Physical & Electronic Access Control
600.507 PHYSICAL AND ELECTRONIC ACCESS POLICY
Physical and electronic security is essential in providing security, access, and protection to Wenatchee Valley College students, personnel, equipment, buildings and resources. Colleges are popular targets of theft from both internal and external threats. Access to college buildings is a privilege, not a right, and implies user responsibilities and accountability. An essential element of security is maintaining adequate access control so that college facilities may only be accessed by those that are authorized. Issuance of access devices should be careful, systematic, and audited, as inadequately controlled access devices result in poor security. Each department will adopt and implement this policy and accompanying procedure. All units and departments within the scope of this policy are responsible for compliance to ensure the protection of college resources.
Approved by the president’s cabinet: 6/4/19
Adopted by the board of trustees: 6/19/19
Last reviewed: __/__/__
Policy contact: Administrative Services
Related policies and procedures
1600.507 Physical and Electronic Access Procedure
1600.507 PHYSICAL AND ELECTRONIC ACCESS CONTROL PROCEDURE
A. PURPOSE AND SUMMARY
The purpose of this procedure is to regulate access to Wenatchee Valley College property and ensure that any individual, college, department, operating unit, or program within the scope of this procedure is aware of their respective responsibilities when assigned key cards and building keys. This procedure will help provide a safe and secure campus environment through the diligent control of electronic access devices and building keys.
Access control is a needs-based standard. This standard touches all areas of access to include computer access, personal access, building access and residence halls. Access will be granted based on position description and the duties and responsibilities of the position. Decision makers are determined by roles and specific responsibilities. The tiers are implemented to create separation of duties. Separation of duties allows for decision-making and implementation at different levels, so there is a collaborative decision making tree to ensure security and auditing are done in a way to track access.
Effective physical and electronic security is essential in providing security, access and protection to the public, college students, employees and assets, and to mitigate threats or hazards, either natural or human-made.
The college has implemented several security measures to include but not limited to physical security (third party security vendor) with 24/7/365 day presence, cameras (internal and external locations on campus), and programmable external electronic locks on most buildings and future buildings.
This procedure and all implemented guidelines, standards and procedures will apply to all individuals using any device to access college buildings and or resources, including but not limited to the following:
- President, vice presidents, deans, directors and department heads.
Affiliates, associates and volunteers.
Faculty, appointed personnel, staff and students.
Third-party vendors, contractors and their agents.
Access Device/s: See definition of key.
Department Access Coordinator (DAC): Person designated by a vice president, dean, director, department head, or building manager to be responsible for authorizing and processing all access control transactions for the department.
Device: See definition of key.
Electronic Access Security: Any electronic or electro-mechanical locking device, using a key, which can be controlled from a site that is remote from the device. Any device that can be programmed or reprogrammed, that could have users added, modified or removed from a site that is remote from the device. Any device that can be opened, unlocked, locked or disabled from a remote location.
Key: Any means or device used to lock, unlock, open or gain access into a secured area. This includes but is not limited to metal key, combination, keypad code, keypad PIN code, key card, magnetic, proximity, biometric, radio frequency identification (RFID), or any combination of devices used to lock, unlock, open or gain access to a secured area.
Key Card: Wenatchee Valley College ID (key card) can be used as a key. See definition for key.
Mechanical Security: Mechanical locking device requiring no electrical power to open, lock, unlock or secure access to an area. Mechanical locking devices use a metal key or other apparatus.
Monitoring Center: Underwriters Laboratories (UL) listed monitoring center that provides 24-hour, 7-day-per-week off-site monitoring of security, fire, and other alarms and dispatches security, police, and/or fire personnel when an alarm is received. Monitoring center can be a third-party vendor.
Physical Security: Composed of mechanical security, electronic access security and a security system.
Level 1 - Basic Security: These areas are typically unlocked during business hours, allowing access by college personnel or the public. After hours, these areas are secured and access is by college key card and use of PIN. College support units will have access to these areas. Security systems are also integrated into this program and may be required to be armed and disarmed by authorized personnel, as necessary, to maintain the desired level of security.
Level 2 - Enhanced Security: Areas that are mechanically and electronically locked at all times, including during normal business hours, require college key card to gain entry each time, and may also require use of PIN. College support units will have access to these areas. Security systems are also integrated into this program and may be required to be armed and disarmed by authorized personnel, as necessary, to maintain the desire level of security.
Level 3 - High-Risk Security: Areas that by federal, state, or local laws or code have restricted access, or are restricted by college policies and/or procedures. These areas may require higher security access control devices such as biometric control devices. In some cases, access by college support services may be restricted or limited and may require that support services be escorted by approved department personnel. Security systems are also integrated into this program and may be required to be armed and disarmed by authorized personnel, as necessary, to maintain the desire level of security.
Security System: Devices to detect unauthorized intrusion or breach of a security parameter and notify a local or remote monitoring center.
Third-Party Security Vendor: A third-party sole-source vendor has been selected and is reviewed on an annual basis to ensure the level of service meets Wenatchee Valley College standards. This vendor provides a 24/7 support staff, and in the future may in conjunction with a UL-listed monitoring center, be able to monitor all of the designated security systems.
Unit: Any college, department, program or other operating unit.
D. COMPLIANCE AND RESPONSIBILITIES
The facilities and operations director and the safety, security and emergency manager are responsible for establishing electronic access and metal key policies and supporting procedures. They are also responsible for regulating metal key issuance. The college locksmith, or designee, maintains electronic access systems and maintains mechanical and electronic locking devices and all related door hardware specification, design, deployment, maintenance and integration with other security systems. The technology department oversees the computer data, back up and proper security integration protocol.
Responsibility for access to college buildings and resources and for implementation of this procedure rests with the vice presidents, deans, directors and department heads. This overall responsibility may not be delegated. Specific responsibilities within this procedure may be delegated within their respective units based on need and position held within Wenatchee Valley College.
The safety, security and emergency manager, or designee, will have responsibility for the following:
- Oversight of mechanical security, electronic access security, alarm security and the third-party security vendor.
- Development, revision, and oversight of this procedure and related procedures.
- Enforcement of this procedure.
- Issuing procedures and guidance to assist units in implementing this procedure. This procedure is the governing foundation for future policies and procedures related to physical security of campus buildings, property and resources.
Vice presidents, deans, directors, department heads and building managers will work together with the safety, security and emergency manager, or designee to serve as the primary contact between their respective units, facilities and operations, and any third-party security vendor regarding matters relating to physical security.
All security-related systems need to have a two, multi-factor authentication process.
E. ACCESS CONTROL AUTHORITY
Decision making on access control will be determined by roles and responsibilities. There are three tiers:
- Physical buildings and access points.
Physical building access is facilitated and scheduled by the locksmith, or designee, using the building scheduler management tool [the schedule].
- Residence hall(s).
The vice president of student services and director of campus life and equity determine physical access to the residence hall(s) and level of access for employees.
- Employee access.
The president’s cabinet, deans or designees in their chain of command determine level of access given to faculty and staff as supported by separation of duties.
Access is granted based on need. Need is determined by position.
F. ACCESS RESPONSIBILITIES
The vice president, dean, supervisor or designee that authorizes access for an individual is also responsible for revoking or reauthorizing that access as necessary. This includes any metal keys or electronic access devices issued to allow access to department controlled areas.
The locksmith or designee will have overall responsibility for the distribution of electronic key card access to building perimeter doors in conjunction with the college-established schedule and all internal doors that need to be scheduled to open/close.
The locksmith or designee is responsible for activating/deactivating electronic key card access to building perimeter doors and to all buildings under WVC access control system, RS2 electronic access, as determined by hours of operation and special events, via established schedules and cancellations.
The locksmith or designee is responsible for monitoring and tracking of locks and keys to include scheduled maintenance.
The safety, security and emergency manager or designee shall be notified when granting or removing access card authorization. This includes granting or removing access for faculty and staff, departmentally sponsored visitors, and include real-time employee status changes for hiring, retiring or separating employees.
Access authorization will be granted at the level of need. All access should have a termination date.
G. REVIEW OF ACCESS
Review of access needs to be done quarterly to look for people who have the incorrect level of access or for things that are out of the norm. This should be conducted by the vice president of administrative services or designee.
H. USER RESPONSIBILITIES
The user, which could be an employee, student, faculty, staff, visitor, contractor, subcontractor, or any other individual affiliated with the college, is responsible for securing and safeguarding any access device they have been issued. This includes but is not limited to, metal keys, key card, proximity device, biometric device, combination, PIN code, or any device used to gain access to any college buildings or areas under the control of, or maintained by, Wenatchee Valley College.
Users are individually responsible to confirm their key card and pin code work properly, prior to the necessity of afterhours building access, weekend access or to attend to any type of critical research in college buildings. Failure to do this could result in delays in gaining building access.
If any access device for which the user is responsible is lost, stolen or compromised, the user must report it immediately to security, the building manager or facilities/locksmith, or for contractors, their college point of contact.
Upon leaving the department or separation of employment with Wenatchee Valley College, either voluntarily or involuntarily, individuals are required to return all issued access devices to human resources or safety and security including metal building keys, which must be returned to be properly documented.
I. FACILITIES MANAGEMENT RESPONSIBILITIES
Since each college building is unique in design and purpose, the facilities director and the safety, security and emergency manager will coordinate with vice president(s) and deans to determine and develop and implement a workable plan to secure and schedule buildings converted to the new security protocol.
The college locksmith or designee (to include Stanley Best) is the only position authorized to originate or duplicate metal keys to any building or other area owned, operated or controlled by Wenatchee Valley College. Individuals in possession of an unauthorized college building key may be referred to security.
J. BUILDING ACCESS
Depending on building design and layout, access points will operate in the following manner:
- Designated perimeter doors will be electrically locked and unlocked according to electronic schedule, but capable of key card reader entry after hours or on weekends.
- Secondary perimeter doors will be locked and unlocked according to established schedules may or may not have a key card reader.
- Egress only doors will remain locked at all times.
- All perimeter doors are (or will be) equipped with door status contacts and will be monitored for status.
Afterhours building access will be granted by presenting a valid WVC key card, creating an audit trail. The locking and unlocking of designated entry doors will be accomplished electronically, according to established schedules.
K. BENEFITS OF ELECTRONIC ACCESS CONTROL
Provides building access for faculty, staff and students, without the need for metal keys.
Access to multiple buildings can easily be added or removed in accordance with needs based determination.
The extended liability of stolen or lost building entrance keys will be diminished.
An audit trail can be provided to document activity at each door.
Perimeter door lock and unlock schedules for buildings are adjusted per established schedules.
Campus Security can be notified if entry doors are forced open or propped open.
Campus Security - Perimeter doors on buildings can be remotely locked in the event of an emergency or threat situation.
Failure by individuals, departments, or units to follow this procedure and procedures may be subject to disciplinary action in accordance with negotiated agreements and Wenatchee Valley College policies and procedures as appropriate. Violations of this procedure may result in additional costs to the individual, department or unit.
The vice president of administrative services, the safety, security and emergency manager (SSEM) or his/her designee may grant exceptions to this procedure or related procedures after a security risk assessment. The vice president may rescind any exceptions to this procedure or procedures based on a new risk assessment or abuse of any exceptions granted. Residence life will be an exception to this procedure as that unit has its own keyless access procedure due to the unique living arrangements.
Exceptions to this procedure will be reviewed by the SSEM on an annual basis.
N. AFTERHOURS ACCESS SUPPORT
The following steps will be used in the event that a user, expecting to have access to a building, experiences trouble with the keyless access system:
- Call Security at 509.682.6911
- Security will confirm the event on the established calendar.
- If Security cannot confirm and event, they will follow the call out procedure.
In the event of an access card failure, please contact facilities/locksmith for card programming verification.
O. KEY ENTRY
Issuing of hard keys will fall under the same protocol as card access.
P. SAFETY AND SECURITY FOR DATA RETENTION
Data retention is critical. Currently the Basis System that primarily operates the residence hall and several other locations has data retention for 90 days. The RS2 System has a retention for a minimum of 90 days.
Approved by the president’s cabinet: 6/4/19
Presented to the board of trustees: 6/19/19
Last reviewed: __/__/__
Procedure contact: Administrative Services
Related policies and procedures
600.507 Physical and Electronic Access Control Policy