control systems have typically resided within the security department, segregated from the rest of an organization's IT department. Meanwhile, the IT department has created an entirely different access system for network or logical access.

Today, that is no longer the desired or standard access control environment. Following this physical access control system paradigm shift, communication between the security and IT departments has become more critical than ever. Sharing the same infrastructure between the security and IT departments not only makes fiscal sense, but it makes security sense, as well.

"It is our job in physical security to protect the bank," said Mike Neugebauer, manager of safety and security for Fifth Third. "It is IT's job to protect our systems. Our mission has been successful due to the partnership that has formed between our departments. While our roles are different, our objective is the same. By working together, we have been able to accomplish a number of things that simply could not have been done without this partnership."

For instance, Fifth Third Bank has been using GE's Picture Perfect access control and security management system at its headquarters and 42 other locations since the early 1990s. With it, someone can create and support an unlimited number of badge holders and card readers. The system also provides access to features such as database partitioning and occupancy control. Bank officials can delegate facility administration while still maintaining centralized control. Notably, the bank is provided real-time monitoring and audit trails.

Fifth Third Bank also is in the process of integrating the March Networks DVRs and the Picture Perfect system into the GE MASterMind central station package (formerly Monitoring Automation Systems). This will allow employees to monitor and respond to all alarms, whether generated from a standard burglary or fire panel or through the card access system in a single interface. The CCTV integration provides instant access to any associated video information. This integration allows security to quickly e-mail high-quality photos to the proper authorities. This has directly resulted in apprehension in a number of cases.

In addition to being monitored by the central station, the Picture Perfect system is integrated with Fifth Third Bank's e-mail system, so that certain high-security alarms can automatically be sent out to personal computers and to designated cell phones via text messaging. Employees generally receive the alarms within a few seconds of the alarm being tripped. This allows the operators to follow standard dispatch procedures while key individuals are notified automatically.

By centralizing the security operations, security can achieve tighter control and use of personnel at maximum efficiencies, even though facilities are spread throughout nine states.

The system allows security to determine precisely who receives access to designated areas and at what time, and this information can be printed out or e-mailed as a report. As an example, security officials can enter a badge holder's name and determine the time and place that individual entered or exited an area.

How the System Works
For Fifth Third Bank, the security management system not only manages access control, but works in conjunction with CCTV surveillance and fire alarm functions. A redundant server configuration is used, running the Red Hat Linux operating system. The security management system runs on the IT backbone. A hot backup server ensures that if the primary machine goes down, the backup will take over, with no loss of operation. The backup server is located in a separate location in another state.

Ten client workstations are used to run the security management system. Seven are regular workstations designated for system configuration and alarm management. Three workstations are used for creating employee badges, which are presented at card readers to access various areas of the bank. The bank has added several hundred readers since installing its first version of the security management system, and it plans to add more it expands into other states.

The access control and security management system is used in all Fifth Third Bank corporate offices, which are usually located in denser downtown areas. The system controls more than 1,100 doors throughout the bank's nine-state area, some with both inbound and outbound readers.

In order to smoothen the transition to new credentials, the latest installation includes GE's new Transition card readers, which can read most types of access control cards including all popular proximity and smart cards. In fact, the bank is switching from magnetic-stripe to Mifare cards to stay on top of technology. The bank also has biometric readers for high-security areas.

The security management system allows remote management of access control functions, including scheduling what time doors will lock and unlock in other states. The automatic time zone feature is helpful. In the past, officials had to adjust for different time zones manually. Now, they can schedule doors to unlock at 8 a.m., and the system automatically converts to the time zone for that door.

Both CCTV surveillance cameras and fire alarm systems work in conjunction with the Picture Perfect security system. The cameras are always recording, and officials can find out who really used a given door and at what time by going to the camera. The bank can visually identify the people using doors synchronized to the second. If researching an incident, officials can look at a badge activity report and pull the exact time from the March DVR.

New Features Add Flexibility
Fifth Third Bank was the among the first sites to go live with the Picture Perfect 3.0 beta software. With this latest version, officials are now customizing forms for better appearance for the operator and changing the screen so that different tasks are seen in a more efficient way, depending on what the operator is working on.

Using database triggers, the bank can add its own features to customize the system even further. If needed, the triggers can be turned off and on, and will revert to the way that it was before. New scripts don't permanently affect the system and, more importantly, don't affect support agreements with vendors.

When the bank does its badge imaging, capturing photos for IDs, it can now use one security management system for two card access systems. These systems will eventually be integrated so that card management will be handled in Picture Perfect and automatically update the Verex alarm system used for burglary alarm and card access in retail locations.

Bank officials also use the reporting tool often, exporting to Excel or a PDF file. They can now write reports with drop-down boxes, which makes the information easier to find. Reports contain information on everything from who has access to certain areas, to system configuration information.

Automating the regular reports has allowed console operators to focus on more critical tasks rather than the manual tasks of pulling reports. The bank runs approximately 200 automated reports at various intervals, from weekly to monthly or quarterly. Recipients receive the reports as Excel files. In addition to saving operators time, automated reporting ensures that the reports go out on schedule and are never overlooked. This helps the bank maintain a high level of audit compliance.

Security officials also have written scripts that ensure that no employee has duplicate badges and that contractor badges are deactivated after a certain period of inactivity.

Fifth Third Bank's human resources department shares some non-sensitive employee information -- such as name, department and phone numbers -- so personnel changes are automatically imported to the system and terminations automatically deactivate a former employee's badge.

What It's All About
Without question, physical access control systems on an enterprise level are now described as much in IT terms as they are in access control terms. The openness of these integrated physical security systems lets security officials integrate security solutions with other business application systems, such as personnel and enterprise resource planning.

That's what convergence is all about.