Administrative Policies

AD65 Electronic Security and Access Systems

Policy Status: 

Under Review

Policy Steward: 

Vice President for Administration

Contents:

PURPOSE:

To promulgate policies, practices, and protocols governing assessment of physical security needs, as well as the design, specification, installation, testing, acceptance, maintenance, and operation of electronic security systems within or around the campuses and facilities of The Pennsylvania State University.

SCOPE:

This policy applies to all facilities owned, leased and/or under the control of The Pennsylvania State University excluding Hershey Medical Center, the College of Medicine, and the Pennsylvania College of Technology.  In general, this does not apply to environmental and life-safety systems.

POLICY:

It is the policy of The Pennsylvania State University to preserve an open access environment for students, faculty, staff, and the general community while facilitating safety and security by establishing and maintaining standards for electronic security and access control. To that end, standards and procedures, as established by this policy, shall be implemented for all new construction or facility alterations, for access to electronic security information including surveillance and electronically stored information, and for all applicable safety and security enhancements. Integration with the central access control, alarm monitoring, and surveillance systems is mandatory for all installed electronic physical security technology. All access control systems installed shall be functionally compatible with the University ID card.

DEFINITIONS:

Access Control Systems: electronic systems that use a code, card, device or biological characteristic of an individual as the basis for determining authorization to enter or exit a facility, or an area within a facility.

Security Alarm Systems: all electronic systems installed for the purpose of monitoring, signaling, and reporting the condition (status) of interior/exterior spaces or objects.

Duress Alarm Systems:  all electronic devices installed to actuate and transmit a “silent” alarm signal to University Police and/or other designed police or security agency.  Duress alarm systems are installed in areas where the risk of personal confrontation is heightened because of the nature of the work unit’s business and/or other environmental factors.

Hold-up Alarm Systems: all electronic devices installed to actuate and transmit a “silent” alarm signal to University Police and/or other designated police or security agency.  Hold-up alarms are installed in areas where the risk of robbery is heightened because of the nature of the work unit’s business and/or environmental factors.

Certificate of Fitness:  certification substantiating the successful completion of training on the proper use of duress and hold-up alarm devices/systems in an individual's work area.  For more information, refer to the “Approval” section below.

A.C.E.S. (Access Controls and Electronic Security Programs): a unit within the University, whose mission is "to provide professional security services (including fire alarm protection) to The Pennsylvania State University community, consistent with the University’s mission, culture, and resources in order to facilitate a safe and secure campus environment.” For more information, refer to the "Responsibilities" section, below.

Video Surveillance Systems: any video security equipment installed for viewing and/or recording video images for facilitating deterrence, detection, documentation, and/or remote observation.

Security Assessment Team (S.A.T.): A unified effort jointly managed by A.C.E.S. and University Police, working closely with Risk Management and other University units, as warranted. The S.A.T. identifies potential vulnerabilities and recommends integrated technical and operational security solutions specific to the customer’s situational needs.  The S.A.T. will recommend security measures compliant with this policy, the University’s Strategic Security Plan (SSP), and security best practices.

A.C.A.M.S.:  Access controls, alarm monitoring, and surveillance.

DESCRIPTIONS OF ELECTRONIC SECURITY SYSTEMS:

All electronic security systems within the scope of this policy fall into three sub-system categories--access control, security alarms and video surveillance (A.C.A.M.S.). The published Electronic Security System Technical Guide specifications, which are referenced in this policy, define the mandatory architecture for each of these distinct systems to which all proposed systems must comply. The goal of this program is to develop and implement technically and operationally integrated security systems, enterprise-wide.  Wherever possible, proposed installations shall be integrated with other sub-systems or be consistent with their eventual integration.

ELECTRONIC SECURITY SYSTEM STANDARDS:

Electronic Security System Technical Guide Specifications

A.C.E.S., in conjunction with the Electronic Security Systems Committee and Office of Physical Plant Design and Construction, publishes and maintains standards and requirements for the application, design, installation and maintenance of electronic access controls, video surveillance, and security alarm systems. 

Five Categories of Security Standards

All University facilities shall be assigned to one or more of five categories.  The S.A.T., in conjunction with customers, Design and Construction, and Risk Management, shall determine the security category to be assigned to a facility or an area(s) within a facility.

Category I Security Standards:  Facility Perimeter

Applies to “University’s standard Educational and General Purpose buildings, with no unusual vulnerabilities noted.”

The following electronic security and access systems are required for this facility type:

  • Electronic access controls for ingress and egress
  • Video surveillance of primary ingress and egress
  • Perimeter alarm protection
    • Local alarm annunciator
    • Remote alarm annunciator
    • Facility staff response
    • Police response

Note: Only mechanical access measures (non-electronic) may be required for some facilities as defined by the S.A.T. (policy reference:  SY19).

Category II Security Standards:  Facility Perimeter and Selected Interior Spaces

Applies to “University’s facilities which have particularly sensitive information, other University special business or regulatory requirements, and/or high-value asset exposures.”

The following electronic security and access systems are required for this facility type:

  • Electronic access controls for ingress and egress
  • Video surveillance of primary ingress and egress
  • Perimeter alarm protection
    • Local alarm annunciator
    • Remote alarm annunciator
    • Facility staff response
    • Police response

Category II Security:  Possible Interior Security Measures

  • May include alarm protection of interior spaces
  • May include electronic access controls of selected interior spaces
  • May include surveillance of selected interior spaces
  • May include assistance phones
Category III Security Standards:  Private Residences, Hotels, and University Facilities Providing Sleeping Accommodations

Applies to “University’s facilities with private residences, hotels, and those with sleeping accommodations.”

The following electronic security and access systems are required for this facility type:

  • Electronic access controls for ingress and egress
  • Video surveillance of primary ingress and egress
  • Perimeter alarm protection
    • Local alarm annunciator
    • Remote alarm annunciator
    • Facility staff response
    • Police response
Category III Security:  Possible Interior Security Measures
  • May include alarm protection of interior spaces
  • May include electronic access controls of selected interior spaces
  • May include surveillance of selected interior spaces
  • May include assistance phones
Category IV Security Standards:  Security Sensitive Facilities/Areas

Applies to “University’s facilities which pose special (inherent) risks to facility users, the University community, and/or the general public due to the nature of their special events, research activities, materials stored/handled or other unique facility conditions which may exist.”

Category IV security standards include the electronic security and access systems required for Category I and II facilities (i.e., facility perimeter and interior space coverage), as well as:

  • electronic access controls of security-sensitive areas;
  • surveillance of primary security-sensitive ingress and egress.  (May include surveillance of interior security-sensitive areas);
  • alarm protection of interior security-sensitive spaces;
  • May include security sensitive area entry/exit screening performed by University or non-University personnel;
  • Other security measures as determined by the S.A.T., or as deemed necessary to comply with:  established rules, regulations, statutes, and/or accreditation requirements;
  • These standards shall undergo periodic security assessments performed by the S.A.T.
Category V Security Standards:  Exterior Common Areas

Applies to “University’s exterior common areas, traffic ways, and parking facilities used as travel pathways or gathering places.”

Based on a site-specific assessment by the S.A.T., there may be a need for:

  • Blue light assistance phones;
  • Video surveillance;
  • Protective lighting recommendations presented by University Committees;
  • Other security measures (such as bollards, berms, fencing, signage, etc.).

NOTE: All new construction or facility alterations, at a minimum, shall include the following:

  1. At least one public entrance door shall be access controlled with a card reader which utilizes the University ID card.
  2. All exterior doors used for ingress shall include electronic locking and unlocking capability.
  3. All exterior doors, exclusive of numbers 1 and 2 above shall require status monitoring (door/latch position) via the access system.
  4. Perimeter entrance doors equipped with card readers shall be monitored by video surveillance cameras for ingress/egress.

APPROVALS:

  • All work unit electronic access control systems, video surveillance systems, and security alarm systems must be in compliance with this policy, the Security Design Guide Specifications, and the Strategic Security Program.
  • All work unit physical security systems shall be evaluated, recommended, and implemented by A.C.E.S. and the S.A.T., working in conjunction with customers and other parties as warranted.
  • University units may request authorization to "live monitor" their video surveillance system or a portion of the system.  Requests shall be submitted for review and approval/disapproval by the S.A.T. and the University’s Chief Privacy Officer. 
    • EXCEPTION: Security sensitive facilities (Category IV Security Standards) shall be an exception to this requirement. Because of the nature of their security needs, Category IV customers may have the option to "live monitor" their individual surveillance systems without requesting authorization.
  • University units may request authorization to install cameras in non-public areas within their work units.  Requests shall be submitted for review and approval/disapproval by the S.A.T. and the University’s Chief Privacy Officer.
  • Duress and/or hold-up alarms - All University units desiring to install (silent) duress and/or hold-up alarms must:
     
    1. Submit a written request to the University S.A.T., detailing the reason for the request.
    2. The S.A.T., in conjunction with the customer and Risk Management, shall review each request on a case-by-case basis, and shall approve or disapprove the request.
    3. If approval is granted, the S.A.T. shall specify the location and type of duress and/or hold-up alarm devices to be installed.If disapproved, the S.A.T. will provide a written explanation to the University unit on why their request was denied.
    4. Prior to activating the alarm system, and periodically thereafter, all employees working within the area where the alarm system is being installed will be required to receive training on the proper use of the devices by University Police or other responding police or security agency. Successful completion of the training shall result in a “Certificate of Fitness” being issued to each individual employee.
    5. University units already possessing duress and/or hold-up alarm systems must also comply with these “Certificate of Fitness” requirements.

RESPONSIBILITIES:

Fiscal Responsibility:

Fiscal responsibility is detailed in the Strategic Security Plan (SSP) and is administered through the Strategic Security Program and related policies established by the Electronic Security Systems Committee, the S.A.T., and the A.C.E.S. group as approved by the Senior Vice President for Finance and Business.

A.C.E.S. (Access Controls & Electronic Security Programs)

  • Primary responsibility for implementing and managing the Strategic Security Plan (SSP) and this policy, University-wide. 
  • Manages day-to-day security operational needs and provides the leadership for the long-term implementation, support, and success of the SSP University-wide.
  • Maintains and chairs the Electronic Security Systems Committee. The Electronic Security Systems Committee shall include representation from University Police, the Office of Physical Plant, ITS, and Auxiliary and Business Services. Additional committee members may be appointed as deemed appropriate by the permanent committee.
  • Reviews and approves all proposed electronic security systems falling under the provisions of this policy.
  • Ensures ongoing operation and maintenance of installed systems and makes recommendations regarding long-term replacement.
  • Establishes and maintains Design and Construction Standards for electronic security systems.
  • Co-manages the S.A.T. with University Police.

University Police:

  • Works with Environmental Health & Safety and A.C.E.S. to address safety considerations.
  • Co-manages the S.A.T. with A.C.E.S.
  • Utilizes security technologies in support of police operations.
  • Manages and operates a central alarm monitoring station in conjunction with A.C.E.S.
  • Works with customers to establish appropriate response procedures.
  • Serves as co-chair of the Electronic Security Systems Committee.

Environmental Health and Safety:

  • Works with University Police and A.C.E.S. to address safety considerations.

Budget Executives:

  • Responsible for employee compliance with University policy and seeing that all security technology installed is being properly utilized within their work unit.
  • Responsible for providing appropriate funding to properly install, operate, and maintain A.C.A.M.S. technology according to fiscal responsibilities assigned in this policy.
  • Ensure and document that all persons employed where alarm devices are in place hold a Certificate of Fitness, where required by policy.

Security Assessment Team:

  • Conducts an in-depth security assessment of the customer’s facilities while working within the framework of the Strategic Security Plan and existing security/police best practices as well as other recognized guidelines and standards.
  • Provides recommendations to the appropriate work unit head and Risk Management.

Electronic Security Systems Committee:

  • Develop a University-wide strategy for the application of electronic security technology.
  • Establish minimum standards for the purchase, installation, operation, and maintenance of electronic security systems.
  • The manager of A.C.E.S. shall be the point of contact for the University regarding committee matters.

Design and Construction:

  • Ensures compliance with Design and Construction Standards and incorporates provisions of the Strategic Security Plan under the auspices of this policy on all new construction and major renovations.  This is based upon a comprehensive S.A.T. review in conjunction with project management and customers.

ARCHIVING OF ELECTRONIC SECURITY SYSTEM INFORMATION:

Electronic security system data shall be archived consistent with the operational needs and technical resources of the University.  In any event, for new installations, access control and security alarm information shall be maintained for a minimum of six (6) months.  Video surveillance information shall be maintained for a minimum of thirty (30) days.

Security sensitive facilities may store electronic security system information for one (1) year or longer depending upon site-specific requirements.  For any facility desiring to archive and retain electronic security system information for greater than one (1) year shall submit a written proposal to the S.A.T. and the University’s Chief Privacy Officer detailing the proposed archiving and retention procedures, as well as the circumstances warranting such extended retention periods.

ACCESS TO ELECTRONIC SECURITY SYSTEM INFORMATION

Access by University units and individuals to information gathered, processed, and archived through electronic security systems shall occur only under the following conditions:

Conditions for Access
Entity Access Purpose
University Police Authorized personnel only Review, investigation, investigation support
A.C.E.S. Authorized personnel only

Review, investigation
support

Risk Management Authorized personnel only Review, investigation support
Chief Privacy Officer Authorized personnel only Review, investigation support
Human Resources Must request through University Police Review, investigation, investigation support
Police/Law Enforcement Agency (external to University Police) Must request through University Police or Court Order Review, investigation, investigation support
Individuals in Category IV Security Standard Facilities Authorized personnel only Review
Any individual Must request through University Police or Court Order Review

POLICY REVIEW:

This policy shall be reviewed on an as-needed basis, but in any event, at least every five (5) years.  The policy steward and the Electronic Security Systems Committee shall be responsible for completing the review of this policy.

FURTHER INFORMATION:

For questions, additional detail, or to request changes to this policy, please contact University Police & Public Safety.

CROSS REFERENCES:

Other policies and procedures may also be referenced, especially the following:

AD20 - Computer and Network Security

AD23 - Use of Institutional Data

AD24 - Identification Cards for Faculty/Staff, Students, and Affiliates

AD35 - University Archives and Records Management

AD53 - Privacy Statement

AD57 - General Regulations on Use of University Property

AD68 - University Access Policy (formerly University Key Policy)

Procedure SY2001, University Access: Clearance Keys and Access Devices; Authorization, Issue and Fees

Effective Date: March 30, 2010
Date Approved: March 29, 2010
Date Published: March 30, 2010 (Editorial changes, January 29, 2014)

Most recent changes:

  • January 29, 2014 - Editorial change in ACCESS TO ELECTRONIC SECURITY SYSTEM INFORMATION to reflect reorganization of Risk Management and Privacy Office as separate offices. Additionally, policy steward information has been added, in the event that there are questions or requests for changes to the policy.

Revision History (and effective dates):

  • March 30, 2010 - Major re-write of the entire policy, to reflect updates and improvements to the policies, practices, protocols and best practices as they relate to electronic security and access systems at Penn State University facilities. Likewise, it has also been renamed as an ADMINISTRATIVE policy because of its newly-expanded format and content.
  • October 6, 2003 - New Policy (SY33).