Systems and Procedures
A Division of The Office of Budget and Finance
A Division of The Office of Budget and Finance
Policy AD68 University Access, has been established "to protect the safety, security, privacy and property of the University, and of individuals assigned to use University facilities, by controlling access to such facilities." As used in this procedure, the term "University access" refers to the process involving the issuance and control of clearances, keys and other access devices which allow access to/within a facility owned, leased, and/or under the control of The Pennsylvania State University ("University" "penn State" PSU").
NOTE: Keys other than those defined herein (such as equipment locks, desk, computer or cabinet keys, etc.) are not covered under this procedure. These devices fall under locally established guidelines.
This procedure applies to all facilities owned, leased by, and/or under the control of The Pennsylvania State University, excluding Hershey Medical Center, the College of Medicine, and the Pennsylvania College of Technology. Protocol for residence and food service facilities access, including student rooms and apartments in University residence facilities, will be governed by the "Housing and Food Services Policies and Procedures for Key/Card Access," and as stated in the Terms, Conditions and Regulations of the Housing and Food Service Contract or Lease.
Enforcement of Policy AD68 University Access and this procedure is the responsibility of the University Police and Public Safety. This procedure will be implemented through an Access Coordinator in each college, department or area (at University Park), and at each campus.
Any exceptions or variances from this procedure must be approved by Deputy Director of Operations - University Police and the Director of Physical Security, in conjunction with the appropriate Budget Executive.
This procedure provides guidance on the responsibilities and the controls necessary to administer all aspects of University access control in accordance with Policy AD68 University Access.
The following definitions are pertinent to University access, as discussed in this procedure and its related policies and forms:
An Access Coordinator must be a full-time staff member. To effectively perform their duties, it is essential that they become knowledgeable of pertinent University policies and procedures, as well as the programs and personnel at their campus, college, department or area, particularly as these details pertain to "access" to their area of jurisdiction. The goal is to ensure that keys, access devices and/or clearances are issued to individuals only for the areas to which these individuals are authorized to enter.
Area managers/supervisors and employees will be responsible for working with the Access Coordinator to request access and changes to access, when needed. It is the responsibility of the Access Coordinator to maintain systematic and effective control of all keys, access devices and/or clearances for the rooms and/or buildings under their jurisdiction.
NOTE: While job profile descriptions may vary throughout the University, the "role" of an Access Coordinator shall be applicable to those positions whose responsibilities include duties described in Policy AD68 University Access and this procedure. As such, those individuals are bound to perform their duties within the parameters of Policy AD68 University Access and this procedure. These duties may include (but are not limited to) record-keeping, coordination, and oversight duties.
Each Budget Executive or Budget Administrator shall appoint an Access Coordinator for the campus, college, department or area, as appropriate, via the completion of an Access Coordinator Authorization Form. Once properly completed and forwarded to the University Access Controller, the Access Coordinator may commence with their duties, as specified below.
Keys already on hand must be recorded for proper accountability and control (see "Recording Inventory," below). New keys, when needed, will be obtained using the Key Management System (KMS, at University Park) or through the appropriate University Approved Locksmith (at campus locations), then recorded.
Access Coordinators may request to maintain a supply of access credential devices ("ACD's," such as key cards, fobs or tags) for issue upon proper authorization. Such requests are to be made through the University Access Controller.
Any Access Coordinator that maintains a supply of keys and/or ACD's for issuance shall secure and maintain them in a lockable cabinet. Inventory supplies should be kept to a minimum. Any issuance from this supply, permanent or temporary, must be documented in the perpetual key/access device inventory system being maintained.
It is the responsibility of the Access Coordinator to promptly record all key/ACD activity (inventory being held, issuance dates, return dates, names and pertinent information) into their perpetual inventory system (database, excel spreadsheet, manual system). A perpetual inventory record may be used.
NOTE: Keys and/or ACD's for leased properties are managed through the Division of Facilities Resources and Planning, Temporary issuances are handled by the Work Reception Center. These requests are not processed through the University Police / University Access Controller.
The Access Coordinator will ensure that clearances, keys, and/or ACD's are issued to individuals only for areas to which they have a justifiable need to access. This applies to ALL employee classifications (new hires or existing employees), as well as all non-employees. Requests for clearances, keys and/or ACD's must be made via the process discussed below. No clearance, key or ACD will be issued prior to this process being completed. At no time may an access request bypass the Access Coordinator (or Designee).
Access Coordinators shall utilize current building floor plans and Door Schedules so they may determine the correct level of clearance/key/ACD to issue, and to provide direction on changes to Key and Access Schedules. This information is available/obtainable via the Facilities Information System and selecting "Interactive Blockplan Map," or by contacting a Facilities Information System staff person.
Requests for access must be made via completion of a Facility Access Authorization Request form. Such requests are submitted by a "Sponsor," typically a supervisor or project manager, who is requesting access to a building and/or room on behalf of an employee or a non-employee, as applicable.
The employee or non-employee (as applicable) will be required to agree, as part of this process, to abide by the terms of Policy AD68 University Access before access will be granted. If the employee/non-employee will not agree to abide by Policy AD68, access will not be granted.
The Sponsor and Next Level Supervisor (when applicable), will affirm that they concur with the request and have advised the Requestor of policy AD68 by their signature(s) in the "AD68 Advisement Statement" area of the Facility Access Authorization Request.
All properly completed and agreed-upon requests for employees/non-employees will then be routed to the Access Coordinator for review and approval. Additional questions pertaining to the access request may be asked by the Access Coordinator, as necessary. If there are questions about the justification of the request, the Access Coordinator has the right to consult the Sponsor as well as the University Access Controller before approving or rejecting the request.
If, upon review, the request is acceptable, the Access Coordinator will sign and date the form, affirming that they have reviewed the details of the access request and they concur with the request for access. Additionally, they will determine the "type" of access needed, and check the appropriate boxes on the form.
If the request for access is rejected, the Access Coordinator will note the reason on the Facility Access Authorization Request Form and return a copy of the rejected form to the Requestor/Requesting Area. If explanation is lengthy, the Access Coordinator should record the information on the back of the form.
All processing will occur as described above, except:
For access requests that are outside the Requestor's home area, the Requestor's Home Area Access Coordinator must contact the Access Coordinator of the facility to which access is being requested for permission to access the facility. The discussion and decision to grant access (or not grant) must be substantiated through the exchange of a confirming email between the requesting department's Access Coordinator and the Access Coordinator of the facility to which access is being requested. Once granted and confirmed, the requesting department's Access Coordinator will sign and date, affirming that they have reviewed the details of the access request and access permission has been authorized. Additionally, the "type" of access granted will be substantiated by checking the appropriate boxes on the form.
If permission is not granted, the form will be retained as evidence of the decision. Copies of the confirming or denial emails (as applicable) must be retained by the both Access Coordinators involved for proper audit trail.
Approved requests which require the issuance of keys can often be filled from the Access Coordinator's on-hand supply. However, if circumstances warrant that a new key be made/issued, keys will be requested as specified in "New Key Requests."
Approved requests which require the activation of an ACD (for access to specific areas) will occur via entry of the requestor's information into the C-CURE System by the Access Coordinator.
Whether approved, non-temporary requests are filled from on-hand inventory, handled as a new key request, or require ACD activation, the Requestor must complete the process as specified below in "Final Processing for All Access Requests" before keys are issued/ACD's are activated.
The unit's Access Coordinator (or authorized designee) must login into OPP's Key Management System. The Access Coordinator will complete the request and submit for processing, as specified in "OPP Lock Shop Processing (University Park)."
The unit's Access Coordinator (or authorized designee) will process new key requests as specified in "University-Approved Locksmith Processing (For Non-University Park Locations)," below.
Once approved, and prior to receiving the appropriate access device from the requesting department's Access Coordinator, the Requestor must sign and date the "Acceptance" area of the Facility Access Authorization Request Form. In signing the form, the Requestor affirms and agrees to the following:
Once signed, the Access Coordinator will issue the access devices requested to the Requestor, along with a signed copy of the form. A signed copy of the form will also be issued to the Requestor's Supervisor. The Access Coordinator must retain the signed, original copy of the form for their records. For access requests OUTSIDE the Requestors home area, a signed copy of the form will be forwarded to the Access Coordinator of the facility being accessed.
In accordance with Policy AD68 University Access, when an individual's access requirements change, the individual will be required to notify their area Access Coordinator and make the appropriate changes, including the return of their keys/ACD's, and/or changes to their access credential clearances, as applicable. These circumstances can include, but are not limited to:
Lost keys/ACD's will be reported to the University Access Controller as specified in "Handling of Lost Keys/ACD's." Recovery costs will be charged to an individual's department for each lost or unreturned key (including keys to leased properties) and/or access credential devices issued by the University. In addition, recoring costs may also be charged as defined in this procedure. When returned, the Access Coordinator will perform a spot audit of all keys that have been assigned to that individual and update their inventory records in a timely manner. Any discrepancies will be handled per "Handling of Lost Keys/ ACD's."
If at any time it becomes necessary for the employee to be issued additional keys or ACD's, a new Facility Access Authorization Request Form must be submitted through the proper channels, as described in "Processing Access, Key and ACD Requests".
An Access Coordinator may issue a Facility Entrance Key to an individual on a temporary basis for a building not equipped with electronic card access, if they determine that an individual needs access to that building after the hours that the building would normally be open. Such issuances must be requested and processed by completing a Facility Access Authorization Request, checking the "Temporary" box and the applicable start and ending dates, along with all other appropriate information requested on the form.
It is the responsibility of the issuing Access Coordinator, on a monthly basis, to audit those keys that are held as temporary. Temporarily-assigned keys may not be issued for periods of longer than 120 days, or until a permanent device can be requested and issued, whichever is the shorter time period.
NOTE: A temporary key cannot be issued to a contractor or outside vendors for use; these groups must go through the proper Project Manager or Department as described in "Access Requests for Contractors and Outside Vendors."
All lost keys/ACD's must be reported immediately by the key/ACD holder to the Access Coordinator. The Access Coordinator will, in turn, report lost keys/ACD's to the University Police along with a confirming email to the University Access Controller. If the Access Coordinator is unavailable for any reason (e.g., nights, weekends, vacations, holidays), the key/ACD holder must notify the University Police instead. However, the key/ACD holder should follow up with their Access Coordinator when business hours resume, so that the appropriate corrective action can be taken, as specified below.
On a temporary basis, a temporary key/ACD may be issued by completing a Facility Access Authorization Request, checking the "Temporary" box and the applicable start and ending dates, along with all other appropriate information requested on the form. This issuance will be noted accordingly in inventory records maintained by the Access Coordinator.
It is the responsibility of the issuing Access Coordinator, on a monthly basis, to audit those keys that are held as temporary. Temporarily-assigned keys may not be issued for periods of longer than 120 days, or until a permanent device can be requested and issued, whichever is the shorter time period.
If a key/ACD is determined to be "unrecoverable," the Access Coordinator and key/ACD holder will follow the steps previously described in the "Processing Access, Keys and ACD Requests" section of this procedure to obtain a replacement key/ACD.
The Access Coordinator, University Access Controller and responsible budget executive will assess the vulnerability of area(s) compromised by the lost key/ACD to determine the corrective measures needed to restore appropriate access control to the affected area(s).
Recovery costs will be charged to an individual's department for each lost or unreturned key (including keys to leased properties) and/or access credential devices issued by the University.
Likewise, if it is determined through the security assessment process that new cores must be installed or access devices must be replaced/reprogrammed, such actions will be undertaken with the recovery costs being charged to the department.
If the area Budget Executive/Budget Administrator so chooses, recovery costs may be passed on to the key/ACD holder.
Leased Properties - The same regulations apply to keys/ACD's issued for leased properties, as specified above.
During the orientation process for new OPP trades persons, the individual will be issued the requested keys by the WRC at OPP, in accordance with this procedure and normal OPP standards for new hires.
Any OPP trades person that has a need to carry more than 15 keys on a ring shall be issued these keys on an approved Key Ring. These keys will be inventoried and listed as a 'ring' and a number associated with that ring on the appropriate section of their Facility Access Authorization Request. Any keys that are subsequently removed or added will be reported to their Supervisor and recorded with the WRC. The ring will be the responsibility of the trades person to whom it is assigned to. If shared, the ring will be checked in each night prior to sharing, and the receiving trades person will be responsible for the keys assigned to that ring. Any discrepancies, to include missing keys, evidence of tampering with the sealed ring, etc. must be immediately reported to the supervisor and this information passed on to the WRC.
In the event that any key(s) or key ring is transferred from one individual to another, processing will occur as discussed in "Transfer/Reissue of Keys Between Individuals".
There are situations when a key(s) or key ring must be transferred from one individual to another. Regardless of reason or department involved, whenever the status of an individual changes and the keys are to be re-issued, the area supervisor and Access Coordinator will be responsible for insuring that the proper paperwork is processed and approved in a timely manner. Keys/key rings will be handled in accordance with the following procedure:
These keys will be turned in, inventoried and accounted for, and a new Facility Access Authorization Request Form completed prior to re-issue to the new individual.
These rings will be handled as a 'batch', with a number assigned to that particular ring. All keys associated with that ring will be inventoried and accounted for. A new Facility Access Authorization Request Form will be generated and processed in accordance with this procedure, at which time the ring will then be issued to the requesting party.
In the event that any keys are missing or extra keys are discovered during this process, they will be handled in accordance with "Handling of Lost Keys / ACD's."
Per Policy AD68 University Access, "All keys subject to this policy shall be labeled with a unique identifier stamped onto the key. The University Key Management System (or equivalent key management system at Non-University Park locations) will be used to maintain a record of each key created and identified to its key holder by this unique identifier. No additional key labeling or tagging of any kind is permitted, unless authorized by the University Access Controller."
A Grand Master key may only be requested under exceptional circumstances, by written justification from the Budget Executive to the University Access Controller. Such justification will identify the person to whom the Grand Master key will be issued and the basis for need of such access. If approved by the University Access Controller, the Budget Executive and the area Access Coordinator will be notified. The Access Coordinator will then process the appropriate key request via the Key Management System, as specified in "New Key Requests."
Building Master Keys may only be requested by written justification from the Budget Executive to the University Access Controller. Such justification will identify the person to whom the Building Master key will be issued and the basis for need of such access. If approved by the University Access Controller, the Budget Executive and area Access Coordinators will be notified. The Access Coordinator will then process the appropriate key request via the Key Management System, as specified in "New Key Requests."
These keys are only kept in the possession of the Work Reception Center at OPP and the University Police, and will not be issued.
At University Park, the only areas authorized to keep an inventory of unassigned Grand Master, Building Master, or Facility Perimeter keys will be the Work Reception Center and the University Police.
At non-University Park locations, the Director of Business Services (DBS) shall act as the University Access Controller for the purpose of approving requests for these types of keys. The DBS shall also determine where and how to secure these keys.
In accordance with Policy AD68 University Access, "...key cutting or duplications shall be performed only by a University-approved locksmith," as defined in the "Definitions" section of this procedure.
After the appropriate authorizations have been obtained as discussed in "New Key Requests," Lock Shop employees will cut the approved key(s). Each key will be marked with a unique identifier, as specified in Policy AD68.
All key deliveries will be handled as described below:
NOTE: A second delivery attempt will be made. If the second attempt is not successful, the keys will be delivered to the Work Reception Center. The Access Coordinator (or Designee) must contact the Work Reception Center directly to arrange for key pick-up at the Office of Physical Plant.
NOTE: Grand Master and all other security sensitive keys will NOT be delivered. Instead, such keys must be picked-up by the Access Coordinator (or Designee) and signed for at the Work Reception Center. The Access Coordinator (or Designee) will call the WRC directly and schedule the appointment.
In accordance with Policy AD68 University Access, only a University-approved locksmith, as defined in the "Definitions" section of this procedure, may perform core changes, core moves, key cutting or duplications for a non-University Park location. For sound control of this process, the following guidelines must be observed :
In accordance with Policy AD68 University Access, "Any core changes, core moves, key cutting or duplications shall be performed only by a University-approved locksmith..."
Key-Core changes will be processed through the OPP Lock Shop in the same manner as previously described for the cutting of keys (see "OPP Lock Shop Processing"). Access Coordinators will identify, collect and record all keys forced out of service due to the requested key-core changes. These keys must then be returned to the University Access Controller for destruction.
Key core changes will be processed through the campus Office of Physical Plant or the Department that is responsible for locksmith work at that campus location. See "University-Approved Locksmith Processing (for Non-University Park Locations), above.
will be handled in accordance with the "Housing and Food Services Policies and Procedures for Key/Card Access," and as stated in the Terms, Conditions and Regulations of the Housing and Food Service Contract or Lease.
Requests for key-core changes are handled through the Division of Facilities Resources and Planning.
To insure the integrity of facility access as well as the safety and security of the University employees and students, contractors and vendors must follow the process specified below:
Quarterly, each Access Coordinator will review the status of the University keys/ACD's issued to verify that the device holders remain currently affiliated with the department which approved keys/ACD's issued. If a key/access device holder is no longer affiliated with that department, the Access Coordinator will notify the holder and applicable department official, and recover the keys/ACD's. If the keys/ACD's cannot be recovered, the appropriate avenues of collection of replacement/re-coring fee will be instituted in accordance the replacement fee mandates established in University Policy AD68 University Access and applicable sections of this procedure.
If an individual's access changes are as a result of leaving University employment, the employee should comply with applicable parameters of Policies HR55 Things to Know When Leaving University Employment, HR102 Separation and Transfer Protocol and AD68 University Access as they prepare to leave the University.
In accordance with Policy HR55 Things to Know When Leaving University Employment, "the faculty or staff member shall return all University-issued items including...keys."
Likewise, Policy HR102 Separation and Transfer Protocol "establishes University expectations for processing separations and transfers of covered individuals. The intent of the policy is to ensure that all University property is retrieved and that access to University facilities and systems is appropriately restricted at the time of the separation or transfer of a covered individual...."
Additionally, Policy AD68 University Access states that "the individual will be required to notify their area Access Coordinator and make the appropriate changes, including the return of their keys/ACD's, and/or changes to their access credential clearances, as applicable. These circumstances can include, but are not limited to:
Lost keys/ACD's will be reported to the University Access Controller. Recovery costs will be charged to an individual's department for each lost or unreturned key (including keys to leased properties) and/or access credential devices issued by the University. In addition, recoring costs may also be charged..."
For additional questions to ensure complete and appropriate compliance, the departing employee should consult their supervisor, Human Resources Representative or area Financial Officer.
Annually, Access Coordinators are required to perform a review of their inventory and generate a report stating their findings. Upon completion, this report must be forwarded to the University Access Controller and the responsible Budget Executive or Budget Administrator.
Using their inventory records/system, the Access Coordinator will generate a report of ALL keys/ACD's that are under their control. Keys/ACD's that are not physically in the Access Coordinator's lockable cabinet are considered "issued" and should have an Facility Access Authorization Request or equivalent documentation (depending on the time frame when access was granted), to substantiate their issuance.
The Access Coordinator will compare/verify this inventory record to the physical inventory on hand. They will sign and date the inventory record, affirming that an audit was performed, and that all inventory was accounted for as documented. Any discrepancies must be noted, researched, and explained in their report. Any keys/ACD's not accounted for at the time of the audit must be reported as lost, stolen or unreturned (as applicable).
Action on any discrepancies reported will be decided upon by the University Access Controller.
Changes In Access Coordinator - Any time that a new Access Coordinator is assigned, a review of the current inventory information will be performed by the outgoing Access Coordinator, the incoming Access Coordinator and an Office of Physical Security representative. This will insure that all of the information and keys are accounted for, and allow any questions to be answered at the time of the transition. All keys/ACD's assigned to the outgoing Access Coordinator shall then be reassigned to the new Access Coordinator.
University Access Controller / Physical Security Audit - a random audit of a department's key/ACD inventory records may be held at any time by the University Access Controller or an Office of Physical Security representative to insure that both inventory and the security of keys and ACD's are being properly maintained.
Annually, each Access Coordinator will review their departmental database to insure that each of the clearance authorizations under their purview is current.
If discrepancies are discovered, the Access Coordinator will remove those clearances found not to be current and, if possible, notify the individuals via email that they have been removed.
The Financial Officer is responsible for ensuring that procedures pertaining to the accountability and safeguarding of all cash receipts, cash funds, and other assets are established and followed in accordance with approved University policies and procedures. Regular audits relating to advances, cash, travel, equipment accountability, and other expenditures provide a means to protect University assets. The Financial Officer is responsible for working with Internal Audit when audits are being performed in the administrative area. Audits relating to sponsored activities or other audits performed by external auditors may also be performed. The Financial Officer would also be responsible for working with the external auditor and/or a central university office related to these procedures.
University Records must be retained and managed in accordance with Policy AD35 - University Archives and Records Management , and records schedules approved by the Records Management Advisory Committee, Office of General Counsel, and Senior Vice President and Chief of Staff. These record retention schedules are derived or based upon federal, state, and local statute or regulations, University Policy, industry standards, and business needs. All University Records must be maintained in such a manner to provide ease of access, establish a suitable audit trail for all transactions, and to be reviewed prior to disposition.
Upon completion of the retention period, University Records must be disposed of via secure destruction or transfer to University Archives. If the disposition method for University Records states "Review by Archives" on the records retention schedule, the employee responsible for those records should consult the University Archivist for a final determination of disposition. For university Records that must be securely destroyed, units may arrange for shredding services by either contacting the Blue/White Shredding Program or the Inactive Records Center.
Exceptions to the disposition process are as follows:Additional questions may be directed to the Records Management Program.
For questions, additional detail, or to request changes to this procedure, please contact the Office of Physical Safety.