Standard Number: 188.8.131.52.4
Category: Information Security
Owner: Information Technology Services
Effective: October 5, 2021
Revision History: None
Review Date: October 4, 2024
PURPOSE, SCOPE AND RESPONSIBILITIES
- Pursuant to the Access Control Standard and Protocols document maintained by the University Police Department, access to University Facilities is a privilege and is determined and assigned based on the specific needs and requirements of the University and the user. Physical security of University Facilities must be maintained to reduce potential loss, theft, damage, interruption, and unauthorized access.
- Physical access to University Facilities is granted via mechanical and electronic methods. The purpose of this Standard is to establish the rules that govern granting access to and removing access from University Facilities within the University Identification Card System (“CS Gold”). Additional procedures that identify the specific activities conducted by the University to grant and remove access to employees and students have also been developed and are addressed in the Procedures for Mountaineer Card Access System section of the Access Control Standard and Protocols.
- This Standard applies to all individuals granted access to University Facilities that utilize electronic locks as well as all Building Supervisors with the ability to grant/remove facility access within CS Gold. This document does not address access to University Facilities granted via Millennium Xtra on the Health Sciences Center Campus or the Galaxy card system utilized by WVU Medicine. Additionally, this document does not address access to University Information Systems, which is governed by the Access Management Standard.
- The Chief Information Officer, supported by the Executive Director for Enterprise Support, is responsible for implementation and enforcement of this Standard. Campus Application Administration (“CAA”) is responsible for administration of CS Gold as well as conducting annual account audits within CS Gold.
- Building Supervisors are responsible for activating/deactivating an individual’s access to the building they supervise. Building Supervisors are also responsible for conducting regular access audits and retaining a record of audits for three years.
- Pursuant to the University Identification Card Policy, University Identification Card Holders granted access to a University Facility are responsible for care and safekeeping of their University ID Card.
- Pursuant to the Access Control Standard and Protocols, the safety and security of the University’s community, physical space, and assets is a shared responsibility of all members of the University community.
Physical Access Management
- Physical access to a University Facility is granted one of two ways within CS Gold: Patron Groups and Direct Access.
- Patron Groups are the primary way to grant access to University Facilities to ensure uniform access for all employees and students.
- Patron Groups must have at least one defined owner/manager who is either the Building Supervisor or a Building Supervisor designee.
- Direct Access must only be used to grant immediate, short-term access to a University Facility (e.g., conference attendee).
- Direct Access accounts:
- May not be granted for more than 30 days; and,
- Must have an expiration date.
- Monthly, CAA conducts the following account audits of Direct Access and Patron Group accounts to ensure only Authorized Individuals are granted access to University Facilities via CS Gold:
- CAA automatically end dates Direct Access accounts within CS Gold that do not have an expiration date;
- CAA automatically end dates Direct Access accounts older than 30 days; and,
- CAA provides a report to Building Supervisors identifying employees with a termination date to remove from any Patron Group they manage.
- Annually, Building Supervisors must review the entire list of Authorized Individuals who have access to their building and verify that the individual requires continued access.
- Direct Access accounts established via automatic feeds from other University Information Systems into CS Gold may be granted for longer than 30 days.
- “Authorized Individual” means an individual the University deems to have equivalent status of an employee or student including, but not limited to, contractors, guest researchers, and individuals from another organization or University.
- “University Facility” means any facility and/or grounds owned or maintained by the University. These include but are not limited to: dining halls, University-owned or controlled buildings, library and athletic facilities, and any other facility so deemed by the University.
- “University Information System” means an information system or University-owned device that is on the campus network, requires Authentication, and is used to support the academic, administrative, research, and outreach activities of the University such as Office 365, Mix (Gmail), eCampus, STAR, and MAP.