Conventionally, electronic access control to areas of buildings involve access controllers coupled to readers and similar devices which control locking mechanisms to doors accessing areas of buildings. Access decisions, responsive to a badge or other user identifying means read by such readers, are based on information stored in a central computer database or in local databases of the access controllers. Such facilities access control systems are described for example in U.S. Pat. Nos. 4,839,640 and 4,218,690, and also the ONGUARD® systems sold by Lenel Systems International, Inc., Rochester, N.Y. Events detected by access control systems indicating that security has been compromised can be monitored by security personnel, but are not capable of automatically affecting user access in information systems, such as Windows NT, Windows 2000 or Unix servers, which often have terminals or computers located in the same physical environment controlled by the facility's access control systems. Typically, access to information is provided by user authorization, such as Login ID and associated password maintained by a system administrator. As a result, a user whose access privileges to areas of a building have been discontinued, often continues to have access to sensitive data maintained on information systems for a period of time, i.e., until a system administrator for the information systems is notified and then updates the user's access to the information systems, such as by disabling their Login IDs and passwords.
Similarly, at an information system, a user whose access, such as by Login ID and password, may have been blocked, can often continue to having access to areas of a building for a period of time, i.e., until an administrator of the facility's access control system is notified and then changes the user's privileges to access such areas. The delay between the blocking of access to an information system or facilities access control system after a security breach is detected may be minutes, hours or days, depending on the responsiveness of personnel and effectiveness of company policy and procedures. Such a delay can be detrimental to the ability of a company, government organization, or other institution, to protect sensitive information. Further, often other types of facility protection systems are provided in the same environment as the access control system, including digital video surveillance, fire and intrusion detection (burglar) systems, which may detect events posing risk to a facility, personnel, and information systems. Such events, although reported to security personnel monitoring facility protection systems, do not necessarily cause any automatic actions to protect data maintained by the information system, or in the case of intrusion detection (break-in), limit door exits by the access control system in the area of the detected intrusion.
Accordingly, it would be desirable to provide integrated monitoring and real-time response to events occurring in facilities physical environment protected by facility protection systems (such as access control systems, fire and intrusion detection systems) and data and network environments of information systems, respectively, such that events occurring in facility protection systems can cause actions at information systems to protect access to data and networks, and events occurring at information systems can cause actions at facility systems to protect facilities controlled/monitored by such facility protection systems. Furthermore, it would also be desirable to integrate the management of users and their access privileges to the facility environment controlled by a facility's access control system with user and access privileges to the data and network environments controlled by information systems.
Complex login procedures have been developed for information systems to increase secure access to such systems, such as described, for example, in U.S. Pat. Nos. 6,035,405, 5,887,140, 5,892,901, 5,970,227, and 5,712,973. Such login procedures have involved the use of other login means, such as biometric, fingerprint, smart cards, security tokens or badge ID information, often with authorization circuitry coupled to terminals of information systems enabling reading of such information. However, such information systems do not link access to information systems with access to facilities, in which the management of users and access privileges to facilities and information system are integrated in a single system.