Definitions:

Electronic Access Device Coordinator - the employee in the Unit assigned the responsibility for coordinating electronic access device requirements and permissions within the Unit. This is a functional description, not a position title.

Access Control System - refers to an electronic/electro-mechanical locking system that consists of hardware and software. Access privileges are controlled via software, and door release/lock mechanisms are activated by the system based on an electronic access device and associated access privileges.

Access Group - a door grouping assigned to departments in the key and electronic access systems. Once a user is added to an Access Group, they will have access to all the doors within that group.

Appropriate Authority - The Appropriate Authority on each campus refers to the designated position or entity responsible for overseeing access control and management within their respective campus.

Facilities Maintenance Unit - refers to the Unit(s) at each campus responsible for the management of facilities and capital work.

Change Key - a key that operates a single door or multiple doors in a building.

Electronic Access Devices - includes programmed cards, key fobs, and any other electronic devices that are programmed to disengage an electronic locking mechanism, thereby permitting access to a building or interior area that is otherwise locked.

Electronic Locking Mechanism - refers to a programmable locking device that requires power to operate (wired or battery), is activated by an electronic access device with a magnetic stripe or proximity chip and may have a key override.

Grand Master Key - a key that operates all door locks within the University campus, with each individual door lock having its own individual change key.

High Risk (Restricted): This level of security is the most sensitive. Additional safeguards, such as background checks, may be required before being provided access to Restricted.

Intrusion Alarm System: uses motion sensors, door/window contacts, and other devices to detect an unauthorized entry into an alarmed area. The area is armed and disarmed with a code on a keypad device assigned to the room or building. It sends a signal to assigned security services when one occurs.

Key - a device inserted into a lock that allows the lock to be disengaged mechanically, thereby permitting access.

Key Coordinator – the employee in a Unit assigned the responsibility for key control, requisitioning, distribution, retrieval, and recordkeeping within the Unit. This is a functional description, not a position title.

Key Holder – someone with a key or Electronic Access Device.

Locking System – is any mechanical or electrical system that secures a door. The door can be locked or unlocked with a key or Electronic Access device.

Low Risk (Non-Restricted): Areas that do not have risks identified with access to the space as outlined on the access Risk Matrix. These areas still require authorization from the Departmental Authority to gain electronic access or to request keys.

Master Key - a key that operates all door locks within a building, with each individual door lock in that building having its own individual change key.

Risk Matrix - defines the criteria for the risk's likelihood and severity, from insignificant to severe. It is also color-coded to show the priority of each of the risks charted on the Matrix.

Risk Register – is used to document risks identified using the Risk Matrix. The access register details all room categories for the Unit, description of the risk, inherent risk factors, the risk rating, the controls required, and the residual risk rating. This is used to assess the risk of access to different spaces and place controls on the space to reduce the risk.

Submaster Key - a key that operates all door locks within a department within a building, with each individual door lock in that building having its own individual change key.

Roles and Responsibilities:

General

• The Appropriate Authority on each campus shall ensure that the Unit responsible for facilities and maintenance for the campus will be responsible for all physical installations of locking and access control measures in University buildings that restrict access to locked space. This includes, but is not limited to, doors, frames, locks, Keys, door and frame hardware, electrical and fiber optic cabling, and access control hardware and devices (e.g., proximity reader, electronic strike, door contacts/magnets, electronic latches, power transfer hinge, motion sensor, etc.)
• The Appropriate Authority on each campus shall ensure that the Unit responsible for facilities maintenance is solely responsible for installations, repairs, or modifications to locks and associated hardware. Only those authorized by the University may install, repair, or replace any portion of an Access Control System.
• The Unit responsible for facilities maintenance shall be responsible for central Key production, issue, control of Master Keys, and distribution of regular/change Keys and Master Key rings to the Units. They shall keep up-to-date records of the following:
  1. Master Key (MK) and/or Submaster (SM) Key holders across the University;
  2. Mater Key rings;
  3. Keys manufactured for and given to the Units to control.
• The Appropriate Authority on each campus shall ensure that a common template for managing Key control processes is implemented by every Unit.
• Space is allocated and assigned to Units according to the Space Policy.
• The Appropriate Authority on each campus shall maintain a current record of each Departmental Authority and the person responsible for electronic access control (Electronic Access Device Coordinator) and Key control (Key Coordinator) in each Unit.
• The Appropriate Authority on each campus, in partnership with the OCRO, shall monitor the issuing of Master Keys and shall, from time to time, undertake an audit of all Master Key types.

Office of the Chief Risk Officer

• Establish and maintain University-wide policy, procedure, standards, and guidelines and oversight of access control and related security system measures;
• Provide advice and recommendations to departments regarding the development and maintenance of Access Control Systems and measures for their respective areas.
• Provide adequate communication and resources to all Departmental Authorities for the purpose of collecting information for Electronic Access Device distribution;
• Provide unit reports to designated authorities for departmental auditing of the Access Control Program, where applicable.
• The OCRO is responsible for conducting audits to ensure compliance with the policy and procedure.

Unit Responsibility

• Responsibility and accountability for identifying and controlling interior building spaces and recommending access to those spaces rests with the Unit.
• The Unit shall undertake this control in compliance with standards and procedures established by the OCRO.
• Each Unit shall name a Departmental Authority responsible for access management and Key control within their Unit. This person will have the authority to request changes to locks, decide who gets access, and ensure that the Electronic Access Device Coordinator and Key Coordinator functions are assigned.
• Ensuring controls are in place for high-risk spaces as outlined in the University access control Risk Register.
• The Unit shall ensure that the exit process for employees leaving the University is followed and that all Keys for employees who are no longer employees shall be returned and electronic access is revoked.
• A Unit seeking an electronic or other Access Control System to replace a mechanical lock system shall request their campus facilities maintenance Unit.
• Report lost or stolen Keys and Electronic Access Devices within their Unit using the online for reporting.
• In conjunction with the Departmental Authority, the space owner is responsible for auditing the Access Control Program for their areas and departments each semester.
• Units that sponsor contractors, visitors, and guests shall make all arrangements for access with the department(s) responsible for the space.

Housing Services

• Housing Services for each campus is responsible for managing, issuing, and maintaining all Keys and Electronic Access Device requests to residence buildings and student housing on each campus of the University.

Key/Electronic Device Holder

• People who have been issued with an Electronic Access Device/Key are authorized to use it to gain access only to the areas and facilities necessary for the performance of their work/studies.
• Electronic Access Devices/Keys are only used by the person to whom they were issued.
• People who have been issued with a University Electronic Access Device/Key accept responsibility for the following:
  1. appropriate and legitimate use; and
  2. safe keeping.
• Electronic Access Devices/Keys that are no longer required (e.g., when a person changes location within a Unit or is no longer employed at the University) must be returned by the holder to their Unit or line manager.
• Master Keys must be kept in person and not in offices unless held in a suitable key safe or approved Electronic Access Device/Key issuing system.
• Lost, stolen, damaged, or found Electronic Access Devices/Keys must be reported immediately to the department/Unit/University.

Procedure:

Access Structure

• Each campus shall maintain business hours to identify when they are open to the University community. Buildings will be locked and unlocked during these times.
• Perimeter doors to major buildings are preferably fitted with electronic access, with a manual Master Key override system to primary perimeter doors.
• Access control guidelines must address the needs of faculty, staff, and students, including persons with disabilities.
• Various areas or spaces on campus are deemed “High Risk” areas and have restricted access for general staff, students, and maintenance staff because of the health and safety risks that these areas pose or because they house valuable equipment.

Typical High-Risk areas include:

• Student and on-campus housing;
• labs with biological, radiological, and chemical hazards;
• roof access and panels through external walls;
• ITS data centers and data rooms;
• central utilities (mechanical, electrical, and boiler rooms);
• substations;
• rooms that house valuable/lucrative assets; and
• confined space zones.

• The framework for controlling and authorizing the issuance of Keys and Electronic Access Devices is presented in the chart below:

• Building entrance Keys (for buildings without an Electronic Access System) and Electronic Access Devices with after-hours authorization will be issued only to people with a demonstrated need for after-hours access to a building. This could include critical research or access to services that require 24/7 oversight.
• The University’s keying is established under a registered key system managed by the facilities and maintenance Unit for the campus.
• Independent keying outside of the Master Key structure is not permitted.
• Lessees of University spaces are not to change University Key or access system infrastructure unless authorized by the University.

Intrusion Alarm System

• Access control systems are not Intrusion Alarm Systems. Units requiring specialized alarm response/monitoring for secure facilities should install an Intrusion Alarm System with the Access Control System if required.
• This service should be requested through the facilities maintenance Unit assigned to your campus to ensure it is assessed using a physical security assessment and integrated with University infrastructure.

Request for Access /Key

• Employees and students requiring access to buildings shall be granted access only based on need due to their conditions of employment, program of study, or extra-curricular club or association. Any access request must be from a designated Departmental Authority.
• Students living in residence are given standard building access to their associated residence building and interior access to the bed space they have been assigned.
• Electronic Access Control for students will expire at the end of each semester unless otherwise informed by the designated authority.
• Any employee or student's access to a restricted space must meet all control measures and training requirements before access is approved.
• Employees on an employment term contract should only have access to the building for the term of employment, and access should expire once the term has ended and Keys returned to their Unit.

Request for Access - External Contractors, Visitors and Affiliated Organizations

• If an individual is not an employee or student of Memorial and requires building access, the department responsible for the individual must request a means of access for that individual.
• Expiry dates are required for all access requested for visitors, contractors, and affiliates.
• Building Access and Interior access for residence buildings will be managed by Student Housing and Conference and Event Services.

Revoking Access

1. The University is authorized, on the direction received from the Unit or for a due cause to revoke/deactivate, at any given time, building access or interior access to University-managed facilities for any Key or Electronic Access Device holder.
2. At the University's discretion, building and interior access may be revoked/deactivated due to changes in the department, faculty, individual business needs, or misuse of an Electronic Access Device.

Key and electronic access should be removed upon:

• Termination, resignation, or retirement;
• Completion of a fixed term of employment or contract;
• Completion of studies and research;
• Upon notification of a death; or
• Upon contravention of this procedure.

Misuse of Key or Electronic Access Device

Once issued, Electronic Access Devices/Keys are not transferrable. The individual to whom the Electronic Access Devices/Keys were issued is responsible for their security.

Misuse of an Electronic Access Device or Key can include but will not be limited to:

• Unauthorized propping open of locked doors;
• Purposely causing doors or locks to become inoperable;
• Transferring or loaning Electronic Access Devices to other individuals;
• Attempting to duplicate Electronic Access Devices or Keys;
• Unlocking doors for unauthorized individuals, except police, fire, or other public safety personnel, during an emergency.

Lost or Stolen Keys and Electronic Access Device

When an Electronic Access Device is lost or stolen, it is the responsibility of all individuals who have knowledge of the incident, whether it is the device holder or report the access device missing.

• A lost or stolen Key or Electronic Access Device must be reported to the Unit, or the local security Unit for the campus and documented. In the absence of building security, the loss must be reported to the Unit.
• The University shall normally reissue a lost, stolen, damaged, or nonfunctioning Key after the identity of the holder has been validated and a request has been submitted.
• The OCRO shall decide if Key replacement or lock/cylinder change is required. The University and the OCRO shall together determine appropriate action should any type of Master or Submaster Key be lost or stolen. If replacement is required, the expense is the Unit’s responsibility.
• The OCRO will immediately disable all building access programmed on Electronic Access Devices that have been reported lost or stolen.

Repairs and Changes to Physical Access Control Systems, Keys and Door Hardware

• Routine maintenance of locks and lock cores is the responsibility of the University. These services are provided without charge.
• Specific or specialized security needs are met by providing alarm devices, electronic access locks, and other advanced locking devices. These categories of services will be charged to the user department.
• In exceptional cases such as space relocation, renovation, or construction, capital/project accounts will be charged for locks installed, removed, or rekeyed as part of capital or departmentally-funded alterations projects.
• Upgrades required due to lost or stolen Keys or a department’s failure to maintain adequate key control will be charged to the department.
• Requests to replace Keys shall be directed to the Departmental Authority of the Unit.
• Any level of Master Key that is broken or damaged must be reported to Campus Enforcement and Patrol (CEP) and shall be replaced by Campus. The University is under existing approval processes for the level of Key upon written request by the Departmental Authority. All damaged or broken Keys must be returned to the University before the new Master Key is issued.

Device Return -  Keys and Electronic Access Devices

• The Unit shall ensure that the exit process for employees leaving the University is followed and that all Keys for employees who are no longer employees shall be returned and electronic access revoked.
• All students, staff, and visitors to the University are permitted to keep their campus cards as they are often used for other purposes in addition to building access. If the employee or student status changes, a new card is required. All other Electronic Access Devices shall be returned.
• All Electronic Access Devices should be deactivated, have an expiry date, or have the access level removed once the access is no longer needed. It is the Unit’s responsibility to ensure that all access in their department is managed properly each semester when they are no longer required.
• All Keys must be returned to the University and will not be reissued within the department unless a Key transfer request has been submitted to the facilities maintenance Unit.
• Unidentified Keys should be returned to the Unit for identification and/or destruction by the facilities maintenance Unit.

Assurance

Departmental/Unit Audits

• Reports will be sent to Departmental Authorities at the end of every semester of their Electronic Access Device holders and annually of their key listings. It is the department's responsibility to ensure that all electronic access is up to date at the end of each semester, their key lists are updated annually, and records are maintained.
• Keys that are lost or not returned to the University must be reported to the Appropriate Authority.

Audit of Program

• The OCRO may conduct access audits for compliance purposes, as necessary. All authorized approvers must comply with periodic or random audits. Audit reports shall be generated and shared promptly with relevant stakeholders to track and address any non- compliance issues.
• The Access Control Procedure shall be reviewed at least annually and updated as needed to reflect changes in standards and operations and the evolving security landscape of the University.

ANNEX A - Risk Matrix