Commercial Access Control Assessment for Ottawa & Eastern Ontario

A commercial access control assessment is a structured, on-site review of how an existing access control system is actually deployed, configured, and managed across a live commercial or institutional facility. It looks past the brochure and asks the operational questions that matter: who can open which doors, whether former staff are still active, how visitors and contractors are handled, what the audit trail can prove, and whether the system can scale with the building. Family Security performs this review — our SiteScope assessment — for commercial, government, and institutional clients across Ottawa and Eastern Ontario.

This is an operational audit of a system you already own, not an upgrade quote. The sections below mirror the categories our technicians work through on site, and the findings reflect what we see in real Ottawa-area facilities. If you are weighing a modernization or replacement project instead, start with our Access Control Upgrade Assessment; if you want a broad operational picture first, this commercial access control assessment is the right starting point.

Access Control Assessment Overview

Most commercial access control problems are not failures of hardware — they are failures of configuration and management that accumulate quietly over years. Doors get added, staff turn over, contractors come and go, and the system drifts away from how the building is actually used. A commercial access control assessment documents that drift across ten areas: door and reader hardware, credentials and users, visitor and contractor handling, audit trails, remote management, lockdown readiness, scalability, and the platform-specific considerations for Kantech and Lenel deployments.

The deliverable is a documented, prioritized picture of your current posture — what is controlled, what is exposed, and what to address first — suitable for facility management, procurement, and security planning across Ottawa and Eastern Ontario.

Door & Hardware Review

The physical layer is where an access control system either holds or quietly fails. Every controlled opening is only as strong as its hardware and the way that hardware is wired back to the panel.

• Every controlled door confirmed against the system — no readers wired to doors that are no longer controlled, and no controlled doors missing a reader.
• Door closers, electric strikes, maglocks, and request-to-exit devices functioning and correctly fail-safe or fail-secure for their role and fire code.
• Door-held-open and door-forced alarms enabled and reporting, not disabled to stop nuisance alerts.
• Reader type and wiring appropriate for the security tier of each opening — high-security areas not protected by legacy low-frequency credentials alone.
• Panel and controller locations physically secured, powered, and on supervised communication.

Common finding: door-forced and held-open alerts switched off months ago to stop nuisance notifications — leaving the system unable to report the exact events it exists to catch.

Credential & User Management Review

The cardholder database is where access control drifts fastest. In a busy commercial or institutional building, the list of who holds a credential rarely matches the list of who should.

• Cardholder database reconciled against current staff — terminated employees, expired contractors, and dormant cards removed.
• Credentials issued per individual, not shared cards or shared PINs that defeat accountability.
• Access levels scoped by role and zone, so general staff cannot reach server rooms, cash areas, or restricted wings.
• Lost and replaced cards deactivated promptly, with a defined process rather than ad-hoc cleanup.
• A clear owner accountable for adding, changing, and revoking access — not “whoever is near the workstation.”

Common finding: it is routine to find 10–20% of active credentials belonging to people who no longer work in the building, alongside shared cards that make the audit trail unusable.

If your facility serves government or federal-adjacent clients, credential and user controls are also where compliance reviews focus — see our work on government security systems in Ottawa.

Visitor & Contractor Access Controls

Visitors, contractors, and temporary workers are the access population most likely to fall outside any process. They need to get in, the building is busy, and “just let them through” becomes the de facto policy.

• Defined sign-in and credentialing process for visitors and contractors, with escort rules for restricted zones.
• Temporary credentials time-bound and automatically expiring, not permanent cards handed out and forgotten.
• Contractor access scoped to the areas and hours they actually need.
• Loading, service, and side entrances controlled to the same standard as the main entrance.
• A record of who was issued temporary access, when, and whether it was returned or revoked.

Common finding: contractor cards issued for a project months ago that still open doors today, because nothing in the process forces them to expire.

Audit Trail & Reporting Review

An access control system’s value in an investigation is entirely dependent on its audit trail. If events are not logged, retained, and reviewable, the system cannot answer the questions you bought it to answer.

• Access events logged for every controlled door and retained for a defensible window.
• Logs reconcilable against CCTV footage, with system time synchronized across both.
• Reporting actually used — periodic review of after-hours access, denied attempts, and unusual patterns, not logs that exist only in theory.
• Administrative changes (who added or revoked access) tracked, so the management layer is itself auditable.
• Retention aligned with any regulatory, insurance, or client requirements that apply to the facility.

Common finding: full logging is enabled but never reviewed — so a credential used at 3 a.m. for weeks goes unnoticed until an incident forces someone to look.

Remote Management Capabilities

Remote management is now a baseline expectation for commercial access control, but it is also a security surface in its own right. The assessment checks both that you have the capability and that it is not an exposure.

• Ability to lock down, unlock, add, or revoke access remotely when a situation demands it.
• Remote and administrative access secured with strong credentials and multi-factor authentication.
• Access control servers and controllers segmented from the general corporate network.
• Default passwords changed on every panel, controller, and management workstation.
• Vendor and integrator back-door accounts identified, documented, and controlled.

Common finding: a management workstation or controller reachable on default credentials — convenient for remote support, and an open door for anyone who finds it.

Lockdown & Emergency Procedures

Access control earns its keep in an emergency — but only if lockdown is configured, tested, and understood before the day it is needed. For schools, government, and institutional facilities, this is often the single most important capability.

• A defined lockdown function that can secure the building or a zone quickly, from more than one trigger point.
• Lockdown behaviour reconciled with fire and life-safety code, so securing doors never traps occupants.
• Staff who can initiate lockdown trained, with the procedure documented rather than tribal knowledge.
• Lockdown tested periodically, not assumed to work from the day it was commissioned.
• Integration with mass notification or alarm systems where the facility requires it.

Common finding: a lockdown capability that exists in the software but has never been tested, mapped to staff roles, or checked against egress requirements.

Expansion & Scalability Assessment

An access control platform should grow with the organization. Part of the assessment is determining whether your current system can take on more doors, sites, and users — or whether you are approaching a wall.

• Controller and panel capacity for additional doors without a full head-end replacement.
• Licensing model understood — door, reader, or client-count limits that constrain growth.
• Ability to bring additional buildings or sites under one unified management platform.
• Software and firmware within the manufacturer-supported window, so expansion is not blocked by obsolescence.
• Integration headroom for CCTV, intrusion, and visitor management as needs evolve.

Common finding: a system at its licensed or hardware limit, where the next door added forces a larger upgrade decision that should have been planned for in advance.

Kantech Considerations

For facilities running Kantech, the assessment includes platform-specific checks. Kantech EntraPass is widely deployed across Ottawa commercial and institutional sites, and most issues we find relate to version currency and database hygiene rather than the hardware itself.

• EntraPass edition and software version within the supported window, with current updates applied.
• Controller firmware aligned with the software version to avoid integration gaps.
• Database backups running and verified, so the cardholder and configuration data is recoverable.
• Operator accounts and permission levels reviewed and current.
• Reader and credential technology assessed against the security tier each door requires.

For a deeper look at the platform, see our Kantech access control page, or compare options on Lenel vs Kantech.

Lenel Considerations

For larger and higher-security environments running Lenel, the assessment focuses on the configuration and lifecycle of an enterprise platform that is powerful but unforgiving when neglected.

• OnGuard version and database health reviewed, with patch level inside the supported window.
• Segmentation, access levels, and cardholder data structured cleanly rather than accumulated ad hoc.
• Integration with CCTV, intrusion, and visitor management validated against how the building operates.
• Redundancy, server health, and backup posture appropriate to the criticality of the facility.
• Operator roles and administrative access tightly controlled and audited.

More on the platform is available on our Lenel access control page.

Common Findings

Across the categories above, a consistent pattern emerges in most commercial access control assessments: the hardware is largely sound, but the configuration and management have drifted away from how the building is actually used. The equipment is rarely the problem — the gap is in who has access, what the system can prove, and whether anyone owns it.

Typical SiteScope Findings

These are the real-world issues our technicians most often document during an on-site SiteScope access control assessment in Ottawa and Eastern Ontario. None of them require a sophisticated attacker — they are everyday gaps that accumulate in busy facilities.

• Shared credentials — cards or PINs used by more than one person, making the audit trail meaningless.
• Former employees still active — terminated staff whose credentials still open doors weeks or months later.
• Excessive user permissions — general staff with access to server rooms, restricted wings, or high-value areas they never need.
• Unsecured perimeter or secondary doors — side, service, and loading entrances held to a lower standard than the main entrance.
• Missing lockdown procedures — a lockdown capability that exists in software but is untested and unmapped to staff roles.
• No visitor management controls — visitors and contractors entering with no sign-in, escort rules, or expiring credentials.
• Unsupported or aging hardware — controllers, software, or readers outside the manufacturer-supported window.
• Inconsistent credential policies — no defined standard for issuing, scoping, and revoking access.
• Poor audit trail review practices — full logging enabled but never actually reviewed.
• Expansion limitations — a system at its licensed or hardware capacity with no growth plan.

Documenting these findings against your actual facility — rather than a generic checklist — is the difference between a list of best practices and a prioritized plan you can act on.

SiteScope Assessment Checklist

Use this as a quick self-audit before a formal review. If several items are uncertain or “we think so,” that is the signal to move from a self-check to a documented SiteScope assessment.

• Every controlled door verified against the system, with working hardware and active forced/held-open alerts.
• Cardholder database reconciled against current staff, with no shared credentials.
• Access levels scoped by role and zone, with restricted areas on a higher tier.
• Visitor and contractor process defined, with time-bound, expiring temporary credentials.
• Audit trail logged, retained, reconcilable with CCTV, and actually reviewed.
• Remote management capable, segmented, and secured with MFA and changed default passwords.
• Lockdown defined, code-compliant, staff-trained, and tested.
• Expansion capacity and licensing understood ahead of need.
• Kantech or Lenel platform on a supported version with verified backups.
• A single accountable owner for access changes, reviews, and incident follow-up.

A professional review ties these items together and connects to the broader commercial security systems work needed to close any gaps.

Frequently Asked Questions

What is a commercial access control assessment?

It is a structured, on-site review of how your existing access control system is deployed, configured, and managed — covering doors and hardware, credentials and users, visitor and contractor handling, audit trails, remote management, lockdown readiness, and scalability. The result is a documented, prioritized picture of your current security posture, not a sales quote.

How is this different from an access control upgrade assessment?

A commercial access control assessment is a broad operational review of a live system — who has access, what it can prove, and how it is managed. An access control upgrade assessment is narrower and focuses specifically on whether to modernize or replace the system. Many facilities start with the operational assessment, then move to an upgrade assessment if replacement is on the table.

Do you assess both Kantech and Lenel systems?

Yes. We assess Kantech EntraPass and Lenel OnGuard deployments, along with other commercial platforms, and include platform-specific checks for version currency, database health, integration, and operator permissions.

Which areas of Ottawa and Eastern Ontario do you serve?

Family Security serves commercial, government, and institutional clients across Ottawa and Eastern Ontario, including Kanata, Nepean, Orleans, and the wider National Capital Region.

Will an assessment disrupt our operations?

No. A SiteScope access control assessment is a non-disruptive review conducted during normal operations. We document the system as it runs, and deliver findings and priorities afterward — without taking doors or controllers offline.

Book a SiteScope Access Control Assessment

Family Security performs on-site commercial access control assessments across Ottawa and Eastern Ontario. We work through the same categories on your actual facility — doors, credentials, visitors, audit trails, remote management, lockdown, scalability, and your Kantech or Lenel platform — document what we find, and deliver a prioritized plan. The result is a defensible picture of your current posture, not a quote for equipment you may not need. Planning a modernization or replacement project instead? Review our Access Control Upgrade Assessment.