Access Control Policy for University Facilities

Title: Access Control Policy for University Facilities
Effective Date: August 24, 2016
Revision Date: First Version
Responsible Office: Office of  Finance and Administration; Facilities Management

I.  Scope

This policy applies to the College of William & Mary (the university), excluding the Virginia Institute of Marine Science.  It applies to any person granted access to any university property and to all keys, cards and other devices that control access to university property.  

II.  Purpose

This policy supports the university’s efforts to maintain a safe and secure campus while providing necessary access to campus facilities.  The policy governs how mechanical keys are issued and tracked and how access is granted to cardholders.  It distinguishes the access procedures relating to academic and non-academic buildings, and access protocols for different members of the university community.  The policy also helps William & Mary comply with the Code of Virginia (18.2 – 503), which provides:

(a) No person shall knowingly possess any key to the lock of any building or other property owned by the Commonwealth of Virginia, or a department, division, agency or political subdivision thereof, without receiving permission from a person duly authorized to give such permission to possess such key.

(b) No person, without receiving permission from a person duly authorized to give such permission, shall knowingly duplicate, copy or make a facsimile of any key to a lock of a building or other property owned by the Commonwealth of Virginia, or a department, division, agency or political subdivision thereof.

Violation of this section shall constitute a Class 3 misdemeanor.

III.  Policy Statement

Facilities Management (FM), Information Technology (IT), Residence Life and the William & Mary Police Department (WMPD) seek to maintain a safe campus environment for students, faculty, staff and visitors.  These departments shall work collaboratively with members of the community to ensure that university access requirements for keys and electronic cards are met.  Unauthorized use of devices to gain entry to university property and/or failure of individuals to safeguard keys at all times will be addressed promptly.  

IV.  Definitions

Access Control - Control of entry and/or exit to an area by any means (mechanical or electronic).

Access Control Key - Any device used to gain entry and/or exit to a controlled system -- normally a mechanical key, card key, or fob.

Authorized Signatory – University employee empowered to authorize individual access, key issuance, and building lock/unlock schedules for buildings under his/her control. Each of the following positions is an “Authorized Signatory:”

  • Assistant Vice President
  • Associate Vice President
  • Dean
  • Department Chair
  • Department or Unit Head
  • President
  • Provost
  • Vice President                                                                                          
  • Vice Provost

Auxiliary Enterprises – Business units such as housing, dining, and parking that have responsibility for funding operation and maintenance of assigned facilities.

Departmental Access Coordinator - A university employee assigned by a unit administrator and/or Dean or Vice President who coordinates access to facilities within his/her area of responsibility.

Electronic Access Control - Access control using electronic or electromechanical devices to replace or supplement mechanical key access. Electronic access is administered through a computerized card access control system operated by FM and Residence Life and maintained by FM and IT.

Electronic Access Control Application Administrator - University FM employee who is responsible for operation of the electronic card access system and the entering and deletion of access control authorizations.

Electronic Access Software System Administrator - University IT employee who is responsible for maintenance of the electronic card access software.

University Facilities - All buildings owned, rented, leased by, or under the control of the university including residence halls, leased housing, and student activity buildings; all structures owned, rented, leased by, or under the control of the university such as parking garages, amphitheater, stadiums, tents, and trailers; and temporary contractor/subcontractor facilities, tents, and structures located on university property.

V.  Policy and Procedure

The university has two main types of access systems: mechanical keys and locks and electronic access.  Electronic access is a campus-wide card access system consisting of an access control database and server; access control hardware that is installed in individual buildings; and the William and Mary Identification (ID) Cards that are held by individual users.  The electronic access control system is centrally administered by FM with system rights granted to Residence Life for facilities under their purview.  Electronic access is provided by a person obtaining an ID card and that card being granted specific access rights.  This Section V describes the following aspects of the access systems: 

A. General Facility Access – Overview of Access Systems and Opening and Closing Hours

This Section A describes the hours of general access based on type of building/facility.  Section C specifies access typically granted and protocols for granting access to different types of members of the university community, as well as third parties.  There are also access protocols based on type of access – mechanical key versus electronic access, discussed in Section D and E, respectively.

1.  Academic, Administrative, and Auxiliary Buildings.  As a general rule, academic buildings are open Monday through Friday between the hours of 7 a.m. and 10 p.m., administrative buildings are open Monday through Friday between the hours of 7:30 a.m. and 5:30 p.m., and auxiliary buildings are open based on the function of the facility and services provided.   Authorized Signatories may request that FM adjust the hours of buildings controlled by the electronic access system to better suit a specific need, either on an ongoing or one-time basis.  For buildings that are used for events after normal building hours the request will be made to FM by the scheduling office or the organization sponsoring the event.  Daily unlocking and locking of exterior building doors that are not on the electronic access control system are the responsibility of the department(s) occupying the building.

2.  Residence Halls, Greek and Special Interest Housing.  University residence halls, fraternities and sororities are locked at all times and accessible only by access card or key. Any office or authorized individual requiring an exception to the above (e.g. service, construction, move-in, move-out) must get approval from the Director of Housing Operations, Residence Life in advance of the activity.

B.  Authority and Responsibility for Access; Authorized Signatories

1.  Administrative Authority and Responsibility. The FM Department is responsible for the overall administration of the university’s access control system in partnership with the IT Department.  The FM Department is responsible for managing and maintaining the mechanical keying system and for coordinating new and replacement systems.  The FM and IT Departments are jointly responsible for maintenance of the electronic access control system.
The FM Lock Shop is authorized to make and issue mechanical keys for the university’s master keyed systems. Unless specifically approved by the Director of FM Operations and Maintenance, keys manufactured or duplicated by a vendor or through any other source are prohibited.  The installation, changing, or removal of locks shall be performed only by the Lock Shop or by a vendor authorized by the Lock Shop.

The Director of Housing Operations, Residence Life, is responsible for managing the residence hall key and card key systems that ensure security of the residence halls. Residence Life is authorized to issue keys for facilities under its purview and to administer its internal departmental key control policy that restricts access of persons not employed by or otherwise legally affiliated with the university.

2.  Financial Responsibility.  Maintenance and repair of the access control system for Educational and General facilities are funded by FM.  Departments operating Auxiliary Enterprises are responsible for funding maintenance and repair of access control systems for their assigned facilities. Deans/Department Heads will be responsible for funding all costs associated with requests for additional or new keys and rekeying an area when security is compromised or becomes a concern because a key issued to faculty or staff is lost, stolen, or otherwise missing.  Unless other arrangements have been made, card key costs are the responsibility of the faculty or staff member to whom the card was issued.

3.  Authorized Signatories and Departmental Access Coordinators.  It is recommended that university Vice Presidents, Deans and Department/Unit Heads designate a Departmental Access Coordinator.  These coordinators will serve as the primary liaison with FM and Residence Life for access approved by Authorized Signatories and assist departmental staff in obtaining access to their workspaces.

An Authorized Signatory’s right to grant access is limited to his or her assigned areas of responsibility.  No Authorized Signatory will have the authority to grant access to himself/herself.  Authorization must be obtained from the next level of supervision; in the case of the President, the Provost serves as Authorized Signatory.  Authorized Signatory responsibility may not be delegated; staff may perform administrative actions but authorization must be signed by or sent from the Authorized Signatory.  In addition, the following types of facilities have special limitations on access: 

  • Access to occupied residence halls may only be authorized by the Director of Residence Life.
  • Access to mechanical, electrical, and utilities rooms and roofs, attics, crawlspaces and custodial closets may only be granted by Authorized Signatories within the FM Department. 
  • Access to controlled spaces like laboratories, storage, records, etc. may only be granted by Authorized Signatories responsible for those spaces. 
  • Access to IT rooms and closets may only be granted by Authorized Signatories within the IT Department.

C. Access Protocols for Students, Faculty & Staff, Vendors, and Other Types of Users

This Section C describes the type of access typically granted and protocols for granting access to different types of members of the university community, as well as third parties.  There are also access protocols and key holder responsibilities based on type of access – mechanical key versus electronic access, discussed in Section D and E, respectively.

1. Student Access.

Residential Buildings:  Residence Life manages student access card and key authorization and use for all residence halls. Students have 24 hour access to the residential building in which they currently reside.  Additionally, all undergraduate students have access from 7:30 a.m. to 12:30 a.m. to all undergraduate residence halls unless access is otherwise limited or restricted.  Access to fraternities and sororities is typically limited to residents and members.  All mechanical keys must be returned to Residence Life at the end of each academic year or summer session. Residence Life maintains records of issued access cards and keys.

Academic Buildings: General card access to academic buildings is granted to students as determined by the Provost.  If a department requires additional card access or keys for undergraduate or graduate students, a written request from the Authorized Signatory must be provided to the FM Department.  FM issues keys and activates card access directly to authorized students.  

2.  Faculty and Staff Access.  The FM Department manages keys and card access issued to faculty and staff that enable access to academic, administrative and unoccupied residential buildings when these buildings are locked. Faculty and staff requesting keys and/or card access must present to FM a memorandum signed by an Authorized Signatory or an email request from an Authorized Signatory. 

3.  Vendor Access.  Authorized vendors or contractors requiring access to university property should arrange for access through the appropriate department – typically, the department or unit issuing the contract with the vendor.  For electronic access, the responsible department may arrange affiliation through Request IT: https://www.wm.edu/offices/it/itrequests/index.php, card issuance through Tribe Card Services, and card access through FM Work Control.  As with university students, faculty, and staff, access must be approved by the appropriate Authorized Signatory and be arranged through FM or Residence Life.  FM vendors and contractors may check out keys from the Work Control office in the FM Building.  Unless other arrangements have been made, keys must be returned by the end of each working day.  The issuing department is responsible for all charges resulting from lost vendor keys.

4.  Camp and Conference Participants.  Conference Services, with support from Residence Life and FM, authorizes and manages the issuance of access cards and keys for camp and conference participants.  Access cards will be given unique numbers and once enabled for each camp by FM, will be issued directly to participants by Conference Services.  Mechanical keys will be issued to Conferences Services by Residence Life.  Access cards and keys will only be valid for the duration of the camp or conference.  Conference Services will notify Residence Life and FM if access cards or keys are lost.  All access cards and keys will be collected upon the completion of the camp or conference.

D.  Mechanical Keys

Authorized Signatories may request building keys for personnel to use in areas directly under their control.  When approved by an Authorized Signatory, FM will issue a key directly to the person responsible for its custody and use.  Master keys are typically only issued to individuals with responsibilities for access to whole buildings or departments.  Grand and great grand master keys are not typically issued to other than the Director of Residence Life, the Director of Housing Operations, Residence Life, or WMPD.  Annually, Authorized Signatories or their designees shall verify the physical existence of master, grand master, and great grand master keys that have been authorized.  Any missing key must be immediately reported to WMPD Dispatch and the Director, FM Operations and Maintenance.  Keys for Residence Life buildings will be issued by Residence Life to the employee who will control the key.  All master, grand master, and great grand master keys will have stamped on reference numbers applied by the FM Lock Shop.  Custody of all keys is to be recorded in a key management system.

1.  Return of Keys.  When keys are broken or are no longer required, the key holder shall return the key to the FM Lock Shop or Residence Life office, as applicable.  The FM Lock Shop shall document return of the key in the key management system and provide a receipt to the key holder.  Residence Life is authorized to manage residence hall keys in accordance with its internal policy.

2.  Destruction of Keys.  The FM Lock Shop is responsible for the destruction of keys in a manner that prevents duplication. Residence Life is authorized to destroy keys in accordance with its internal policy.

3.  Responsibilities of Key Holders.  All keys to university facilities remain the property of the university.  Individuals with custody of university keys are authorized to use them for access to their work areas.  Key holders are responsible for safeguarding keys at all times and for returning keys to FM when they are no longer needed.  Most faculty and staff will have keys only for those building(s) and personal spaces (e.g., offices) in which they work.  If additional keys are issued to an employee, the employee may not remove that key from campus.  Key holders are also responsible for reporting lost or stolen keys immediately to WMPD Dispatch and Director, FM Operations and Maintenance or Director of Housing Operations, Residence Life, as applicable.  The Authorized Signatory shall investigate the loss and take appropriate action.  Residence Life is authorized to manage keys in accordance with its internal policy.

E.  Electronic Access

The university’s campus-wide card access system consists of an access control database and server; access control hardware (card readers) installed in individual buildings; and the William & Mary Identification (ID) Cards that are held by individual users (such as students and employees).  The electronic access control system is centrally administered by FM with system rights granted to Residence Life for facilities under their purview.  Departments may be granted administrator rights in the electronic access control system when approved by the Provost or responsible Vice President.  When granted, administrator rights in the electronic access system will be limited to only those buildings for which a department has responsibility.  Unless approved as outlined in Section F below, electronic access installations will utilize the university’s access control system.  

The electronic system is operated by FM and jointly maintained by the FM and IT Departments.   All requests for repairs of card access hardware or requests to add access control to a door or building are made through FM Work Control.

Any department wanting to add access points to the electronic access control system must submit a request to the FM Work Control office.

1.  University ID Cards.  The university ID card is used as the card key for the electronic access system.  University ID cards are issued by Tribe Card Services. Replacements cards are issued by Tribe Card Services during normal working hours and WMPD Dispatch after hours. 

FM will activate individual card access to academic, administrative, and auxiliary buildings (or portions of a building) at the request of the appropriate Authorized Signatory.  The Director of Housing Operations, Residence Life is responsible for authorization and assignment of access to residence halls at the request of the appropriate Authorized Signatory.  Card activations are typically performed within three days, but emergency activations can be performed when required. 

2.  Responsibilities of Cardholders; Reporting Lost or Stolen Cards.  Cardholders are responsible for immediately reporting their card key loss via the tribecard.wm.edu website. If unable to access the website, they must immediately contact the Tribe Card Office during normal working hours, or the WMPD Dispatch Office outside normal working hours. These offices will immediately identify the individual’s card as lost in the access control system. Faculty and staff should also notify their supervisor or Departmental Access Coordinator as soon as possible. If the card was stolen, the individual is responsible for filing a report with WMPD as soon as possible and no later than the next working day.  WMPD has the after-hours capability of issuing a new card and disabling the lost card.

F.  Requests for Special Access Control Systems

Specific areas within the university warrant separate, more secure access control system(s). These areas fall under the High Risk or High Security categories (e.g. controlled substance storage rooms, areas where money is stored).   To obtain a separate, more secure access control system, an Authorized Signatory must request, with justification, to remove an area from the university’s master key system or the university’s electronic access control system. The requests will be submitted to FM for consideration by the Senior Vice President for Finance and Administration. 

If removal from the university system is approved, the Director, FM Operations and Maintenance and the Director, EHS (for fire safety) will make necessary changes to support the request.  The requesting department is responsible for:

  • Supplying keys (or a master key or keys) to all areas with the non-standard system to EHS (Fire Safety) for inclusion in the facility’s Knox Box.
  • Providing the WMPD with the names and phone numbers of at least two people who will be available for after-hours call-in if an emergency occurs. If the WMPD is unable to contact the designated personnel and the safety of the building or occupants require forced entry, the requesting department will be responsible for the cost of repairs. 
  • Coordinating access with the university’s electronic access control application administrator, if the system is an electronic system.
  • All costs associated with maintenance and repair of the non-standard system.

Unauthorized locks are prohibited on doors and if found will be removed, discarded and replaced by a standard university key system. Any damage or repair necessitated by the removal of unauthorized locks will be the responsibility of the department installing the non-standard locks.

VI.  Approval, Amendment, and Interpretation

This policy was approved by the Senior Vice President for Finance and Administration.  The FM Department interprets this policy, and is directed to review this policy and its implementation to ensure continued effectiveness no later than August 2019.

VII. Related Laws, Policies and Procedure

Code of Virginia 18.2-503