PROCEDURE SY2001 UNIVERSITY ACCESS: CLEARANCES, KEYS AND ACCESS DEVICES; AUTHORIZATION, ISSUANCE, AND FEES

PROCEDURE SY2001 UNIVERSITY ACCESS: CLEARANCES, KEYS AND ACCESS DEVICES; AUTHORIZATION, ISSUANCE, AND FEES
Budget and Finance Policy and Procedure Office
A Division of The Office of Budget and Finance
Last Revision: 03/25/2014
PROCEDURE SY2001 UNIVERSITY ACCESS: CLEARANCES, KEYS AND ACCESS DEVICES; AUTHORIZATION, ISSUANCE, AND FEES
Process Owner: University Police & Public Safety
Policy Steward facilitating procedure: Assistant Vice President for Police & Public Safety
TABLE OF CONTENTS
GENERAL
DEFINITIONS
PROCEDURE
ESTABLISHMENT/AUTHORIZATION OF ACCESS COORDINATOR POSITION
Authorization
DUTIES OF THE ACCESS COORDINATOR
Establishing and Recording Departmental Key and ACD Inventories (Individual Keys/ACD's)
Keys
ACD's
Storage
Recording Inventory
Processing Access, Key and ACD Requests
Requesting Access Using the Facility Access Authorization Request
Access Requests
WITHIN
the Requester Home Area
Access Requests
OUTSIDE
the Requester Home Area
Issuance of Keys / Activation of ACD's
New Key Requests
At University Park
At Non-University Park Locations
Final Processing for All Access Requests
Acceptance/Recordkeeping
Access Changes / Key Returns
Issuing Additional Keys/ACD's
Temporary Issuance of Facility Entrance Keys
Handling of Lost Keys/ACD's
Reporting
Temporary Issuance
Replacement
Security Assessment
Associated Cost Recovery
Key Processing for OPP Personnel
Key Issuance
Transfer/Reissue of Keys Between Individuals
Individual Key/Keys (up to 15 keys)
Key Rings (any number of keys greater than 15)
LABELING OF KEYS
REQUESTS FOR GRAND MASTER/ BUILDING MASTER/ FACILITY PERIMETER KEYS
Grand Master Keys
Building Master Keys
Facility Perimeter Keys
OFFICE OF PHYSICAL PLANT (OPP) LOCK SHOP PROCESSING (UNIVERSITY PARK)
Key Cutting
Delivery of Completed Keys
NON-UNIVERSITY PARK LOCATIONS UNIVERSITY-APPROVED LOCKSMITH PROCESSING
HANDLING OF KEY-CORE CHANGES
University Park
Commonwealth Campuses
All Housing & Food Service (UP) Key Core Changes
Leased Properties
Contractor/Construction Key Cores
ACCESS REQUESTS FOR CONTRACTORS AND OUTSIDE VENDORS
Daily Use
Extended Issuance
REVIEWS
WHEN LEAVING UNIVERSITY EMPLOYMENT
AUDITS OF KEY/ACD INVENTORIES
AUDITS OF CLEARANCES
AUDIT COORDINATION - FINANCIAL AND PROCEDURAL
UNIVERSITY RECORDS RETENTION AND DISPOSITION
EXHIBITS
CONTACT INFORMATION
CROSS REFERENCES
PROCEDURE STATUS
DATE APPROVED
MOST RECENT CHANGES
REVISION HISTORY
GENERAL
Policy
AD68 University Access
, has been established "to protect the safety, security, privacy and property of The Pennsylvania State University (University), and of individuals assigned to use University facilities, by controlling access to such facilities." As used in this procedure, the term "University access" refers to the process involving the issuance and control of clearances, keys and other access devices which allow access to/within a facility owned, leased, and/or under the control of The Pennsylvania State University ("University" "Penn State" PSU").
NOTE:
Keys other than those defined herein (such as equipment locks, desk, computer or cabinet keys, etc.) are not covered under this procedure. These devices fall under locally established guidelines.
This procedure applies to all facilities owned, leased by, and/or under the control of The Pennsylvania State University, excluding Hershey Medical Center, the College of Medicine, and the Pennsylvania College of Technology. Protocol for residence and food service facilities access, including student rooms and apartments in
University
residence facilities, will be governed by the "Housing and Food Services Policies and Procedures for Key/Card Access," and as stated in the Terms, Conditions and Regulations of the Housing and Food Service Contract or Lease.
Enforcement of Policy
AD68 University Access
and this procedure is the responsibility of the
University
Police and Public Safety. This procedure will be implemented through an Access Coordinator in each college, department or area (at University Park), and at each campus.
Any exceptions or variances from this procedure must be approved by Deputy Director of Operations - University Police and the Director of Physical Security, in conjunction with the appropriate Budget Executive.
This procedure provides guidance on the responsibilities and the controls necessary to administer all aspects of
University
access control in accordance with Policy
AD68 University Access
DEFINITIONS
The following definitions are pertinent to
University
access, as discussed in this procedure and its related policies and forms:
Access Control System
An electronic security system that can be activated by an access credential. The system electronically controls locking and unlocking of doors, identifies and records cardholder information, and logs system events.
Access Controls and Electronic Security Programs (A.C.E.S.)
a program within the Physical Security unit of the University Police and Public Safety. A.C.E.S.' mission is "to provide professional security services to The Pennsylvania State University community, consistent with the University's mission, culture, and resources in order to facilitate a safe and secure campus environment."
Access Coordinator
Ensures that clearances, keys, and access credential devices are issued to individuals only for the areas to which they are authorized to enter. Access Coordinators will be assigned as detailed in this procedure.
Access Credential Device (ACD)
Identifies the holder to an access control system and enables the system to determine the rights and privileges to enter a specific area. Devices may include a card, fob or tag.
C-CURE System
the University's primary electronic security system software that is used by Access Coordinators to grant access to individuals who request access to a particular area that the Access Coordinator oversees.
Clearance
Refers to a person's approved rights to access a facility.
Key
a traditional metal key or similar device that is used to unlock or lock specific mechanical door locks.
Key Types:
Grand Master Key
- Opens multiple doors in multiple buildings.
Facility Perimeter Key
- an emergency key for obtaining entrance to facilities that are equipped with an access control system. This key is only to be used in the event of an access control system failure.
At University Park
- maintained by University Police and the OPP Work Reception Center, in a secured manner
At Non-University Park Locations
- can be maintained by OPP, University Police, and/or the area Director of Business Services, in a secured manner
Building Master Key
- Opens most doors within a building.
Building Sub-master Key
- Opens multiple interior doors within an area of a building
Facility Entrance Key
- Only opens building entrance doors.
Individual Door Key
- Opens specific doors within a building.
Control Key
- device used to remove and replace a lock core. Such a device will only be held by the University Lock Shop, or University-approved locksmith.
Specialized Use Keys
- Opens locks to function specific areas in multiple locations.
Key Management System (KMS)
A system used to process key requests, maintain a record of each key created, and associate keys to the key holder.
Key Ring
A key-lockable, flexible style ring required for individuals carrying 10 or more keys, used to secure keys that need to be maintained on a single ring. This device deters unauthorized addition or subtraction of keys by individual key holders.
University Access Controller(s)
Representatives from the University Police and Public Safety, responsible for overseeing, advising and enforcing the parameters of Policy
AD68 University Access
and this procedure.
University Approved Locksmith
An employee authorized by the University to perform locksmith duties.
Any outside vendor that has been properly retained and authorized by the University to perform the locksmith work needed.
Work Reception Center (WRC)
A department within the Office of Physical Plant charged with maintaining University keys/ACD's for individual sign-out.
PROCEDURE
ESTABLISHMENT/AUTHORIZATION OF THE ACCESS COORDINATOR POSITION
An Access Coordinator must be a full-time staff member. To effectively perform their duties, it is essential that they become knowledgeable of pertinent
University
policies and procedures, as well as the programs and personnel at their campus, college, department or area, particularly as these details pertain to "access" to their area of jurisdiction. The goal is to ensure that keys, access devices and/or clearances are issued to individuals only for the areas to which these individuals are authorized to enter.
Area managers/supervisors and employees will be responsible for working with the Access Coordinator to request access and changes to access, when needed. It is the responsibility of the Access Coordinator to maintain systematic and effective control of all keys, access devices and/or clearances for the rooms and/or buildings under their jurisdiction.
NOTE:
While job profile descriptions may vary throughout the
University
, the "role" of an Access Coordinator shall be applicable to those positions whose responsibilities include duties described in Policy
AD68 University Access
and this procedure. As such, those individuals are bound to perform their duties within the parameters of Policy
AD68 University Access
and this procedure. These duties may include (but are not limited to) record-keeping, coordination, and oversight duties.
Authorization
Each Budget Executive or Budget Administrator shall appoint an Access Coordinator for the campus, college, department or area, as appropriate, via the completion of an
Access Coordinator Authorization Form
. Once properly completed and forwarded to the
University
Access Controller, the Access Coordinator may commence with their duties, as specified below.
DUTIES OF THE ACCESS COORDINATOR
Establishing and Recording Departmental Key and ACD Inventories (Individual Keys, ACD's)
Keys
Keys already on hand must be recorded for proper accountability and control (see "Recording Inventory," below). New keys, when needed, will be obtained using the Key Management System (KMS, at University Park) or through the appropriate
University
Approved Locksmith (at campus locations), then recorded.
ACD's
Access Coordinators may request to maintain a supply of access credential devices ("ACD's," such as key cards, fobs or tags) for issue upon proper authorization. Such requests are to be made through the
University
Access Controller.
Storage
Any Access Coordinator maintaining a supply of keys and/or ACD's for issuance shall secure and maintain them in a lockable cabinet. Inventory supplies should be kept to a minimum. Any issuance from this supply, permanent or temporary, must be documented in the perpetual key/access device inventory system being maintained.
Recording Inventory
It is the responsibility of the Access Coordinator to promptly record all key/ACD activity (inventory being held, issuance dates, return dates, names and pertinent information) into their perpetual inventory system (database, excel spreadsheet, manual system). A perpetual inventory record may be used.
NOTE:
Keys and/or ACD's for leased properties are managed through the Division of Facilities Resources and Planning, Temporary issuances are handled by the Work Reception Center. These requests are not processed through the
University
Police/University Access Controller.
Processing Access, Key and ACD Requests
The Access Coordinator will ensure that clearances, keys, and/or ACD's are issued to individuals only for areas to which they have a justifiable need to access. This applies to ALL employee classifications (new hires or existing employees), as well as all non-employees. Requests for clearances, keys and/or ACD's must be made via the process discussed below. No clearance, key or ACD will be issued prior to this process being completed. At no time may an access request bypass the Access Coordinator (or Designee).
Access Coordinators shall utilize current building floor plans and Door Schedules so they may determine the correct level of clearance/key/ACD to issue, and to provide direction on changes to Key and Access Schedules. This information is available/obtainable via the
Facilities Information System
and selecting "Interactive Blockplan Map," or by contacting a Facilities Information System staff person.
Requesting Access Using the Facility Access Authorization Request
Access Requests WITHIN the Requester Home Administrative Area
Requests for access must be made via completion of a
Facility Access Authorization Request
form. Such requests are submitted by a "Sponsor," typically a supervisor or project manager, who is requesting access to a building and/or room on behalf of an employee or a non-employee, as applicable.
The employee or non-employee (as applicable) will be required to agree, as part of this process, to abide by the terms of Policy
AD68 University Access
before access will be granted. If the employee/non-employee will not agree to abide by Policy AD68, access will not be granted.
The Sponsor and Next Level Supervisor (when applicable), will affirm that they concur with the request and have advised the Requester of policy AD68 by their signature(s) in the "AD68 Advisement Statement" area of the Facility Access Authorization Request.
All properly completed and agreed-upon requests for employees/non-employees will then be routed to the Access Coordinator for review and approval. Additional questions pertaining to the access request may be asked by the Access Coordinator, as necessary. If there are questions about the justification of the request, the Access Coordinator has the right to consult the Sponsor as well as the University Access Controller before approving or rejecting the request.
If, upon review, the request is acceptable, the Access Coordinator will sign and date the form, affirming that they have reviewed the details of the access request and they concur with the request for access. Additionally, they will determine the "type" of access needed, and check the appropriate boxes on the form.
If the request for access is rejected, the Access Coordinator will note the reason on the Facility Access Authorization Request Form and return a copy of the rejected form to the Requester/Requesting Area. If explanation is lengthy, the Access Coordinator should record the information on the back of the form.
Access Requests OUTSIDE the Requester Home Administrative Area
All processing will occur as described above, except:
For access requests that are outside the Requester home area, the Requester Home Area Access Coordinator must contact the Access Coordinator of the facility to which access is being requested for permission to access the facility. The discussion and decision to grant access (or not grant) must be substantiated through the exchange of a confirming email between the requesting department's Access Coordinator and the Access Coordinator of the facility to which access is being requested. Once granted and confirmed, the requesting department's Access Coordinator will sign and date, affirming that they have reviewed the details of the access request and access permission has been authorized. Additionally, the "type" of access granted will be substantiated by checking the appropriate boxes on the form.
If permission is not granted, the form will be retained as evidence of the decision. Copies of the confirming or denial emails (as applicable) must be retained by the both Access Coordinators involved for proper audit trail.
Issuance of Keys / Activation of ACD's
Approved requests which require the issuance of keys can often be filled from the Access Coordinator's on-hand supply. However, if circumstances warrant that a new key be made/issued, keys will be requested as specified in "New Key Requests."
Approved requests which require the activation of an ACD (for access to specific areas) will occur via entry of the requester information into the C-CURE System by the Access Coordinator.
Whether approved, non-temporary requests are filled from on-hand inventory, handled as a new key request, or require ACD activation, the Requester must complete the process as specified below in "Final Processing for All Access Requests" before keys are issued/ACD's are activated.
New Key Requests
At University Park
The unit's Access Coordinator (or authorized designee) must login into OPP's Key Management System. The Access Coordinator will complete the request and submit for processing, as specified in "OPP Lock Shop Processing (University Park)."
At Non-University Park Locations
The unit's Access Coordinator (or authorized designee) will process new key requests as specified in "University-Approved Locksmith Processing (For Non-University Park Locations)," below.
Final Processing for All Access Requests
Acceptance/ Recordkeeping
Once approved, and prior to receiving the appropriate access device from the requesting department's Access Coordinator, the Requester must sign and date the "Acceptance" area of the Facility Access Authorization Request Form. In signing the form, the Requester affirms and agrees to the following:
they have been advised of Policy
AD68 University Access;
are aware of their responsibilities in receiving access; and
by accepting key(s) and/or ACD(s) from the Access Coordinator, agree to comply in full with the terms specified on the form and all related
University
policies.
Once signed, the Access Coordinator will issue the access devices requested to the Requester, along with a signed copy of the form. A signed copy of the form will also be issued to the Requester Supervisor. The Access Coordinator must retain the signed, original copy of the form for their records. For access requests OUTSIDE the Requester home area, a signed copy of the form will be forwarded to the Access Coordinator of the facility being accessed.
Access Changes / Key Returns
In accordance with Policy
AD68 University Access
, when an individual's access requirements change, the individual will be required to notify their area Access Coordinator and make the appropriate changes, including the return of their keys/ACD's, and/or changes to their access credential clearances, as applicable. These circumstances can include, but are not limited to:
access changes in their current area of employment;
leaving the University (see "When Leaving
University
Employment"); or,
accepting employment in a different area of the
University
Lost keys/ACD's will be reported to the
University
Access Controller as specified in "Handling of Lost Keys/ACD's." Recovery costs will be charged to an individual's department for each lost or unreturned key (including keys to leased properties) and/or access credential devices issued by the
University
. In addition, recoring costs may also be charged as defined in this procedure. When returned, the Access Coordinator will perform a spot audit of all keys that have been assigned to that individual and update their inventory records in a timely manner. Any discrepancies will be handled per "Handling of Lost Keys/ ACD's."
Issuing Additional Keys/ACD's
If at any time it becomes necessary for the employee to be issued additional keys or ACD's, a new Facility Access Authorization Request Form must be submitted through the proper channels, as described in "Processing Access, Key and ACD Requests".
Temporary Issuance of Facility Entrance Keys
An Access Coordinator may issue a Facility Entrance Key to an individual on a temporary basis for a building not equipped with electronic card access, if they determine that an individual needs access to that building after the hours that the building would normally be open. Such issuances must be requested and processed by completing a
Facility Access Authorization Request
, checking the "Temporary" box and the applicable start and ending dates, along with all other appropriate information requested on the form.
It is the responsibility of the issuing Access Coordinator, on a monthly basis, to audit those keys that are held as temporary. Temporarily-assigned keys may not be issued for periods of longer than 120 days, or until a permanent device can be requested and issued, whichever is the shorter time period.
NOTE:
A temporary key cannot be issued to a contractor or outside vendors for use; these groups must go through the proper Project Manager or Department as described in "Access Requests for Contractors and Outside Vendors."
Handling of Lost Keys/ACD's
Reporting
All lost keys/ACD's must be reported immediately by the key/ACD holder to the Access Coordinator. The Access Coordinator will, in turn, report lost keys/ACD's to the
University
Police along with a confirming email to the
University
Access Controller. If the Access Coordinator is unavailable for any reason (e.g., nights, weekends, vacations, holidays), the key/ACD holder must notify the
University
Police instead. However, the key/ACD holder should follow up with their Access Coordinator when business hours resume, so that the appropriate corrective action can be taken, as specified below.
Temporary Issuance
On a temporary basis, a temporary key/ACD may be issued by completing a
Facility Access Authorization Request
, checking the "Temporary" box and the applicable start and ending dates, along with all other appropriate information requested on the form. This issuance will be noted accordingly in inventory records maintained by the Access Coordinator.
It is the responsibility of the issuing Access Coordinator, on a monthly basis, to audit those keys that are held as temporary. Temporarily-assigned keys may not be issued for periods of longer than 120 days, or until a permanent device can be requested and issued, whichever is the shorter time period.
Replacement
If a key/ACD is determined to be "unrecoverable," the Access Coordinator and key/ACD holder will follow the steps previously described in the "Processing Access, Keys and ACD Requests" section of this procedure to obtain a replacement key/ACD.
Security Assessment
The Access Coordinator,
University
Access Controller and responsible budget executive will assess the vulnerability of area(s) compromised by the lost key/ACD to determine the corrective measures needed to restore appropriate access control to the affected area(s).
Associated Cost Recovery
Recovery costs will be charged to an individual's department for each lost or unreturned key (including keys to leased properties) and/or access credential devices issued by the
University
Likewise, if it is determined through the security assessment process that new cores must be installed or access devices must be replaced/reprogrammed, such actions will be undertaken with the recovery costs being charged to the department.
If the area Budget Executive/Budget Administrator so chooses, recovery costs may be passed on to the key/ACD holder.
Leased Properties - The same regulations apply to keys/ACD's issued for leased properties, as specified above.
Key Processing for OPP Personnel
During the orientation process for new Office of Physical Plant (OPP) trades persons, the individual will be issued the requested keys by the
WRC at
OPP
, in accordance with this procedure and normal
OPP
standards for new hires.
Key Issuance
Any
OPP
trades person that has a need to carry more than 15 keys on a ring shall be issued these keys on an approved Key Ring. These keys will be inventoried and listed as a 'ring' and a number associated with that ring on the appropriate section of their
Facility Access Authorization Request
. Any keys that are subsequently removed or added will be reported to their Supervisor and recorded with the
WRC
. The ring will be the responsibility of the trades person to whom it is assigned to. If shared, the ring will be checked in each night prior to sharing, and the receiving trades person will be responsible for the keys assigned to that ring. Any discrepancies, to include missing keys, evidence of tampering with the sealed ring, etc. must be immediately reported to the supervisor and this information passed on to the
WRC
In the event that any key(s) or key ring is transferred from one individual to another, processing will occur as discussed in "Transfer/Reissue of Keys Between Individuals".
Transfer/Reissue of Keys Between Individuals
There are situations when a key(s) or key ring must be transferred from one individual to another. Regardless of reason or department involved, whenever the status of an individual changes and the keys are to be re-issued, the area supervisor and Access Coordinator will be responsible for insuring that the proper paperwork is processed and approved in a timely manner. Keys/key rings will be handled in accordance with the following procedure:
Individual Key/Keys (up to 15 keys)
These keys will be turned in, inventoried and accounted for, and a new
Facility Access Authorization Request
Form completed prior to re-issue to the new individual.
Key Rings (any number of keys greater than 15)
These rings will be handled as a 'batch', with a number assigned to that particular ring. All keys associated with that ring will be inventoried and accounted for. A new
Facility Access Authorization Request
Form will be generated and processed in accordance with this procedure, at which time the ring will then be issued to the requesting party.
In the event that any keys are missing or extra keys are discovered during this process, they will be handled in accordance with "Handling of Lost Keys / ACD's."
LABELING OF KEYS
Per Policy
AD68 University Access
, "All keys subject to this policy shall be labeled with a unique identifier stamped onto the key. The
University
Key Management System (or equivalent key management system at Non-University Park locations) will be used to maintain a record of each key created and identified to its key holder by this unique identifier. No additional key labeling or tagging of any kind is permitted, unless authorized by the
University
Access Controller."
REQUESTS FOR GRAND MASTER / BUILDING MASTER / FACILITY PERIMETER KEYS
Grand Master Keys
A Grand Master key may only be requested under exceptional circumstances, by written justification from the Budget Executive to the
University
Access Controller. Such justification will identify the person to whom the Grand Master key will be issued and the basis for need of such access. If approved by the
University
Access Controller, the Budget Executive and the area Access Coordinator will be notified. The Access Coordinator will then process the appropriate key request via the Key Management System, as specified in "New Key Requests."
Building Master Keys
Building Master Keys may only be requested by written justification from the Budget Executive to the
University
Access Controller. Such justification will identify the person to whom the Building Master key will be issued and the basis for need of such access. If approved by the
University
Access Controller, the Budget Executive and area Access Coordinators will be notified. The Access Coordinator will then process the appropriate key request via the Key Management System, as specified in "New Key Requests."
Facility Perimeter Keys
These keys are only kept in the possession of the
WRC
at
OPP
and the
University
Police, and will not be issued.
At University Park, the only areas authorized to keep an inventory of unassigned Grand Master, Building Master, or Facility Perimeter keys will be the
WRC
and the
University
Police.
At non-University Park locations, the Director of Business Services (DBS) shall act as the
University
Access Controller for the purpose of approving requests for these types of keys. The DBS shall also determine where and how to secure these keys.
OFFICE OF PHYSICAL PLANT (OPP) LOCK SHOP PROCESSING (UNIVERSITY PARK)
In accordance with Policy
AD68 University Access
, "...key cutting or duplications shall be performed only by a University-approved locksmith," as defined in the "Definitions" section of this procedure.
Key Cutting
After the appropriate authorizations have been obtained as discussed in "New Key Requests," Lock Shop employees will cut the approved key(s). Each key will be marked with a unique identifier, as specified in Policy AD68.
Delivery of Completed Keys
All key deliveries will be handled as described below:
For all OPP staff and trade persons - all new keys, whether temporary or permanent issue, will be delivered to the
WRC
to be distributed per
WRC
procedures.
For All Other Requests - The below procedures are used in conjunction with the proper paperwork and approvals for key issues:
Key(s) will be cut by the
OPP
Lock Shop.
Key(s) placed in envelope - Access Coordinator's name is placed on the envelope.
A copy of the Workorder is attached to the key envelope and placed in secure storage container in the
OPP
Mail Room.
The Courier service picks up keys from
OPP
Mail Room and delivers to the applicable Access Coordinator (or Designee).
The Workorder will be signed/dated by the Access Coordinator (or Designee), certifying that the key(s) have been received.
If Access Coordinator (or Designee) is not available
- If the Access Coordinator (or Designee) is unavailable to accept delivery, the Courier will leave an Attempted Delivery Notice (See
Exhibit "A"
) containing instructions to call Delivery Services to reschedule delivery. Undeliverable keys are returned to the
OPP
Mail Room secure container for storage until next delivery attempt.
NOTE:
A second delivery attempt will be made. If the second attempt is not successful, the keys will be delivered to the
WRC
. The Access Coordinator (or Designee) must contact the
WRC
directly to arrange for key pick-up at
OPP
Upon successful delivery, the signed/dated Workorder will be returned to Office of Physical Security, 118 OPP Building via campus mail for file retention.
NOTE:
Grand Master and all other security sensitive keys will NOT be delivered. Instead, such keys must be picked-up by the Access Coordinator (or Designee) and signed for at the
WRC
. The Access Coordinator (or Designee) will call the
WRC
directly and schedule the appointment.
NON-UNIVERSITY PARK LOCATIONS UNIVERSITY-APPROVED LOCKSMITH PROCESSING
In accordance with Policy
AD68 University Access
, only a
University
-approved locksmith, as defined in the "Definitions" section of this procedure, may perform core changes, core moves, key cutting or duplications for a non-University Park location. For sound control of this process, the following guidelines must be observed :
A unique identifier must be placed on all keys made.
The University-approved locksmith shall deliver keys to the area Access Coordinator, rather than send them through the mail.
Documentation of locksmith services- the area Access Coordinator must maintain a physical record, such as an invoice or work order, to validate/substantiate the services performed.
Documentation must include the building/area/room information for the location(s) serviced, who requested the performance of such services, who authorized/approved the services, details explaining the services performed, and any other pertinent information that supports the services performed.
HANDLING OF KEY-CORE CHANGES
In accordance with Policy
AD68 University Access
, "Any core changes, core moves, key cutting or duplications shall be performed only by a University-approved locksmith..."
University Park:
Key-Core changes will be processed through the
OPP
Lock Shop in the same manner as previously described for the cutting of keys (see "OPP Lock Shop Processing"). Access Coordinators will identify, collect and record all keys forced out of service due to the requested key-core changes. These keys must then be returned to the
University
Access Controller for destruction.
Commonwealth Campuses
Key core changes will be processed through the campus Office of Physical Plant or the Department that is responsible for locksmith work at that campus location. See "University-Approved Locksmith Processing (for Non-University Park Locations), above.
All Housing & Food Service (UP) Key-Core Changes
Will be handled in accordance with the "Housing and Food Services Policies and Procedures for Key/Card Access," and as stated in the Terms, Conditions and Regulations of the Housing and Food Service Contract or Lease.
Leased Properties
Requests for key-core changes are handled through the Division of Facilities Resources and Planning.
Contractor/Construction Key Cores
Any Contractor that is involved in new building construction, where the building under construction is not yet occupied by any
University
personnel, may be allowed to use a "Contractor Core" until such a time that the building is turned over to the
University
for occupation or installation of
University
Assets.
If a Contractor is providing services (new building construction or renovations) and
University
cores and keys/ACD's are in use, the Contractor must abide with the terms of Policy AD68 and this procedure in using and returning all
University
keys/ACD's issued to them.
At no time should a Contractor Core be used in an already-occupied building unless previously approved by the
University
Access Controller or an individual designated by the
University
Access Controller.
In the event that any
University
-owned Keys or Access Devices are lost, this will be reported by the Project Manager to the
WRC
at
OPP
and the situation will be handled as described in "Handling of Lost Keys/ACD's."
ACCESS REQUESTS FOR CONTRACTORS AND OUTSIDE VENDORS
Daily Use
To insure the integrity of facility access as well as the safety and security of the
University
employees and students, contractors and vendors must follow the process specified below:
Access requests for contractors and vendors that will be performing work in any
Penn State
building will be made by the responsible Project Manager or other appropriate sponsor by completing a
Facility Access Authorization Request
, as discussed in "Requesting Access Via the Facility Access Authorization Request Form." Once authorized, a copy of this request will be printed out and maintained at the
WRC
When a key/ACD is needed, the contractor/vendor representative will identify themselves to the personnel in the
WRC
and the key/ACD obtained from the electronic key system unit. At day-end or end of shift (as applicable), this key/ACD will be returned to the electronic key system unit.
If for any reason the key/ACD is not returned within the appropriate time period, the key system generates an email notifying the
WRC
, the Contractor Supervisor and responsible Project Manager that the key/ACD is still outstanding. Upon notification, the project manager must investigate and resolve the situation (key/ACD returned).
Extended Issuance
When warranted, the Project Manager or other appropriate sponsor may request an extended issuance of keys/ACD's for a Contractor/vendor, by completing a
Facility Access Authorization Request
, as discussed in "Requesting Access Via the Facility Access Authorization Request Form." This period is not to exceed two weeks in length, at which time the keys/ACD's will be turned in, inventoried and reissued per a new request, if necessary.
When the project is completed, the Contractor will turn in all keys/ACD's in their possession to the Project Manager/other appropriate sponsor (as applicable). Any cost associated with unreturned keys/ACD's could result in additional costs to the contractor, as described in "Handling of Lost Keys/ACD's."
REVIEWS
Quarterly, each Access Coordinator will review the status of the
University
keys/ACD's issued to verify that the device holders remain currently affiliated with the department which approved keys/ACD's issued. If a key/access device holder is no longer affiliated with that department, the Access Coordinator will notify the holder and applicable department official, and recover the keys/ACD's. If the keys/ACD's cannot be recovered, the appropriate avenues of collection of replacement/re-coring fee will be instituted in accordance the replacement fee mandates established in University Policy
AD68 University Access
and applicable sections of this procedure.
WHEN LEAVING UNIVERSITY EMPLOYMENT
If an individual's access changes are as a result of leaving
University
employment, the employee should comply with applicable parameters of Policy
HRG20 Separation and Transfer Protocol
and
AD68 University Access
as they prepare to leave the
University.
In accordance with Policy
HRG20 Separation and Transfer Protocol
, "the faculty or staff member shall return all University-issued items including...keys."
Likewise, Policy
HRG20 Separation and Transfer Protocol
"establishes
University
expectations for processing separations and transfers of covered individuals. The intent of the policy is to ensure that all
University
property is retrieved and that access to
University
facilities and systems is appropriately restricted at the time of the separation or transfer of a covered individual...."
Additionally, Policy
AD68 University Access
states that "the individual will be required to notify their area Access Coordinator and make the appropriate changes, including the return of their keys/ACD's, and/or changes to their access credential clearances, as applicable. These circumstances can include, but are not limited to:
access changes in their current area of employment;
leaving the
University
; or,
accepting employment in a different area of the
University
Lost keys/ACD's will be reported to the
University
Access Controller. Recovery costs will be charged to an individual's department for each lost or unreturned key (including keys to leased properties) and/or access credential devices issued by the
University
. In addition, recoring costs may also be charged..."
For additional questions to ensure complete and appropriate compliance, the departing employee should consult their supervisor, Human Resources Representative or area Financial Officer.
AUDITS OF KEY/ACD INVENTORIES
Annually, Access Coordinators are required to perform a review of their inventory and generate a report stating their findings. Upon completion, this report must be forwarded to the
University
Access Controller and the responsible Budget Executive or Budget Administrator.
Using their inventory records/system, the Access Coordinator will generate a report of ALL keys/ACD's that are under their control. Keys/ACD's that are not physically in the Access Coordinator's lockable cabinet are considered "issued" and should have an Facility Access Authorization Request or equivalent documentation (depending on the time frame when access was granted), to substantiate their issuance.
The Access Coordinator will compare/verify this inventory record to the physical inventory on hand. They will sign and date the inventory record, affirming that an audit was performed, and that all inventory was accounted for as documented. Any discrepancies must be noted, researched, and explained in their report. Any keys/ACD's not accounted for at the time of the audit must be reported as lost, stolen or unreturned (as applicable).
Action on any discrepancies reported will be decided upon by the
University
Access Controller.
Changes In Access Coordinator - Any time that a new Access Coordinator is assigned, a review of the current inventory information will be performed by the outgoing Access Coordinator, the incoming Access Coordinator and an Office of Physical Security representative. This will insure that all of the information and keys are accounted for, and allow any questions to be answered at the time of the transition. All keys/ACD's assigned to the outgoing Access Coordinator shall then be reassigned to the new Access Coordinator.
University
Access Controller / Physical Security Audit - a random audit of a department's key/ACD inventory records may be held at any time by the
University
Access Controller or an Office of Physical Security representative to insure that both inventory and the security of keys and ACD's are being properly maintained.
AUDITS OF CLEARANCES
Annually, each Access Coordinator will review their departmental database to insure that each of the clearance authorizations under their purview is current.
If discrepancies are discovered, the Access Coordinator will remove those clearances found not to be current and, if possible, notify the individuals via email that they have been removed.
AUDIT COORDINATION - FINANCIAL AND PROCEDURAL
The Financial Officer is responsible for ensuring that procedures pertaining to the accountability and safeguarding of all cash receipts, cash funds, and other assets are established and followed in accordance with approved
University
policies and procedures. Regular audits relating to advances, cash, travel, equipment accountability, and other expenditures provide a means to protect
University
assets. The Financial Officer is responsible for working with Internal Audit when audits are being performed in the administrative area. Audits relating to sponsored activities or other audits performed by external auditors may also be performed. The Financial Officer would also be responsible for working with the external auditor and/or a central university office related to these procedures.
UNIVERSITY RECORDS RETENTION AND DISPOSITION
University
Records must be retained and managed in accordance with Policy
AD35 University Archives and Records Management
, and records schedules approved by the Records Management Advisory Committee, Office of General Counsel, and Senior Vice President and Chief of Staff. These record retention schedules are derived or based upon federal, state, and local statute or regulations,
University
Policy, industry standards, and business needs. All
University
Records must be maintained in such a manner to provide ease of access, establish a suitable audit trail for all transactions, and to be reviewed prior to disposition.
Upon completion of the retention period,
University
Records must be disposed of via secure destruction or transfer to
University
Archives. If the disposition method for
University
Records states "Review by Archives" on the records retention schedule, the employee responsible for those records should consult the
University
Archivist for a final determination of disposition. For
University
Records that must be securely destroyed, units may arrange for shredding services by contacting the
Inactive Records Center
Exceptions to the disposition process are as follows:
University
Records subject to a Legal Hold
(See AD35, Legal Hold) - A legal hold will remain in effect until it is released in writing by the Office of General Counsel.
University
Records under audit or review by external auditors
- The Financial Officer will be notified regarding any cost objects that are under audit hold; the Financial Officer will be responsible for contacting the Unit associated with the cost objects. An audit hold will remain in effect until the hold is released by the Office of Budget and Finance.
University
Records under audit or review by Internal Auditing
- Internal Auditing will notify the department or individual regarding any audit holds pertaining to an Internal Auditing investigation. The audit hold will remain in effect until the hold is released by Internal Auditing.
To safeguard the privacy of individuals, records that contain Personally Identifiable Information (PII), as defined in Policy
AD53 Privacy Policy
or student records, as defined in Policy
AD11 Confidentiality of Student Records
, must be destroyed beyond recovery. For additional information regarding privacy and the protection of an individual's personal information, see Policy
AD53 - Privacy Policy
Additional questions may be directed to the
Office of Records Management
EXHIBITS
Exhibit A - Attempted Delivery Notice Form
CONTACT INFORMATION
For questions, additional detail, or to request changes to this procedure, please contact the Office of Physical Safety.
CROSS REFERENCES
Policy AD11 Confidentiality of Student Records
Policy AD35 University Archives and Records Management
Policy AD53 Privacy Policy
Policy AD68 University Access
HRG20 Separation and Transfer Protocol
Access Coordinator Authorization Form
Facility Access Authorization Request Form
PROCEDURE STATUS
DATE APPROVED
03/25/2014
MOST RECENT CHANGES
January 20, 2023 - Editorial changes per the directive of the Associate Vice President for Finance:
Changed all references to the Office of Corporate Controller to the Office of Budget and Finance
Changed all references to the Corporate Controller to the Associate Vice President for Finance
Changed all references to the Vice President for Administration to the Senior Vice President and Chief of Staff
REVISION HISTORY
Revision 7 - Dated 03/19/14 (Revised per major changes to new Policy AD68 [formerly SY19], to reflect current operations)
Revision 6 - Dated 02/05/07 (Revised to reflect current operations, per major changes to Policy SY19)
Revision 5 - Dated 10/12/04
Revision 4 - Dated 01/04/90
Revision 3 - Dated 03/17/88
Revision 2 - Dated 08/06/86
Revision 1 - Dated 03/14/86
Original - Dated 11/21/85