(343) 505-6500 info@familysecurity.ca Ottawa, ON — Eastern Ontario
NDAA COMPLIANT · 20+ YEARS FR

Common Access Control Issues Found During Site Reviews

Commercial building entrance reviewed for common access control issues

Most commercial buildings in Ottawa have access control. Far fewer have access control that works the way the building owner thinks it does. The gap between the doors lock and the system is operationally trustworthy is where Family Security’s commercial site reviews live. A site review is not a sales walkthrough.

It is a technician-led structural audit of every layer of an existing access control deployment — head-end controllers, readers, credentials, network path, door hardware, integrations, and the documentation that holds it all together. When the reviewing technician publishes a Technician Review Note at the end, the building owner is reading the same diagnostic file a procurement officer or insurer would.

The list below captures the common access control issues we encounter most often when we walk a commercial or institutional site for the first time. None are unusual. Several are inherited. All of them shape the upgrade conversation that follows.

1. Legacy controllers approaching end-of-life

The most common finding on a first walkthrough is a head-end controller the manufacturer has already moved past. Kantech KT-100 and KT-300 panels still operate, but their published end-of-life dates have passed and replacement boards become harder to source every quarter. Earlier DSC PC-Link generations and discontinued HID VertX controllers sit in the same category.

The doors still unlock — until a board fails, the proprietary programming tool stops loading on a current Windows machine, or the building changes hands and the new owner discovers the system cannot be expanded. Identifying these common access control issues early lets the upgrade path be planned around procurement budgets and tenant impact, instead of triggered by an outage. This is the most frequent route into a security system upgrade project we see.

2. Credential databases no one trusts

Technician swiping a credential at a commercial card reader during a site review

A typical mid-size commercial building has between 80 and 400 active card holders. When we ask for an audit-quality list, what we are most often handed is a spreadsheet that has not been reconciled in two to four years. Orphan cards still belong to terminated employees. Visitor and contractor cards were issued and never revoked. Card numbers were re-used between people. Photo ID and card number are not linked anywhere.

The system trusts every credential the database still considers active — which is the underlying access control issue, not the cards themselves. A clean credential audit is one of the most reliably valuable items a commercial access control site review produces, and frequently the trigger that gets cardholder governance onto someone’s calendar for the first time in years.

3. Reader hardware that is quietly NDAA-noncompliant

Sites that host any federal-tenant traffic — and a notable share of Ottawa commercial buildings do — are exposed to Section 889 of the National Defense Authorization Act, which restricts U.S. federal agencies from buying or using telecommunications and surveillance equipment from certain manufacturers. Older readers, badge printers, and a fair share of IP video components quietly sit on the wrong side of that line.

The building’s operations team rarely knows which reader model is installed at each door. Federal tenants assume their landlord has cleared the supply chain. A site review documents the manufacturer, model, and firmware of every reader and head-end component, and flags any that fall under the Section 889 prohibitions. On federal-tenant buildings we frequently recommend migration to enterprise-grade platforms such as Lenel OnGuard where the supply-chain posture is already on record.

4. Mis-tiered authentication zones

Technician verifying keypad authentication tier on a commercial access control reader

A common access control design failure is the “every door is the same door” pattern. Server room, executive office, after-hours staff entrance, and a side fire-exit corridor are all protected by the same single-factor card read at the same access level. The cardholder list inherits this — anyone with a card has the same effective authority everywhere they hold access. Mature commercial deployments separate perimeter, occupied space, sensitive workspace, and restricted infrastructure into distinct authentication tiers, often with two-factor (card + PIN) or card + biometric on the highest-sensitivity doors. A commercial access control site review maps the existing zoning, compares it against operational reality, and proposes a tiered design that matches credential strength to actual risk.

5. Door hardware lagging the head-end

The access control panel was upgraded eight years ago. The strike, REX sensor, and door position switch on the same opening have not been touched since the building opened. Mechanical lag is one of the most common sources of latent access control issues: an electric strike that releases late, a magnetic lock that holds slightly past the unlock signal, or a request-to-exit sensor that intermittently fails to fire. The head-end logs say the door operated normally. The building operator says staff complain about that door every week. Door hardware lifecycle has to be reviewed alongside the head-end, never separately — which is why our site review template walks every opening physically, not just from the panel.

6. Documentation drift

Family Security technician documenting access control issues during a commercial client site walkthrough

A single technician programmed the system in 2014. The technician is no longer with the original integrator. The original integrator may no longer be in business. Programming changes since have been applied directly to the panel without record. The Operator Programming Manual lives in someone’s desk drawer. There is no diagram of which controller serves which door. This pattern — undocumented multi-master programming — is the single greatest barrier to a clean handover, a defensible upgrade scope, a maintenance contract, or a forensic incident review. Restoring documentation is rarely glamorous and almost always the first deliverable of a serious site review. Done once, it pays back for the life of the building.

7. Network paths that quietly violate IT policy

Access control controllers were originally serial devices. Many of the panels we encounter still communicate over RS-485 with no encryption, bridged onto the corporate LAN by a serial-to-IP converter the IT team did not approve. Some sit on the same VLAN as the building’s printers. Plaintext panel-to-host traffic and unsegmented controller VLANs are common access control issues an IT audit will surface before a security audit will — and they are increasingly common pre-conditions for cyber-insurance renewal. A site review captures the controller’s actual network path, including any bridging hardware, and flags the gaps before someone else does.

8. Maintenance debt that surfaces only on failure

Kantech KT-400 controller in a clean compliance-ready installation

Standby batteries past their service life. Tamper switches disconnected and never reconnected. Fail-safe versus fail-secure assumptions made by the last contractor and never verified. Door position switches that have stopped reporting, but the panel was never told to alarm on the silence. These are not glamorous findings, and the building usually has no record of them.

They are the common access control issues a building notices only on the day they matter — the day a power event takes out a controller with a dead battery, or a fire safety inspection finds a magnetically locked egress door that fails closed instead of open. Maintenance debt is surfaced through structured inspection, not through reading the panel log. Our security system maintenance program is built around catching it before failure.

9. Integration gaps with CCTV, intrusion, and intercom

Access control, video surveillance, and intrusion detection are usually purchased and installed in different years by different vendors. They are rarely integrated. A door forced open does not pull a camera view. An invalid-credential event does not raise an intrusion zone. An after-hours card swipe is not gated by the building’s alarm-system state. The owner has paid for three subsystems that operate as three silos. Resolving these integration gaps is a primary driver of the work on our commercial security systems page, and a typical Tier-2 deliverable of a thorough site review.

10. How Site Reviews Surface Common Access Control Issues

A SiteScope site review ends with a structured Technician Review Note, not a quote. The note documents every finding in the categories above — make and model of each controller and reader, credential audit summary, zoning map, door hardware inventory, network path diagram, documentation gaps, maintenance status, integration gap summary — and assigns each item to one of three response tiers: address now, plan into the next upgrade cycle, or monitor. The building owner leaves with a procurement-grade reference document. The common access control issues that warrant remediation are scoped honestly; the ones that do not are explicitly de-prioritized. Either outcome is more useful than a sales-led walkthrough.

Family Security has been deploying commercial access control in Ottawa for more than twenty years across federal-tenant, institutional, multi-site, and bilingual deployments. A site review is how we start every long-term engagement, and the most reliable way to surface the common access control issues a building has been carrying without knowing it.

Book a SiteScope site review
Talk to an access control specialist