Keys and Campus Access Control Policy

• Bylaws
• Policy Document
• Procedures
• Guidelines
• Form

I. REASON FOR POLICY

The reason for this policy is to describe specific responsibilities, conditions and practices designed to address critical physical access needs in a manner which minimizes risks and maximizes the protection of physical assets within the jurisdiction and/or ownership of the State UNIVERSITY of New York at Fredonia (“UNIVERSITY”). The policy seeks to enhance the safety of the UNIVERSITY community members, the physical security of the UNIVERSITY and personal property, and the ability of UNIVERSITY Police Department and other appropriate law enforcement agencies to investigate and prosecute security incidents.

II. POLICY STATEMENT

The safety and physical security of the UNIVERSITY’s physical space and assets is a shared responsibility and privilege of all members of the UNIVERSITY community. It is the policy of the UNIVERSITY that access to the UNIVERSITY’s facilities is controlled in order to prevent and/or limit potential loss. To meet this obligation, the provisions set forth below address the design, administration and management of the campus key and access control systems. The policy applies to all facilities on the UNIVERSITY’s main campus, as well as those other UNIVERSITY-operated facilities located within the jurisdiction of the UNIVERSITY Police Department. Access to the UNIVERSITY’s facilities is considered a privilege, and is determined and assigned based on the specific needs and requirements of the UNIVERSITY and the user. Other than during normal working hours, all buildings should be locked to maintain the safety of students, employees the buildings and their content. Keys and FREDCard access control are issued for entry to UNIVERSITY buildings for the purpose of conducting official UNIVERSITY business. The primary access control to building is provided by manual key and the access control system utilizing various keyways and access control clearance codes to prevent unauthorized access or key duplication. All keys issued remain the property of the UNIVERSITY. Keys to vehicles, cabinets, lockers, and desks are not covered by this policy. Facilities Services will attempt to furnish such keys upon request but, the issuance and control of these keys are the responsibility of the individual UNIVERSITY departments. The use of keys and the access control system under this policy will be conducted in a manner consistent with all existing UNIVERSITY policies, including the NonDiscrimination Statement, the Sexual Harassment Policy, and the Domestic Violence in the Workplace Policy. All Campus Access Control System us related to administrative investigations must be in writing to the Executive Director of the Faculty Student Association or designee if such investigations involve Faculty Student Association (FSA) employees. All compliance reports related to administrative investigations must be made in writing to the Vice President of Student Affairs or designee if such investigations involve students. All compliance reports related to administrative investigations must be made in writing to the Director of Facilities Services or designee if such investigations involve contractors or vendors engaging in official UNIVERSITY business. The UNIVERSITY President or any President’s Cabinet member can request in writing a compliance report for administrative investigating involving their division. Building Access Coordinators shall have access to compliance reports for their designated area of responsibility for the purpose of access control audits and administrative purposes. Any person who tampers with or destroys keys or any part of the access control system may be prosecuted in the criminal justice system, as well as the campus judicial system or face discipline in accordance with the terms and conditions of the collective bargaining agreement (if any) that governs their employment with the UNIVERSITY.

III. DEFINITIONS OF TERMS

Keys shall mean a device that is used to operate a lock (such as to lock or unlock it). FREDCard shall mean the official identification card issued by the UNIVERSITY to students, employees and affiliates. The FREDCard is produced by the Faculty Student Association (FSA) and is a multitechnology credential utilized for various services and systems throughout the UNIVERSITY. Different colors are utilized on the FREDCard to designate affiliations (e.g. Students, Faculty and Staff = Blue, Visitors = Green, Contractors = Orange, Summer Conferences = Tan etc.) Access shall mean the ability to gain entry into an area, space, and/or facility by means of access device. Access Device(s) shall mean all devices and items provided to an authorized user for purposes of providing access. Such access devices may consist of traditional metal key(s), FREDCards, proximity devices and temporary ID cards, or any electronic means of access. Affiliate(s) shall mean non-employee members of the UNIVERSITY that include but are not limited to: auxiliaries, vendors, contractors, guests, volunteers, observers, trustees, dependents of employees, retirees, emeriti faculty/staff, alumni, conference members, and summer conference members. Access Control shall mean the selective restriction of access to a physical space or other resource. ProWatch Campus Access Control System shall mean the electronic access system that is part of the UNIVERSITY’s integrated physical security system which allows authorized users to use a FREDCard as the means of gaining physical access to designated exterior and interior spaces. This system replaces traditional keys with an electronic FREDCard reader that is networked into the current Information Technology infrastructure to allow for remote communication. The electronic access readers use iClass contactless Corporate 1000 card technology for secure access control. The system is currently utilized for facilitating requests for FREDCard access for individuals to interior and exterior doors within residential and academic buildings, facilitating automated lock and unlock schedules for interior and exterior doors, access control compliance reporting, remote security management for badging, alarm and event monitoring. The systems consists of servers, client workstations, networked communication panels, iclass card readers, sounders, REX motions sensors, contacts, electronic door strikes and panic devices. User(s) shall mean any student, employee, or affiliate that is issued by the UNIVERSITY a valid FREDCard or key for physical access control purposes. Building Access Coordinator(s) shall mean those UNIVERSITY employees or affiliates who are designated as the primary point of contact by department or organization as being responsible for requesting FREDCard access control provisioning and deprovisioning, clearance codes assignment, door schedules and access control functionality for assigned doors within their building(s). All interior and exterior doors within their scope of responsibility have designated physical numbers and access control levels which are to be utilized for submitting requests. All BAC members will be approved annually by the appropriate President’s Cabinet member. Compliance Report(s) shall mean the reports produced by the ProWatch Campus Access Control System which could include FREDCard user physical access control logs to physical space(s)and clearance code(s), logical device configuration(s) and other audit logs for the purpose of maintaining regulatory compliance, criminal investigations, internal investigations and system audits. Access Control Clearance Code(s) shall mean the logical group of card readers for interior or exterior doors that have timezones assigned for designated specific access levels for users. All Access Control Clearance Codes will need the proper written approval by the designated Building Access Coordinator. Default Access Control Clearance Code(s) shall mean a set of access control clearance codes that are approved by the Chief of the UNIVERSITY Police Department or Director of Facilities Services or Director of Residence Life and used to facilitate normal UNIVERSITY business operations (e.g. maintenance).

Access Control Level(s):

1. Level 1 Access Control shall mean the (public) physical security level assigned to exterior and interior doors generally accessed by the public. Building Access Coordinators can approve access.
2. Level 2 Access Control shall mean the (restricted) physical security level assigned to residential living spaces or spaces with equipment owned by the UNIVERSITY generally accessed by the campus community. Building Access Coordinators and Departmental Directors/Chairperson/Head/Dean shall approve access.
3. Level 3 Access Control shall mean the (confidential) physical security level assigned to exterior and interior doors to highly-sensitive areas such as evidence room, cash control, data center, disaster recovery sites and file rooms. President’s Cabinet members or designees shall approve access.

Door Schedule(s) shall mean the time schedule assigned to door(s) to remotely and automatically lock (Card-Only Mode) and unlock for the purpose of facilitating business operations for UNIVERSITY departments and affiliates. Building Access Coordinators manage weekly door schedules for their designated set of building doors. Temporary I.D. card shall mean the official identification card utilized for physical access control purposes issued to UNIVERSITY affiliates. Physical Door(s) shall mean the point of entry or exit to physical space controlled by manual keys or the campus access control system. All physical doors on the campus access control system will have official numbers assigned to them to distinguish them for key and access control request purposes and access control level assignment.

IV. ADMINISTRATION AND SUPPORT RESPONSIBILITIES

Information Technology Services staff, as designated by the Associate Vice President of Information Technology/ Chief Information Officer, are responsible for the administration, planning, project management, clearance code provisioning and deprovisioning, database integration, designing, programming, auditing and support of the ProWatch Access Control System and Services. The AVP of IT/CIO or designee, or his/her designee, may authorize access to any campus facility for emergency reasons on an as-needed basis. Such emergency access shall be communicated promptly in writing to the appropriate Building Coordinator and Chief of UNIVERSITY Police during normal business hours. Facilities Services staff as designated by the Director of Facilities Services, are responsible for the repair and maintenance of all end devices including, but not limited to, card readers, door hardware, sounders, REX motion devices, strikes, power supplies, and wiring. They are also responsible for the provisioning and deprovisioning temporary contractor cards. The Director of Facilities Services, or his/her designee, may authorize access to any campus facility for reasons of emergency maintenance or repair on an asneeded basis. Such emergency access shall be communicated promptly in writing to the appropriate Building Coordinator during normal business hours. Faculty Student Association staff as designated by the Executive Director, are responsible for administration of all access control clearance code provisioning and deprovisioning, field device configuration/functionality and door schedules for their organization’s operations and the issuing of Fredonia I.D. cards (FREDCards) to the campus community. Building Access Coordinators are designated by the completion of the Building Access Coordinator (BAC) Authorization Form as the primary point of contact for departments throughout the UNIVERSITY and are responsible for the following for their designated doors: requesting FREDCard access control provisioning and deprovisioning clearance codes, approving clearance codes, door schedules and access control functionality for assigned doors within their building(s). All interior and exterior doors within their scope of responsibility has designated physical numbers which are to be utilized for submitting requests. Approve building or area access privileges under the terms of the policy. Coordinate and/or schedule building or area lock and unlocking, holiday schedules and other events. Provide reports as requested of all individuals having access to the building for which they are responsible. Provide a building occupancy schedule, i.e., the daily locking and unlocking times, to ITS each time an occupancy schedule is modified. Approve access privilege requests for the secured area to which they are assigned under the terms of the policy. Coordinate and/or schedule area lock and unlocking, holiday schedules and other events with the Building Coordinator at least 24 hours in advance of required change. UNIVERSITY Police Department staff as designated by the Chief of UNIVERSITY Police, are responsible for the remote monitoring of alarms as appropriate, remote control of end devices (e.g. door strikes, card readers etc.), compliance reporting for criminal investigations, remote management of devices for after-hours operations and the approval for access control levels assigned to interior and exterior doors. The UPD staff are also responsible for the following: participate on all committees related to access control and security; provide alarm response as appropriate; participate in system design as related to the campus integrated physical security systems; monitor access alarm activation for Level 3 locations and dispatch appropriate personnel to resolve violations. Coordinate, in the event that a location cannot be secured, respond with ITS and other personnel until the location is secured. Any UPD employee, may authorize access to any campus facility in any situation affecting safety of persons or property. Such emergency access shall be promptly communicated to the appropriate Building Access Coordinator during normal business hours. The Chief of UNIVERSITY Police or designee, or his/her designee, may authorize access to any campus facility for emergency reasons on an as-needed basis. Such emergency access shall be communicated promptly in writing to the appropriate Building Coordinator during normal business hours.

V. PROVISIONING AND DEPROVISIONING KEYS AND CAMPUS ACCESS CONTROL - EMPLOYEES

All requests for keys must be approved by the departmental Chairperson or Head or Dean for all UNIVERSITY employees. Chairpersons or Heads or Deans must determine and authorize what building/room access is required per UNIVERSITY employee. Keys will not be issued to a third party. No initial deposit is required. However, if assigned key(s) are lost, a fee will be assessed for replacement of each lost key, consistent with campus policy. Individuals leaving the UNIVERSITY due to retirement, resignation or change of job need to return all UNIVERSITY owned keys assigned to them prior to leaving Fredonia. Audit regulations require that keys be turned in to the Customer Service Center located at the Services Complex. It is the responsibility of each employee to return their assigned keys and keys are not to be shared. Building Access Coordinators utilize the designated online request form to provision and deprovision FREDCard access control for their approved areas for employees (e.g. change of job, retirement or resignation.). The Human Resources department deprovisions campus access control clearance codes for employees through separation notices sent to the Information Technology Services department. Department Heads/Chairpersons/Deans may request campus access control services for employees under their supervision through the appropriate Building Access Coordinator or divisional Vice President secretary.

VI. PROVISIONING AND DEPROVISIONING KEYS AND CAMPUS ACCESS CONTROL - STUDENTS

The Chairperson or Head or Dean must approve the student key authorization form to the Office of Facilities Services requesting a key or keys, to be issued to the student. Residence Hall key procedures shall follow the policy and procedure set by the Office of Residence Life. In the case of a lost key to a residence hall or apartment, the lock may be changed. In accordance with UNIVERSITY policy, a fee is charged to individual students for a replacement key. After a key has been ordered from the lock shop, refunds are not permitted. Each student is allowed only one key per room. Duplicates should be surrendered to the Office of Residence Life immediately. UNIVERSITY owned keys issued for academic and administrative areas (i.e. studios, practice rooms, labs, etc) shall be turned in to the Office of Facilities Services Customer Service Center located at the Services Complex. UNIVERSITY owned keys issued for the Faculty Student Association controlled spaces shall be turned into the Executive Director of FSA or designee. Residence hall room keys should be turned in as per the procedures established by the Office of Residence Life. Building Access Coordinators utilize the online Access Control Request Form to submit access control requests to deprovision and provision access control for their assigned areas of responsibility. Students living within the residence halls are automatically provisioned and deprovisioned access control to their respective residence halls based on their housing assignment per semester. Students registered for certain courses are automatically provisioned and deprovisioned access control to certain academic spaces based on their course registration per semester. Faculty Student Association keys should be turned in as per the procedures established by the Faculty Student Association.

VII. PROVISIONING AND DEPROVISIONING KEYS AND CAMPUS ACCESS CONTROL - AFFILIATES

Formal request is required, see Responsibility Section for details. The Project Manager must verify and approve each request for keys. The person authorized to carry the key must personally pick up and sign for the key at the Customer Service Center. Keys will not be issued to a third party. Appropriate picture identification is required at time the key is issued. Keys or temporary I.D. cards are never to be shared unless authorized approval has been obtained in writing. Keys or temporary I.D. cards are to be returned to Facilities Services for each project. Building Access Coordinators utilize the online Campus Access Control Request Form to submit access requests to provision and deprovision access control to designated areas. The Faculty Student Association provisions and deprovisions key and FREDCards for affiliates in accordance with this policy (e.g. summer conferences).

VIII. RESPONSIBILITIES FOR KEYS AND FREDCARDS - EMPLOYEES AND STUDENTS

An employee’s FREDCard acts like a key to gain access to certain university buildings. As with physical keys, said card must be used properly and in full compliance with this Policy. Faculty and Staff shall be given keys and FREDCard access control to spaces assigned to them. All keys will be issued at the Lock Shop to the individual who is requesting such keys. Individuals transferring to different locations must return the old keys to the Lock Shop and pick up new keys after obtaining the necessary approvals. Faculty, Staff and Students who enter locked buildings are responsible for securing all doors they use. Directors and Department Heads will instruct each member of their staffs who requires electronic access to obtain and maintain a valid FREDCard. Access privileges will be in effect concurrent with Fredonia I.D. status, and will follow all changes to Fredonia I.D. Students, staff, faculty, and others are responsible for maintaining their FREDCard in an active status and to notify the appropriate office if the card is lost, stolen or replaced The propping open of secured doors, or otherwise interfering with the locking mechanism or door parts in order to render the door insecure, or any attempt to incapacitate security device or alarm component, is not permitted. Willful or intentional violation of a door equipped with an alarm device, including those equipped with delayed exit alarms may, consistent with the terms and conditions of the various collective bargaining Agreements (if applicable), subject the employee to discipline. Any department that schedules contractors, vendors, or others to enter the building during “closed” hours must ensure appropriate communication of access policies and adherence to procedures. Duplication of keys or FREDCards is not permitted. The Lock Shop staff are the only personnel allowed to install or change locks and/or cut and issue keys. Keys or FREDCards should never be left unattended. Keys or FREDCards should never be shared or loaned to others. Altering keys, locks, FREDCards or related mechanisms is prohibited. The holder of a key or FREDCard to any Fredonia facility assumes the responsibility for the safekeeping of the key and its use. Protect keys or FREDCards against loss, theft, or unauthorized use. Report lost or stolen keys immediately to the Facilities Services Customer Service Center located at the Services Complex. Failure by an employee to abide by the terms and conditions of this policy may, consistent with the terms and conditions of the various collective bargaining Agreements (if applicable), subject the employee to discipline. Failure by a student to abide by the terms and conditions of this policy may, consistent with the Student Code of Conduct, subject the student to discipline. The installation of new campus access control equipment on UNIVERSITY doors will communicated to the appropriate Building Access Coordinator, Facilities Services and UNIVERSITY Police. These doors will be automatically added to the approved default clearance code list for the campus (Access Levels 1 & 2 only).

IX. RESPONSIBILITIES FOR KEYS AND FREDCARDS - AFFILIATES

Before keys or temporary I.D. cards are issued, the Customer Service Center requires a current signed (by an officer of the company) document on company letterhead with the employee’s name and position. It must state they are authorized to check out keys on behalf of that company and that company is assuming full financial responsibility for all re-keying that may be required to restore security due to keys not returned or locks not in proper working order. The Project Manager will be responsible for issuance and return of keys and temporary I.D. cards. The holder of a key or temporary I.D. card with access to any UNIVERSITY facility assumes responsibility for the safekeeping of the key. All lost or stolen keys or FREDCards must be reported immediately. Written confirmation from Customer Service is required before final payment is made by Project Manager. Short-term daily check-out of keys requires the contractor/vendor to follow this Policy. A copy of their driver’s license will be retained until all keys are returned. Failure by a Contractor, Consultant or Vendor to abide by the terms and conditions of this policy may lead to a revocation of their ability to work at Fredonia. Vendors who visit the campus regularly will be issued ID cards by the FSA Office. The cards and any keys approved for the vendor will be signed out and returned to the Facilities Services Office. Contractors, consultants and service providers will be issued temporary ID cards by the FSA Office. Such temporary cards are to be returned to Facilities Services at the end of each project and they are required to notify the Facilities Services department if the card is lost, stolen or damaged.

X. LOST, STOLEN, UNRETURNED AND DEFECTIVE KEYS AND FREDCARDS

Lost keys or FREDCards must be reported immediately upon discovery to the Customer Service Center (x-3452) at Facilities Services and Faculty Student Association. A Key Request form must be submitted to the Customer Service Center for the lock change and replacement keys. Stolen keys or FREDCards must be reported immediately upon discovery to the Customer Service Center (x-3452) at Facilities Services and Faculty Student Association. Customer Service will contact the UNIVERSITY Police. A detailed police report must be filed by the department detailing the circumstances of the theft. A Key Request form must be submitted to the Customer Service department for the lock change and replacement keys. If a key is broken or otherwise damaged, the pieces must be returned to the Customer Service Center. If a key is broken off in a lock or is malfunctioning, immediately notify Customer Service Center. A new key will be issued after damage verification. There is no charge for the replacement. Lost FREDCards should be reported to Information Technology Services and Faculty Student Association. New and replacement FREDCards are issued by the Faculty Student Association. Unreturned keys and FREDCards shall be considered stolen and the user is responsible for replacement cost associated with rekeying impacted areas. Key assignments campus-wide will be audited periodically by Facilities Services. Campus access control clearance code assignments campus-wide will be audited periodically by Buildings Access Coordinators and Information Technology Services.

XI. COMPLIANCE

It is the responsibility of all members of the UNIVERSITY community to observe this policy. Anyone found to be in non-compliance will be subject to sanctions or discipline as determined by the laws of New York, and/or campus administrative procedures or in accordance with the terms and conditions of the collective bargaining agreement (if any) that governs their employment or affiliation with the UNIVERSITY.

XII. RELATED DOCUMENTS, FORMS AND TOOLS, IF ANY

Related procedures can be found at www. fredonia.edu/facilitiesservices and www.fredonia.edu/resnet.

XIII. RESPONSIBILITY FOR ENFORCEMENT

Responsibility for enforcement of this policy is the Vice President of Academic Affairs and Provost and the Vice President of Finance and Administration.

XIV. AUTHORITY FOR POLICY

Authority for policies is the President’s Cabinet.