How To Manage Keys At Trent University

Transcription

1 POLICY ACCESS CONTROL Category: Approval: Responsibility: Date: Operations & Governance PVP Vice President Administration Date initially approved: September 1, 2005 Date of last revision: April 2012 Definitions: Change Keys keys that allow access into a single room, or a suite of two or three rooms all keyed alike eg. An office or office area. Master Keys keys that allow access into a group of rooms or buildings. Generally, a Grand Master will allow access to all doors on a single keyway; a Master will allow access to all rooms in a building or a number of common function doors in one or more buildings eg, residence rooms, mechanical spaces; a Sub Master will allow access to number of functionally or organizationally related rooms in a building such as all spaces controlled by a University Department. Shift keys one or more keys that are issued to an employee for the duration of their work shift to allow them access to spaces that are not occupied and/or controlled solely by them. For example, several sub-masters to allow a custodian access to all spaces in a building for cleaning. Purpose/Reason for Policy: The purpose of the Access Control Policy is to: protect the personal safety of faculty, staff and students. safeguard both university and privately owned material assets. clearly define the approved procedures and authorities for access control at Trent University. Scope of this Policy: This policy applies to all Trent owned infrastructure and access control systems. It applies to all employees, students, contractors and visitors who require key or card access to Trent infrastructure. Policy Statement: It is the policy of Trent University to safeguard persons and property by controlling access to university buildings so that only authorized users of a space have access to that space. To minimize the risk of lost or stolen keys, Trent University will work towards installing card access systems on all external doors. We will also operate a decentralized key/card access system that places the authority and responsibility for maintaining internal building security through effective key/card control at the departmental level. The Access Control Supervisor will assist departments in establishing and maintaining a key/card access system. 1

2 Responsibilities: VPs, AVPs, Deans, Associate Deans, Department Chairs and Directors are the Designated Access Control Authority for the facilities allocated to their unit. They may delegate the authority to request and control keys/access cards and/or requisition changes to locks to a staff member using the Access Control Delegated Authority Form (Appendix 1), which is to be submitted to the Director, Risk Management. All requests for master keys must be approved by the appropriate Vice-President, AVP or Dean and the Director, Risk Management. Requests for sub-master keys must be approved by all AVPs, Directors or Department Chairs who control spaces that can be accessed by the sub-master. The Director, Risk Management is responsible to approve the selection of cost effective access control hardware and software (standard locking system) to provide appropriate physical security commensurate with the risk inherent in each location. The Director, Risk Management will ensure adherence to this policy and has the authority to deny any requests for keys/cards that contravene the intent of this policy or compromise the security of the university. Such denials may be appealed to the Vice President Administration. The Director, Risk Management is responsible to ensure department key control practices are audited when required. The audit will, as a minimum, verify that unused keys/cards are securely stored, that keys are properly signed out and recovered, that all individuals with keys/cards still have a bona fide requirement for those keys and that the department only retains keys for spaces allocated to that department. The Locksmith and Locksmith assistants are responsible for the maintenance, repair and replacement of door lock cylinders and lock sets. They are responsible to receive key/card and lock change requests, ensure that the requests are signed by a valid Authority and perform the requested work within a reasonable time frame. The Locksmith is responsible to maintain up to date records of all keys produced, issued, returned and destroyed, as well as the keyways and codes for all locking devices installed throughout the university, with the exception of desks, cabinets etc. The Designated/Delegated Authorities (hereafter referred to as the Authority ) are responsible to secure keys/cards that have not been issued. The Authority is responsible to keep a record of all keys issued to faculty, staff, students, contractors and visitors and ensure that those keys are returned when the individual is no longer authorized to have access to the space. Authorities must ensure individuals who are not faculty, staff or students at Trent University read and sign the Key Holder Agreement (Appendix 2) when they are issued university keys/cards. Students, staff and faculty are to be informed by the Authority that they are required to read and comply with this policy when their keys/cards are issued. Authorities requesting a change or upgrade to the standard locking system such as re-keying, replacing lock sets and cylinders or installation of a different security system such as electronic (keypad), biometric or card access, are responsible to cover the cost of the change and the ongoing cost of maintaining the upgraded locking system from their departmental operating budget, unless the Director, Risk Management determines that the upgrade is required for the university to maintain appropriate security. The criteria for approving upgrades to the standard locking system are if the space is multi-occupant (4 or more) and/or if the space contains extremely sensitive, vulnerable, dangerous or valuable contents that cannot be effectively secured by the standard locking system. The department is also responsible for the cost of replacing lost, stolen, broken or worn keys and the cost of re-keying in the event of lost or stolen keys. The department may recover these costs at their discretion from the individual who has signed out the keys. Keyholders. Keys to University spaces issued to individuals affiliated with the university remain the property of Trent University. Upon receipt of a key/card, the individual key/card holder agrees: a. to the proper use and care of the key/card; b. not to loan, duplicate or use the key/card in any unauthorized manner; 2

3 c. to return it to the issuing authority upon demand. All Trent community members are responsible to refrain from installing unauthorized locking devices on university doors. To ensure access in the event of an emergency, no campus area may be secured except by a locking device approved by the Locksmith. Keys to filing cabinets, desks, cabinets, lockers etc. will remain the responsibility of the person in charge of the area. Space allocation authorities are responsible to provide up to date lists annually to the Director, Risk Management of rooms and spaces allocated to each department/unit on campus. They are also to advise the Director, Risk Management of any changes to those lists as they occur. Contact Officer Director, Risk Management Date for Next Review 2015 May 01 Related Policies, Procedures and Guidelines Policies Superseded by This Policy Campus Card Policy N/A 3

4 APPENDIX B PROCEDURE ACCESS CONTROL Contact Officer Director, Risk Management Purpose To detail the procedures for obtaining, safeguarding and disposing of keys and key cards, and effecting repairs or changes to access control hardware. Procedure Designated or delegated authority A Trent University Key Request Form (Appendix 3) must be completed and signed by the Authority for all key/card requests. Forms can be found at The completed form must be submitted to [email protected] or by fax to as per the instructions on the form. PROCEDURE authority Keyholder When the locksmith completes an order, the Authority will be informed to make pick up arrangements. The Authority will sign out the keys to individual recipients, keeping a written record of each key issue and informing the recipient of their responsibilities under this policy. A sample Key Control Record is attached at Appendix 4. A downloadable database called Simkey, which is compatible with the locksmith s key control database, is available at Username is Trent and password is University. The Key Holder Agreement Form (Appendix 2) must be completed before keys are issue to any individuals who are not Trent University faculty, staff or students. All lost or stolen building keys/cards must be reported to Campus Security and the appropriate Authority. The Authority will complete a Key Request Form (Appendix 3) if replacement keys are required and a will [email protected] to initiate lock cylinder changes or other lock related work as required. The Authority may consult the Access Control Supervisor or the Director, Risk Management to reach a mutual decision on lock changes based on the risk involved. Lost or stolen cards will be immediately deprogrammed. Costs associated with the missing key/card are born by the issuing department who may in turn assess these costs against the individual who lost the key/card. It is recommended that departments create internal policies to clearly outline who is responsible for the cost of replacing lost keys/cards, any contingent changes to locks and/or any damages or losses to Trent property resulting from the loss of the key/card. 3 Authorities Authorities will ensure that individuals return their keys/cards when they are no longer affiliated with the department, or when they are no longer authorized to access a particular room or building. Returned keys may 4

5 be retained by the Authority for reissue to the replacement staff member, unless they have an employee number stamped on them. In such cases, the key is to be returned to the Locksmith for re-stamping. As well, Authorities will promptly return all keys/cards to the locksmith that are no longer required by that department. Examples include reductions in staff or a reallocation of space. Authority Only the locksmith or a contractor authorized by the Access Control Supervisor are authorized to re-key, repair and relocate university lock cylinders or arrange the installation of new locking systems. All repairs or additions to any locking device, key or door hardware will be controlled by the Risk Management Department and documented with a work request to [email protected]. Authorities Contractors requiring access to specific areas on campus may be issued keys by Campus Security, Physical Resources or Information Technology. The Authority for a department sponsoring contractor work may request single keys or contractor rings made up of a number of keys using the key request form (Appendix 3). The requester will indicate that these keys are for contractor use. Master keys will not normally be issued to contractors unless approved by the appropriate Vice President, the Director, Risk Management and Director of Physical Resources or Information Technology. When the locksmith produces the keys, the key ring is to be locked to reduce the chances of loss and print do not duplicate on each key. The entire key set, with each key itemized, will be issued to and signed for by the requesting department authority. The department is then responsible to secure these sets and issue them to contractors in accordance with the following procedures: a. the contracting authority provides the name of the company and/or tradesperson contracted to do the work as well as the areas to which they are to have access and the duration of that access. b. the contractor/tradesperson provides photo ID to verify that they are employees of the contracted firm. c. the contractor signs a key holder agreement form (Appendix 2) and signs for each key/key ring. d. the issuing authority advises the contractor of when and where to return the keys and ensures that the keys are returned as required. If the contractor arrives when the Parking Office is closed, they will contact the on duty Security Officer by phone to arrange return or issue of keys. 8.2 If a sponsoring department requires Campus Security to issue keys or access contractors on their behalf, they will provide the information in para 8.1.a to Campus Security, along with the appropriate keys (where applicable). Authority 8.3 Shift Keys are useful for employees who require access to university spaces in excess of their normal workplace, such as security officers, custodians, residence staff, PRD staff, IT staff and anyone who needs a master key or building master to perform their duties. These keys are not to be removed from Trent property because the impact of 5

6 them being lost or stolen is significant. The risk of criminal acts, including crimes against persons, and the cost of re-keying an entire building or buildings are high. These keys are not issued to a specific individual, rather they are placed on a locked key chain, secured within the department and signed out for a shift and returned at the end of that shift. Key holders may be permanently issued a single building and/or office key to access the shift keys. Shift keys may be issued by an individual or though an automated key watcher system. 8.4 Master Keys are to be treated with the greatest care and not to be issued to individuals unless approved by the appropriate Vice President, AVP or Dean and the Director, Risk Management. Individuals in permanent possession of Master keys must provide a Canadian Police Information Certificate (police records check) to the Director, Risk Management before the keys are issued. Master keys will normally be treated as shift keys and remain on site in a secure key lockup when the regular user is not at work. Grand Master keys will not be issued to anyone other than the locksmith and Campus Security. All master keys will be stamped do not duplicate. Date Approved Approval Authority Date of Commencement Month Day Year PVPs, VP, Dean, Director, etc. Year Month Day Amendment Dates List the dates the policy has been amended (Year Month Day ) Date for Next Review Related Policies, Procedures and Guidelines Year Month Day Name and link to related policies, procedures and guidelines 6

7 APPENDIX C GUIDELINE TEMPLATE NAME OF GUIDELINE Contact Officer Provide the position title rather than the name of a person Purpose A statement about the purpose of the guideline. Guideline Actual guideline. Related Policies / Procedures Name and link to related policies, procedures and guidelines. Links Links to relevant documentation, forms, explanatory notes. Date Approved Approval Authority Year Month Day Board, Senate, PVPs, VP, Dean, Director, etc. 7