Procedure SY2001 - University Access: Clearances, Keys and Access Devices; Authorization, Issuance, and Fees
University Policy & Public Safety
Policy Steward facilitating procedure: Assistant Vice President- Police & Public Safety
Table of Contents:
- ESTABLISHMENT / AUTHORIZATION OF ACCESS COORDINATOR POSITION
- DUTIES OF THE ACCESS COORDINATOR
- Establishing and Recording Departmental Key and ACD Inventories (Individual Keys/ACD's)
- Processing Access, Key and ACD Requests
- Requesting Access Using the Facility Access Authorization Request
- Issuance of Keys / Activation of ACD's
- New Key Requests
- Final Processing for All Access Requests
- Access Changes / Key Returns
- Issuing Additional Keys/ACD's
- Temporary Issuance of Facility Entrance Keys
- Handling of Lost Keys/ACD's
- Key Processing for OPP Personnel
- LABELING OF KEYS
- REQUESTS FOR GRAND MASTER/ BUILDING MASTER/ FACILITY PERIMETER KEYS
- OPP LOCK SHOP PROCESSING (UNIVERSITY PARK)
- UNIVERSITY APPROVED LOCKSMITH PROCESSING (FOR NON-UNIVERSITY PARK LOCATIONS)
- HANDLING OF KEY-CORE CHANGES
- University Park
- Commonwealth Campuses
- All Housing & Food Service (UP) Key Core Changes
- Leased Properties
- Contractor/Construction Key Cores
- ACCESS REQUESTS FOR CONTRACTORS AND OUTSIDE VENDORS
- WHEN LEAVING UNIVERSITY EMPLOYMENT
- AUDITS OF KEY/ACD INVENTORIES
- AUDITS OF CLEARANCES
- RECORD RETENTION, DISPOSITION AND DESTRUCTION
- CONTACT INFORMATION
- CROSS REFERENCES
Policy AD68 - University Access Policy , has been established "to protect the safety, security, privacy and property of the University, and of individuals assigned to use University facilities, by controlling access to such facilities." As used in this procedure, the term "University access" refers to the process involving the issuance and control of clearances, keys and other access devices which allow access to / within a facility owned, leased, and/or under the control of The Pennsylvania State University.
NOTE: Keys other than those defined herein (such as equipment locks, desk, computer or cabinet keys, etc.) are not covered under this procedure. These devices fall under locally established guidelines.
This procedure applies to all facilities owned, leased by, and/or under the control of The Pennsylvania State University, excluding Hershey Medical Center, the College of Medicine, and the Pennsylvania College of Technology. Protocol for residence and food service facilities access, including student rooms and apartments in University residence facilities, will be governed by the "Housing and Food Services Policies and Procedures for Key/Card Access," and as stated in the Terms, Conditions and Regulations of the Housing and Food Service Contract or Lease.
Enforcement of Policy AD68 and this procedure is the responsibility of the University Police and Public Safety. This procedure will be implemented through an Access Coordinator in each college, department or area (at University Park), and at each campus.
Any exceptions or variances from this procedure must be approved by Deputy Director of Operations-University Police and the Director of Physical Security, in conjunction with the appropriate Budget Executive.
This procedure provides guidance on the responsibilities and the controls necessary to administer all aspects of University access control in accordance with AD68.
The following definitions are pertinent to University access, as discussed in this procedure and its related policies and forms:
- Access Control System - An electronic security system that can be activated by an access credential. The system electronically controls locking and unlocking of doors, identifies and records cardholder information, and logs system events.
- Access Controls and Electronic Security Programs (A.C.E.S.) : a program within the Physical Security unit of the University Police and Public Safety. A.C.E.S.' mission is " to provide professional security services to The Pennsylvania State University community, consistent with the University's mission, culture, and resources in order to facilitate a safe and secure campus environment. "
- Access Coordinator - Ensures that clearances, keys, and access credential devices are issued to individuals only for the areas to which they are authorized to enter. Access Coordinators will be assigned as detailed in this procedure.
- Access Credential Device (ACD) - Identifies the holder to an access control system and enables the system to determine the rights and privileges to enter a specific area. Devices may include a card, fob or tag.
- C-CURE System - the University's primary electronic security system software that is used by Access Coordinators to grant access to individuals who request access to a particular area that the Access Coordinator oversees.
- Clearance - Refers to a person's approved rights to access a facility.
- Key - A traditional metal key or similar device that is used to unlock or lock specific mechanical door locks.
- Key Types:
- Grand Master Key - Opens multiple doors in multiple buildings.
- Facility Perimeter Key - an emergency key for obtaining entrance to facilities that are equipped with an access control system. This key is only to be used in the event of an access control system failure.
- At University Park - maintained by University Police and the OPP Work Reception Center, in a secured manner
- At non-University Park Locations - can be maintained by OPP, University Police, and/or the area Director of Business Services, in a secured manner
- Building Master Key - Opens most doors within a building.
- Building Sub-master Key - Opens multiple interior doors within an area of a building
- Facility Entrance Key - Only opens building entrance doors.
- Individual Door Key - Opens specific doors within a building.
- Control Key - device used to remove and replace a lock core. Such a device will only be held by the University Lock Shop, or University-approved locksmith.
- Specialized Use Keys - Opens locks to function specific areas in multiple locations.
- Key Management System (KMS) - A system used to process key requests, maintain a record of each key created, and associate keys to the key holder.
- Key Ring - A key-lockable, flexible style ring required for individuals carrying 10 or more keys, used to secure keys that need to be maintained on a single ring. This device deters unauthorized addition or subtraction of keys by individual key holders.
- University Access Controller(s) - Representatives from the University Police and Public Safety, responsible for overseeing, advising and enforcing the parameters of policy AD68 and this procedure.
- University Approved Locksmith:
- An employee authorized by the University to perform locksmith duties.
- Any outside vendor that has been properly retained and authorized by the University to perform the locksmith work needed.
- Work Reception Center (WRC) - A department within the Office of Physical Plant charged with maintaining University keys/ACD's for individual sign-out.
An Access Coordinator must be a full-time staff member. To effectively perform their duties, it is essential that they become knowledgeable of pertinent University policies and procedures, as well as the programs and personnel at their campus, college, department or area, particularly as these details pertain to "access" to their area of jurisdiction. The goal is to ensure that keys, access devices and/or clearances are issued to individuals only for the areas to which these individuals are authorized to enter.
Area managers/supervisors and employees will be responsible for working with the Access Coordinator to request access and changes to access, when needed. It is the responsibility of the Access Coordinator to maintain systematic and effective control of all keys, access devices and/or clearances for the rooms and/or buildings under their jurisdiction.
NOTE: While job profile descriptions may vary throughout the University, the "role" of an Access Coordinator shall be applicable to those positions whose responsibilities include duties described in Policy AD68 and this procedure. As such, those individuals are bound to perform their duties within the parameters of policy AD68 and this procedure. These duties may include (but are not limited to) recordkeeping, coordination, and oversight duties.
Each Budget Executive or Budget Administrator shall appoint an Access Coordinator for the campus, college, department or area, as appropriate, via the completion of an Access Coordinator Authorization Form. Once properly completed and forwarded to the University Access Controller, the Access Coordinator may commence with their duties, as specified below.
Keys already on hand must be recorded for proper accountability and control (see "Recording Inventory," below). New keys, when needed, will be obtained using the Key Management System (KMS, at University Park) or through the appropriate University Approved Locksmith (at campus locations), then recorded.
Access Coordinators may request to maintain a supply of access credential devices ("ACD's," such as key cards, fobs or tags) for issue upon proper authorization. Such requests are to be made through the University Access Controller.
Any Access Coordinator that maintains a supply of keys and/or ACD's for issuance shall secure and maintain them in a lockable cabinet. Inventory supplies should be kept to a minimum. Any issuance from this supply, permanent or temporary, must be documented in the perpetual key/access device inventory system being maintained.
Recording Inventory- It is the responsibility of the Access Coordinator to promptly record all key/ACD activity (inventory being held, issuance dates, return dates, names and pertinent information) into their perpetual inventory system (database, excel spreadsheet, manual system). A perpetual inventory record may be used.
NOTE: Keys and/or ACD's for leased properties are managed through the Division of Facilities Resources and Planning, Temporary issuances are handled by the Work Reception Center. These requests are not processed through the University Police / University Access Controller.
The Access Coordinator will ensure that clearances, keys, and/or ACD's are issued to individuals only for areas to which they have a justifiable need to access. This applies to ALL employee classifications (new hires or existing employees), as well as all non-employees. Requests for clearances, keys and/or ACD's must be made via the process discussed below. No clearance, key or ACD will be issued prior to this process being completed. At no time may an access request bypass the Access Coordinator (or Designee).
Access Coordinators shall utilize current building floor plans and Door Schedules so they may determine the correct level of clearance/key/ACD to issue, and to provide direction on changes to Key and Access Schedules. This information is available/obtainable via the Facilities Information System and selecting "Interactive Blockplan Map," or by contacting a Facilities Information System staff person.
Requests for access must be made via completion of a Facility Access Authorization Request form. Such requests are submitted by a "Sponsor," typically a supervisor or project manager, who is requesting access to a building and/or room on behalf of an employee or a non-employee, as applicable.
The employee or non-employee (as applicable) will be required to agree, as part of this process, to abide by the terms of policy AD68 before access will part of this process, to abide by the terms of policy AD68 before access will be granted. If the employee/non-employee will not agree to abide by policy AD68, access will not be granted.
The Sponsor and Next Level Supervisor (when applicable), will affirm that they concur with the request and have advised the Requestor of policy AD68 by their signature(s) in the "AD68 Advisement Statement" area of the Facility Access Authorization Request.
All properly completed and agreed-upon requests for employees/non-employees will then be routed to the Access Coordinator for review and approval. Additional questions pertaining to the access request may be asked by the Access Coordinator, as necessary. If there are questions about the justification of the request, the Access Coordinator has the right to consult the Sponsor as well as the University Access Controller before approving or rejecting the request.
If, upon review, the request is acceptable, the Access Coordinator will sign and date the form, affirming that they have reviewed the details of the access request and they concur with the request for access. Additionally, they will determine the "type" of access needed, and check the appropriate boxes on the form.
If the request for access is rejected , the Access Coordinator will note the reason on the Facility Access Authorization Request Form and return a copy of the rejected form to the Requestor/Requesting Area. If explanation is lengthy, the Access Coordinator should record the information on the back of the form.
All processing will occur as described above, except:
For access requests that are outside the Requestor's home area, the Requestor's Home Area Access Coordinator must contact the Access Coordinator of the facility to which access is being requested for permission to access the facility. The discussion and decision to grant access (or not grant) must be substantiated through the exchange of a confirming email between the requesting department's Access Coordinator and the Access Coordinator of the facility to which access is being requested. Once granted and confirmed, the requesting department's Access Coordinator will sign and date, affirming that they have reviewed the details of the access request and access permission has been authorized. Additionally, the "type" of access granted will be substantiated by checking the appropriate boxes on the form.
If permission is not granted, the form will be retained as evidence of the decision. Copies of the confirming or denial emails (as applicable) must be retained by the both Access Coordinators involved for proper audit trail.
Approved requests which require the issuance of keys can often be filled from the Access Coordinator's on-hand supply. However, if circumstances warrant that a new key be made/issued, keys will be requested as specified in "New Key Requests."
ACD's- Approved requests which require the activation of an ACD (for access to specific areas) will occur via entry of the requestor's information into the C-CURE System by the Access Coordinator.
Whether approved, non-temporary requests are filled from on-hand inventory, handled as a new key request, or require ACD activation, the Requestor must complete the process as specified below in "Final Processing for All Access Requests" before keys are issued/ACD's are activated.
the unit's Access Coordinator (or authorized designee) must login into OPP's Key Management System. The Access Coordinator will complete the request and submit for processing, as specified in " OPP Lock Shop Processing (University Park) ."
The unit's Access Coordinator (or authorized designee) will process new key requests as specified in " University-Approved Locksmith Processing (For Non-University Park Locations )," below.
Once approved, and prior to receiving the appropriate access device from the requesting department's Access Coordinator, the Requestor must sign and date the "Acceptance" area of the Facility Access Authorization Request Form . In signing the form, the Requestor affirms and agrees to the following:
- they have been advised of policy AD68;
- are aware of their responsibilities in receiving access; and
- by accepting key(s) and/or ACD(s) from the Access Coordinator, agree to comply in full with the terms specified on the form and all related University policies.
Once signed, the Access Coordinator will issue the access devices requested to the Requestor, along with a signed copy of the form. A signed copy of the form will also be issued to the Requestor's Supervisor. The Access Coordinator must retain the signed, original copy of the form for their records. For access requests OUTSIDE the Requestors home area, a signed copy of the form will be forwarded to the Access Coordinator of the facility being accessed.
In accordance with Policy AD68, when an individual's access requirements change, the individual will be required to notify their area Access Coordinator and make the appropriate changes, including the return of their keys/ACD's, and/or changes to their access credential clearances, as applicable. These circumstances can include, but are not limited to: (1) access changes in their current area of employment (2) leaving the University (see "When Leaving University Employment"), or (3) accepting employment in a different area of the University. Lost keys/ACD's will be reported to the University Access Controller as specified in "Handling of Lost Keys/ACD's." Recovery costs will be charged to an individual's department for each lost or unreturned key (including keys to leased properties) and/or access credential devices issued by the University. In addition, recoring costs may also be charged as defined in this procedure. When returned, the Access Coordinator will perform a spot audit of all keys that have been assigned to that individual and update their inventory records in a timely manner. Any discrepancies will be handled per "Handling of Lost Keys/ ACD's."
If at any time it becomes necessary for the employee to be issued additional keys or ACD's, a new Facility Access Authorization Request Form must be submitted through the proper channels, as described in "Processing Access, Key and ACD Requests".
An Access Coordinator may issue a Facility Entrance Key to an individual on a temporary basis for a building not equipped with electronic card access, if they determine that an individual needs access to that building after the hours that the building would normally be open. Such issuances must be requested and processed by completing a Facility Access Authorization Request , checking the "Temporary" box and the applicable start and ending dates, along with all other appropriate information requested on the form.
It is the responsibility of the issuing Access Coordinator, on a monthly basis, to audit those keys that are held as temporary. Temporarily-assigned keys may not be issued for periods of longer than 120 days, or until a permanent device can be requested and issued, whichever is the shorter time period.
NOTE: A temporary key cannot be issued to a contractor or outside vendors for use; these groups must go through the proper Project Manager or Department as described in "Access Requests for Contractors and Outside Vendors."
All lost keys/ACD's must be reported immediately by the key/ACD holder to the Access Coordinator. The Access Coordinator will, in turn, report lost keys/ACD's to the University Police along with a confirming email to the University Access Controller. If the Access Coordinator is unavailable for any reason (e.g., nights, weekends, vacations, holidays), the key/ACD holder must notify the University Police instead. However, the key/ACD holder should follow up with their Access Coordinator when business hours resume, so that the appropriate corrective action can be taken, as specified below.
On a temporary basis, a temporary key/ACD may be issued by completing a Facility Access Authorization Request , checking the "Temporary" box and the applicable start and ending dates, along with all other appropriate information requested on the form. This issuance will be noted accordingly in inventory records maintained by the Access Coordinator.
It is the responsibility of the issuing Access Coordinator, on a monthly basis, to audit those keys that are held as temporary. Temporarily-assigned keys may not be issued for periods of longer than 120 days, or until a permanent device c an be requested and issued, whichever is the shorter time period.
If a key/ACD is determined to be "unrecoverable," the Access Coordinator and key/ACD holder will follow the steps previously described in the "Processing Access, Keys and ACD Requests" section of this procedure to obtain a replacement key/ACD.
The Access Coordinator, University Access Controller and responsible budget executive will assess the vulnerability of area(s) compromised by the lost key/ACD to determine the corrective measures needed to restore appropriate access control to the affected area(s).
Recovery costs will be charged to an individual's department for each lost or unreturned key (including keys to leased properties) and/or access credential devices issued by the University.
Likewise, If it is determined through the security assessment process that new cores must be installed or access devices must be replaced/reprogrammed, such actions will be undertaken with the recovery costs being charged to the department.
If the area Budget Executive/Budget Administrator so chooses, recovery costs may be passed on to the key/ACD holder.
Leased Properties - The same regulations apply to keys/ACD's issued for leased properties, as specified above.
During the orientation process for new OPP trades persons, the individual will be issued the requested keys by the WRC at OPP, in accordance with this procedure and normal OPP standards for new hires.
Any OPP trades person that has a need to carry more than 15 keys on a ring shall be issued these keys on an approved Key Ring. These keys will be inventoried and listed as a 'ring' and a number associated with that ring on the appropriate section of their Facility Access Authorization Request . Any keys that are subsequently removed or added will be reported to their Supervisor and recorded with the WRC. The ring will be the responsibility of the trades person to whom it is assigned to. If shared, the ring will be checked in each night prior to sharing, and the receiving trades person will be responsible for the keys assigned to that ring. Any discrepancies, to include missing keys, evidence of tampering with the sealed ring, etc. must be immediately reported to the supervisor and this information passed on to the WRC.
In the event that any key(s) or key ring is transferred from one individual to another, processing will occur as discussed in "Transfer/Reissue of Keys Between Individuals".
There are situations when a key(s) or key ring must be transferred from one individual to another. Regardless of reason or department involved , whenever the status of an individual changes and the keys are to be re-issued, the area supervisor and Access Coordinator will be responsible for insuring that the proper paperwork is processed and approved in a timely manner. Keys/key rings will be handled in accordance with the following procedure:
- Individual Key/Keys (up to 15 keys): These keys will be turned in, inventoried and accounted for, and a new Facility Access Authorization Request Form completed prior to re-issue to the new individual.
- Key Rings (any number of keys greater than 15): These rings will be handled as a 'batch', with a number assigned to that particular ring. All keys associated with that ring will be inventoried and accounted for. A new Facility Access Authorization Request Form will be generated and processed in accordance with this procedure, at which time the ring will then be issued to the requesting party.
In the event that any keys are missing or extra keys are discovered during this process, they will be handled in accordance with "Handling of Lost Keys / ACD's."
Per Policy AD68 , " All keys subject to this policy shall be labeled with a unique identifier stamped onto the key. The University Key Management System (or equivalent key management system at non-University Park locations) will be used to maintain a record of each key created and identified to its key holder by this unique identifier. No additional key labeling or tagging of any kind is permitted, unless authorized by the University Access Controller. "
A Grand Master key may only be requested under exceptional circumstances, by written justification from the Budget Executive to the University Access Controller. Such justification will identify the person to whom the Grand Master key will be issued and the basis for need of such access. If approved by the University Access Controller, the Budget Executive and the area Access Coordinator will be notified. The Access Coordinator will then process the appropriate key request via the Key Management System, as specified in "New Key Requests."
Building Master Keys may only be requested by written justification from the Budget Executive to the University Access Controller. Such justification will identify the person to whom the Building Master key will be issued and the basis for need of such access. If approved by the University Access Controller, the Budget Executive and area Access Coordinators will be notified. The Access Coordinator will then process the appropriate key request via the Key Management System, as specified in "New Key Requests."
These keys are only kept in the possession of the Work Reception Center at OPP and the University Police, and will not be issued.
At University Park, the only areas authorized to keep an inventory of unassigned Grand Master, Building Master, or Facility Perimeter keys will be the Work Reception Center and the University Police.
At non-University Park locations, the Director of Business Services (DBS) shall act as the University Access Controller for the purpose of approving requests for these types of keys. The DBS shall also determine where and how to secure these keys.
In accordance with Policy AD68, "...key cutting or duplications shall be performed only by a University-approved locksmith," as defined in the "Definitions" section of this procedure.
After the appropriate authorizations have been obtained as discussed in "New Key Requests," Lock Shop employees will cut the approved key(s). Each key will be marked with a unique identifier, as specified in policy AD68.
All key deliveries will be handled as described below:
For all OPP staff and trade persons - all new keys, whether temporary or permanent issue, will be delivered to the Work Reception Center (WRC) to be distributed per WRC procedures.
For All Other Requests - The below procedures are used in conjunction with the proper paperwork and approvals for key issues:
- Key(s) will be cut by the OPP Lock Shop.
- Key(s) placed in envelope - Access Coordinator's name is placed on the envelope.
- A copy of the Workorder is attached to the key envelope and placed in secure storage container in the OPP Mail Room.
- The Courier service picks up keys from OPP Mail Room and delivers to the applicable Access Coordinator (or Designee).
- The Workorder will be signed/dated by the Access Coordinator (or Designee), certifying that the key(s) have been received.
- If Access Coordinator (or Designee) is not available - If the Access Coordinator (or Designee) is unavailable to accept delivery, the Courier will leave an Attempted Delivery Notice (See Exhibit "A" ) containing instructions to call Delivery Services to reschedule delivery. Undeliverable keys are returned to the OPP Mail Room secure container for storage until next delivery attempt.
NOTE: A second delivery attempt will be made. If the second attempt is not successful, the keys will be delivered to the Work Reception Center. The Access Coordinator (or Designee) must contact the Work Reception Center directly to arrange for key pick-up at the Office of Physical Plant.
- Upon successful delivery, the signed/dated Workorder will be returned to Office of Physical Security, 118 OPP Building via campus mail for file retention.
NOTE: Grand Master and all other security sensitive keys will NOT be delivered. Instead, such keys must be picked-up by the Access Coordinator (or Designee) and signed for at the Work Reception Center. The Access Coordinator (or Designee) will call the WRC directly and schedule the appointment.
In accordance with AD68 , only a University-approved locksmith, as defined in the "Definitions" section of this procedure, may perform core changes, core moves, key cutting or duplications for a non-University Park location. For sound control of this process, the following guidelines must be observed :
- A unique identifier must be placed on all keys made.
- The University-approved locksmith shall deliver keys to the area Access Coordinator, rather than send them through the mail.
- Documentation of locksmith services- the area Access Coordinator must maintain a physical record, such as an invoice or work order, to validate/substantiate the services performed. Documentation must include the building/area/room information for the location(s) serviced, who requested the performance of such services, who authorized/approved the services, details explaining the services performed, and any other pertinent information that supports the services performed.
In accordance with policy AD68 , "Any core changes, core moves, key cutting or duplications shall be performed only by a University-approved locksmith..."
Key-Core changes will be processed through the OPP Lock Shop in the same manner as previously described for the cutting of keys (see "OPP Lock Shop Processing"). Access Coordinators will identify, collect and record all keys forced out of service due to the requested key-core changes. These keys must then be returned to the University Access Controller for destruction.
Key core changes will be processed through the campus Office of Physical Plant or the Department that is responsible for locksmith work at that campus location. See "University-Approved Locksmith Processing (for Non-University Park Locations), above.
will be handled in accordance with the " Housing and Food Services Policies and Procedures for Key/Card Access ," and as stated in the Terms, Conditions and Regulations of the Housing and Food Service Contract or Lease.
Requests for key-core changes are handled through the Division of Facilities Resources and Planning.
- Any Contractor that is involved in new building construction, where the building under construction is not yet occupied by any PSU personnel, may be allowed to use a "Contractor Core" until such a time that the building is turned over to the University for occupation or installation of University Assets.
- If a Contractor is providing services (new building construction or renovations) and University cores and keys/ACD's are in use, the Contractor must abide with the terms of Policy AD68 and this procedure in using and returning all University keys/ACD's issued to them.
- At no time should a Contractor Core be used in an already-occupied building unless previously approved by the University Access Controller or an individual designated by the University Access Controller.
- In the event that any University-owned Keys or Access Devices are lost, this will be reported by the Project Manager to the Work Reception Center at OPP and the situation will be handled as described in "Handling of Lost Keys/ACD's."
To insure the integrity of facility access as well as the safety and security of the University employees and students, contractors and vendors must follow the process specified below:
- Access requests for contractors and vendors that will be performing work in any Penn State building will be made by the responsible Project Manager or other appropriate sponsor by completing a Facility Access Authorization Request , as discussed in " Requesting Access Via the Facility Access Authorization Request Form ." Once authorized, a copy of this request will be printed out and maintained at the WRC.
- When a key/ACD is needed, the contractor/vendor representative will identify themselves to the personnel in the WRC and the key/ACD obtained from the electronic key system unit. At day-end or end of shift (as applicable), this key/ACD will be returned to the electronic key system unit.
- If for any reason the key/ACD is not returned within the appropriate time period, the key system generates an email notifying the WRC, the Contractor Supervisor and responsible Project Manager that the key/ACD is still outstanding. Upon notification, the project manager must investigate and resolve the situation (key/ACD returned).
- When warranted, the Project Manager or other appropriate sponsor may request an extended issuance of keys/ACD's for a Contractor/vendor, by completing a Facility Access Authorization Request , as discussed in " Requesting Access Via the Facility Access Authorization Request Form ." This period is not to exceed two weeks in length, at which time the keys/ACD's will be turned in, inventoried and reissued per a new request, if necessary.
- When the project is completed, the Contractor will turn in all keys/ACD's in their possession to the Project Manager/other appropriate sponsor (as applicable). Any cost associated with unreturned keys/ACD's could result in additional costs to the contractor, as described in "Handling of Lost Keys/ACD's."
Quarterly, each Access Coordinator will review the status of the University keys/ACD's issued to verify that the device holders remain currently affiliated with the department which approved keys/ACD's issued. If a key/access device holder is no longer affiliated with that department, the Access Coordinator will notify the holder and applicable department official, and recover the keys/ACD's. If the keys/ACD's cannot be recovered, the appropriate avenues of collection of replacement/re-coring fee will be instituted in accordance the replacement fee mandates established in University policy AD68 and applicable sections of this procedure.
If an individual's access changes are as a result of leaving University employment, the employee should comply with applicable parameter of policies HR55, HR102 and AD68 as they prepare to leave the University.
In accordance with policy HR55 , " the faculty or staff member shall return all University-issued items including...keys ."
Likewise, policy HR102 " establishes University expectations for processing separations and transfers of covered individuals. The intent of the policy is to ensure that all University property is retrieved and that access to University facilities and systems is appropriately restricted at the time of the separation or transfer of a covered individual.... "
Additionally, policy AD68 states that " the individual will be required to notify their area Access Coordinator and make the appropriate changes, including the return of their keys/ACD's, and/or changes to their access credential clearances, as applicable. These circumstances can include, but are not limited to: (1) access changes in their current area of employment (2) leaving the University, or (3) accepting employment in a different area of the University. Lost keys/ACD's will be reported to the University Access Controller... Recovery costs will be charged to an individual's department for each lost or unreturned key (including keys to leased properties) and/or access credential devices issued by the University. In addition, recoring costs may also be charged... "
For additional questions to ensure complete and appropriate compliance, the departing employee should consult their supervisor, Human Resources Representative or area Financial Officer.
Annually, Access Coordinators are required to perform a review of their inventory and generate a report stating their findings. Upon completion, this report must be forwarded to the University Access Controller and the responsible Budget Executive or Budget Administrator.
Using their inventory records/system, the Access Coordinator will generate a report of ALL keys/ACD's that are under their control. Keys/ACD's that are not physically in the Access Coordinator's lockable cabinet are considered "issued" and should have an Facility Access Authorization Request or equivalent documentation (depending on the time frame when access was granted), to substantiate their issuance.
The Access Coordinator will compare/verify this inventory record to the physical inventory on hand. They will sign and date the inventory record, affirming that an audit was performed, and that all inventory was accounted for as documented. Any discrepancies must be noted, researched, and explained in their report. Any keys/ACD's not accounted for at the time of the audit must be reported as lost, stolen or unreturned (as applicable).
Action on any discrepancies reported will be decided upon by the University Access Controller.
Changes In Access Coordinator - Any time that a new Access Coordinator is assigned, a review of the current inventory information will be performed by the outgoing Access Coordinator, the incoming Access Coordinator and an Office of Physical Security representative. This will insure that all of the information and keys are accounted for, and allow any questions to be answered at the time of the transition. All keys/ACD's assigned to the outgoing Access Coordinator shall then be reassigned to the new Access Coordinator.
University Access Controller / Physical Security Audit - a random audit of a department's key/ACD inventory records may be held at any time by the University Access Controller or an Office of Physical Security representative to insure that both inventory and the security of keys and ACD's are being properly maintained.
Annually, each Access Coordinator will review their departmental database to insure that each of the clearance authorizations under their purview is current.
If discrepancies are discovered, the Access Coordinator will remove those clearances found not to be current and, if possible, notify the individuals via email that they have been removed.
Record retention must be managed in accordance with Policy AD35 - University Archives and Records Management , and records schedules approved by the Records Management Advisory Committee, Office of General Counsel, and Office of the President. These retention requirements are the University's retention criteria, either derived or based upon federal, state, and local statute or regulations, industry standards, and business needs. Retention beyond recommended time periods require justifiable reasons and warrant review by the Records Management Officer or designee. All documents must be maintained in such a manner so as to provide ease of access for review, and to provide a suitable audit trail for all transactions.
- Documents subject to a Legal Hold (see AD35, Legal Hold). A legal hold will remain in effect until it is released in writing by the Office of General Counsel.
- Documents under audit or review, either internally or externally. The retention period extends until released by the Corporate Controller's Office. The Financial Officer will be notified regarding any accounts which are under audit; the Financial Officer will be responsible for contacting the department.
Additional questions may be directed to the University Archivist or the Records Management Officer.
For questions, additional detail, or to request changes to this procedure, please contact the ENTER THE INFORMATION AS IT PERTAINS TO FURTHER INFORMATION. For those procedures maintained by their respective area, their contact information would be included so end-users know whom to contact with questions.
- Policy AD22 - Health Insurance Portability and Accountability Act
- Policy AD35 - University Archives and Records Management
- Policy AD68 - University Access Policy
- HR55 - Things to Know When Leaving University Employment
- HR102 - Separation and Transfer Protocol
- Blue/White Shredding Program
Date Approved: 03/25/14
Most recent changes:
- Revision 7 - Dated 03/19/14 (Revised per major changes to new Policy AD68 [formerly SY19], to reflect current operations)
Revision History (and effective dates:)
- Revision 6 - Dated 02/05/07 (Revised to reflect current operations, per major changes to Policy SY19)
- Revision 5 - Dated 10/12/04
- Revision 4 - Dated 01/04/90
- Revision 3 - Dated 03/17/88
- Revision 2 - Dated 08/06/86
- Revision 1 - Dated 03/14/86
- Original - Dated 11/21/85