Our company IT department is somewhat involved in physical access control.
And will never have full control.
Among other things, the company I work for does electronic security and physical access control system design and installation. And we have customers with very stringent and demanding requirements.
The thing is that the design, installation, and long term maintenance of good security systems is a specialty, a career specialty if you want to be very good at it.
And, yes, I am not just talking about door access, video surveillance, and so forth. I'm also talking about securing sensitive data, maintaining the integrity of an organization's PCs, servers, and so forth.
So, for instance, despite the fact that our company IT department has people who are quite good and knowledgeable, they aren't nearly as knowledgeable of security systems and philosophy as they might think they are. After all, their day to day work keeps 'em busy enough.
And, let's be realistic, your weak link in a good security system might be within your own IT department.
This isn't just MY take on the matter. It's also the way our most security conscious customers also view this sort of thing.
So while our IT department, and that of our very security conscious customers, is, of course, involved in planning and execution, they DO NOT have full control. And in fact aren't even told everything, haven't access to everything, etc.
Within our company, our security systems design and implementation group, a small number of them, have overall responsibility for our own internal security systems. And among other things they do, they'll routinely audit and check up on our IT department.
That security specialist group, BTW, does contain a couple IT professionals, who specialize in IT security. But they're separate from and not connected to our IT department.
This is generally, almost always, also true of our most security sensitive customers. They have a separate security group, and I'm not talking about their security guards, that is responsible for overall security. Which also contains IT security specialists who are not members of the organization's IT department.
Because one of their jobs is to watch, audit, and otherwise try to find IT department personnel who might be violating the security rules.
It's kind of like this, let's take one VERY security conscious customer of ours. Their facility is loaded with surveillance cameras, various access control devices, motion sensors, etc, etc. All monitored 24/7 by better than average security department watchmen and guards.
But what those guys don't know is that there are additional systems and equipment installed which they don't see, which don't show on their monitoring screens ... which watch over THEM.
Oh, actually, they do know. They just don't know the specifics of where and what and how.
Those additional security systems and methods, that watch the watchers, are only known to a very small core group within the security department. And are accessible only to them.
Get the idea?
That small core group, BTW, NEVER actually have a chance to be alone in a situation where they might lay hands on the valuables that are being guarded (meaning either data or actual physical items being guarded). At all times, everything members of that core group do is monitored and watched by someone else.
The problem with an IT department having full control and power is just this ... who watches and monitors them? Plus, it is unlikely that any of them are all THAT knowledgeable of proven, tried, and true security methodology and philosophy. Which entails a lot more than simple knowledge of security hardware or software.
Sorry, can't go into a lot of details. For obvious reasons. Anyone interested can start learning the types of things I'm alluding to by obtaining and reading some books on the art and science of physical security.