Key Management Policy

Transcription

1 THE LAMBTON COLLEGE OF APPLIED ARTS AND TECHNOLOGY Issued Date: Supersedes Date: Policy #: January 04, 2006 October 02, Key Management Policy Policy It is the policy of the Lambton College to maintain a unified access program throughout all College sites, ensuring the highest security standards in the protection of site facilities and create a safe working environment by restricting access through the issuance and control of keys and cards related to the operation of Lambton College facilities. Scope To provide a high security keying and electronic access program encompassing the maintenance of all locks, issuance of security keys and key cards, tracking, auditing and retrieval of system keys and cards ensuring the integrity of the keying and electronic access management program. Management Structure Reference management chart (PDF) - appendix. College Program Coordinator The college Program coordinator is appointed to oversee the security keying program through all the Lambton College facilities. The coordinator is empowered to maintain the unified standards, policy and operation procedures remain consistent and of the highest standards.the coordinator will act as an ex-official member of all the management committees and receive all reports and documentation required to ensure that a unified effective keying program is being maintained throughout Lambton College. Access Management Committee The access management committee shall consist of three individuals representing management, security and physical plant with the College program coordinator and access control manager acting as ex official members of the committee representing all facilities and interrelated smaller facilities. This committee shall be empowered to issue or deny access to keys and cards and mandated to enforce the policies and process established a teach site. This committee, in conjunction with the program coordinator will have the power to change the access policy from time to time as the operational state of the facility changes. Members of the management committee may assign a temporary replacement during their absence Access Control Manager An individual with knowledge of the keying management and electronic access system will be selected and empowered to manage the day to day processes of issuing, tracking, auditing and retrieving keys and cards.the key control manager will oversee all record keeping and storage of non issued keys and cards including the report auditing of all departments. Reporting Structure

2 The access control manager is empowered to operate the day to day keying and access control program through the access management committee. The daily access system operation and management is based on the established access system policy and processes. The access control manager is required, utilizing the key management software and electronic access software, to forward status report confirming operational integrity to both the management committee and College system controller. Reports: 1. Key issuance 2. Lost/stolen key or card status 3. Request for key changes 4. Key design changes Key and Card Holder Accountability 1. All systems keys and cards are the property of Lambton College. The proper use and care of the keys and cards is the responsibility of the individual to whom the keys are issued. 2. System keys and cards are not to be loaned. 3. System keys and cards are not to be transferred. 4. System keys and cards are to be rendered on request and returned to the access control center if retirement, transfer, termination or separation from or within the College occurs. 5. Adherence to the access control is required. Issuance of Keys Keys will be issued to employees and students of the Lambton College and approved individuals. This policy and the access management committee will govern issuance of keys based on the level in the hierarchy design. LEVEL I ZONE LEVEL II BUILDING LEVEL III FLOOR LEVEL IV DEPARTMENT LEVEL V CHANGE Level I II These levels will be issued to a key tracking system. The keys in these levels are to be used on the College premises only and are not to leave the premises at any time. Only authorized individuals approved by the management committee will be allowed access to these keys by the issuance of a tracking auditing system. These keys must be returned daily to the tracking system based on the individual's job and time requirements. The access control manager has the authority to demand that keys be returned at any time if the assigned individual fails to return the key at the designated time or removes the key from the Lambton College facility. Level III The access control manager is assigned the authority to issue or deny Level III keys. These keys may be issued to the control center key trackers. The removal of these keys from the operating facility is not allowed. Any individuals not returning keys at the designated return time will be called and required to return keys to the facility. Issuance of Level IV & Level V The access control manager is assigned the authority to issue or deny Level IV & V keys. These keys will be assigned to individuals with the approved authority of area managers established and assigned to the key management software. Hierarchy

3 An approved keying hierarchy design reflecting the integration of the key master keying criteria for the College is the only keying structure to be followed in the maintenance, servicing and additions to the keying program. No cross keying or maizon keying to be allowed unless approved by the access manager committee.any keying outside the hierarchy criteria must be by the site management committee with clear justification and forward to the College program coordinator. Key Request All keys must be requested and supplied through the access controller and authorized in accordance with the policy and processes established by the Lambton College.Request for keys is to be on a Lambton College key request form. Authorization Level I & II The authorization for issuance of Level I & II keys to be approved by & II the access management committee with two signatures required. Level III The authorization for issuance of Level II keys to be approved by the access control manager with request from approve signatures of the department manager or supervisor of the operations department requesting the use of the keys. Level IV & V Level IV to V authorization for issuance of keys to be approved by & V the department manager of supervisor of the individual for which the key is being requested. The department manager or supervisor is required to complete a key request form and submit it to the access control manager. Electronic Card Issuance The access cards are defined in three levels: 1. Level I Security: access, this level controls building and high level entry doors in real time control with alarm response. 2. Level II Controlled: these doors are controlled by security with direct linkage and accountability by other groups. 3. Level III Departments: access, this level is directed to the departmental level and is managed by the individual or group as an independent location. Card Issuance Card issuance may be as direct distribution or utilization of an individual's present student or staff card. The security control and maintenance is by software or on site programming. Request re applications for access is through a security request form with proper authorization for approved location access. The control of all access is through the access control manager or their designate. Auditing The control and management of the electronic access is maintained by the access control manager or designate. Auditing of the software to ensure integrity will create managed entry points. Individuals in violation of the security protocols at any entry point will be subject to an operational review by security or direct supervisor and have denied access status until such time as violations are corrected. Electronic Card Returns The integrity of the electronic access is not dependant on the cards being returned, it is the policy of Lambton College to request that all access and I.D. be returned to the access manager upon retiring, transfer, separation or termination from the employment or attendance at Lambton College. Key Storage It is the responsibility of the key control manager that all spare keys to be secured in a key cabinet and ensure that all software data is properly maintained and updated as required for all system keys accountability. Key Auditing/Operational Processes

4 Attached to the policy are the operational key control requirements. Addendum: Operational Key Control F16. It is the responsibility of the access control manager to review the process outline and establish an operational plan to ensure all aspects of the issuance, tracking,auditing and retrieval are followed as established in the process outline approved by the corporate program coordinator. Change to Access Policy The access management committee in conjunction with the College system coordinator has the authority to make changes to the management policy as required to maintain a policy compliant with the operational requirements, staff and students, at Lambton College. Key Returns Security keys issued to individuals for the purpose of access to Lambton College remain the property of Lambton College and must be returned to the access control manager or their designate upon retiring, transfer, separation or termination from the employment or attendance of Lambton College. Individuals not returning their approved keys will be held responsible for a two or five hundred dollar penalty depending upon status or key level. Keys assigned with deposits, if not returned, will have the deposits held. Key Issuance Internal With the approved authorized signature, the access manager is required prior to issuance of security system keys to update the computer information and develop a signature acknowledgment form for which the key holder must sign. A key card I.D. will be issued to each key holder. The I.D. is to be registered with the appropriate departments ensuring retrieval of all keys prior to discharge or transfer. Key Issuance External The issuance of keys to external contracts is to be approved by the access control manager or authorized designate. The external contract will sign an acknowledgement of the key assignment and accept the cost of replacing keys if lost or stolen. (Form to be developed by corporate program manager). Lost/Stolen Keys & Cards Any individual in receipt of a security access key or card issued by Lambton College is responsible to notify immediately any key which is lost or stolen. Lost or stolen key reports must be reported immediately and not exceed a 12 hour period. The response as to the action required to ensure security is maintained is the access control manager and access management committee's responsibility. Departments or individuals may be held responsible for the cost of re-keying the College premises due to lost or stolen keys. Key System Changes Any keying changes to the master key system or renovations to the facility which will require new locking hardware will be processed through the access control manager. No individual may change any keys or locks at the facility without the consent of the key control manager. Any changes must follow the hierarchy design or be approved by the management committee. Maintenance The access control manager is empowered to maintain and service the keying and electronic access systems. All additions must use qualified key codes as designed in the original system or system approved by the access control manager. Key Management Software

5 The software is to reside on the computer in a location accessible by the access control manager. The software is the central management for control and issuance of any keys. An individual will be required to operate as the software manager. This individual or site designate will process all key requests and distribute keys in accordance with the management policy. Also required by the software manager is to process requests from Human Resources or department responsible for all individuals leaving the College facility and have a timely report of all individuals to allow the retrieval of keys before departure and process the reregistration of those keys in the software. Key Identification Lambton College requires that all systems keys be identified with a site code,location code and individual tracking codes. Multiple keys are to be attached to a serialized security ring or security identifying seal prior to issuance and this coding to be used for individual accountability. Key Card Tracking Every individual receiving a security system key will be issued a key card with the care and maintenance clearly explained. The individual serial code will be used to ensure key retrieval within the organization. Information System A document key record form must be used when: - Requesting keys # Reporting lost/stolen keys # System servicing # All rules and processes defined on the forms must be closely followed. Key Production Security and registered key production is restricted to the access control manager or their designate and production is restricted to Lambton College unless approved by the access management committee. Control of Codes All system codes must be maintained by the access control manager and use of the codes by the hardware manufacturer must be in conjunction to the restrictions and security needs of Lambton College. New Construction/Additions All system cylinders or electronic access used at Lambton College facilities must be supplied through the approval of the access control manager or the management committee in conjunction with the architectural criteria required in the new construction. Appendix Management Control and Accountability