Facility Security Policy

Transcription

1 1. PURPOSE 1.1 The New Brunswick Institute for Research, Data and Training (NB-IRDT) is located in the University of New Brunswick. It consists of: (i) employee offices in Singer Hall and Keirstead Hall, and (ii) a Secure Facility that houses the NB-IRDT data resources and equipment located within Keirstead Hall. 1.2 The Secure Facility consists of three areas: (i) laboratory area with a series of workstations for researchers (lab); (ii) office with computers; and (iii) the Database Administrator s office containing computers and the servers (contained in a steel cage). A locked fireproof safe, which contains CDs of data is also housed in the Database Administrator s office. 1.3 The purpose of this policy is to describe the security protocol regarding entry into the Secure Facility. 2. SCOPE 2.1 This policy applies to NB-IRDT employees, approved users, visitors, UNB security personnel, cleaning and other service personal and all other persons with respect to accessing the Secure Facility. 3. DEFINITIONS 3.1 Approved Users: Individuals who have been issued an access code and a swipe card following the approval of access according to relevant procedures, including police background checks. Approved users may include students and trainees, researchers and other approved users of NB-IRDT such as government officers. 3.2 Employees: All full-time and part-time persons currently earning wages or salary from NB- IRDT (including the Director). 3.3 Secure Facility: The physical infrastructure housing the NB-IRDT data resources and equipment for accessing resources, located within units 316, 317 and 317-A Keirstead Hall, 38 Dineen Drive, on the University of New Brunswick campus. This building and external areas including the hallway are under University of New Brunswick security surveillance. 3.4 Security Personnel: Members of the UNB campus security team. 3.5 Service Personnel: Cleaning, maintenance or other servicing personnel who are either employees of UNB or contracted through UNB who require occasional access to carry out custodial or maintenance duties. 3.6 Visitor: Persons requesting access to the Secure Facility who are not NB-IRDT employees, service or security personnel, or approved users are deemed visitors regardless of the reason for their access. Approved by Vice President, Research, UNB: June 2017 Page 1 of 5

2 4. POLICY STATEMENTS 4.1 Access to the workstations, staff computers, server and the safe containing the CDs/flash drives of data is protected by multiple levels of security as described in the Table below: Physical Safeguards Protecting Access to Secure Facility Security Feature Type of Access Who has access* Main Door: Security Alarm Code Database Administrator Door Deadbolt Key ( Do not copy key) Database Administrator Door Keypad Entry System Code (PIN) Database Administrator NB-IRDT Staff (working hours) Approved Users (working hours) Electronic ID card access swipe pad Card Database Administrator NB-IRDT Staff (working hours) Approved Users (working hours) Office: Door Lock Key Database Administrator Database Administrator Office: Door lock Key Database Administrator Safe Combination Administrative Officer s assigned backup Safe Key Database Administrator Assigned Data Analyst backup Server Cage Key Database Administrator * UNB Security has access to all security features Approved by Vice President, Research, UNB: June 2017 Page 2 of 5

3 4.2 NB-IRDT employees and approved users must use their assigned key code and swipe card for each and every entry to the Secure Facility and must not share with or loan to anyone else. 4.3 NB-IRDT employees and approved users can only access the Secure Facility when the alarm is disabled and the deadbolt opened. 4.4 Cleaning, maintenance and any other services will only occur during regular business hours and when an NB-IRDT employee is present. Service personnel must have appropriate photo identification. 4.5 Access to the office and Database Administrator s office is only permitted when explicit permission is given and the person is accompanied by an NB-IRDT employee. 4.6 Approved users are limited to accessing the Secure Facility only during regular opening hours when an NB-IRDT full-time employee is physically present in the Secure Facility. 4.7 Approved users are not permitted to answer the door, regardless of identity of person. 4.8 Employees or approved users are not permitted to bring guests or visitors with them when accessing the Secure Facility unless they obtain approval in accordance with the process outlined in section 5.2 below. 4.9 Security personnel have authority to access the Secure Facility anytime throughout the day or night when called for emergency or when there is suspicion of unauthorized activity At the end of the day, the Database Administrator and/or employees follow a close-out checklist to ensure that: all workstations are shut down, all internal doors are locked, the safe and the server are locked, the main door deadbolt is locked, and the alarm is engaged. 5. PROCEDURES 5.1 Access by Employees and Approved Users Upon notification of a new employee or approved user, the Database Administrator will enter the approved start and end dates governing access in the access card system and give the individual an electronic swipe card. The individual is also assigned a 6 digit unique code for the keypad. This code cannot be changed without the assistance of the Database Administrator Upon notification that an individual has lost their swipe card, the Database Administrator will disable the access associated with the card Upon termination of an employee or an approved user, the Database Administrator will deactivate the access card and keypad PIN (if this occurs before the scheduled automated deactivation time). Approved by Vice President, Research, UNB: June 2017 Page 3 of 5

4 5.2 Access by Visitors All visitors MUST apply for access to the Secure Facility by submitting the Visitor Access Form to NB-IRDT. The Visitor Access Form must be completed prior to entry and can be submitted by , or other electronic means or in person at the NB- IRDT Administration Office. The Visitor Access Form must clearly indicate: the purpose of the visit, the employee who will be supervising their visit (visit coordinator), and the requested date and time of the visit The supervising employee will review the requirements and restrictions contained in this policy and the NB-IRDT Mobile Device Policy with the visitor before access occurs On the day of the visit, the visitor will first go to the NB-IRDT Administration Office and present one piece of photo identification to the Administrative Officer (or delegate). The Administrative Officer (or delegate) will contact the supervising employee and then escort the visitor to the Secure Facility The visitor will sign the Access Log Book and indicate the date and time of the entry The visitor will restrict their visit to the purpose described in Visitor Access Form and remain in the company of the supervising employee at all times Upon exit, the visitor will indicate the time in the Access Log Book. 5.3 Entry by Service Personnel Service personnel will arrange a time with the NB-IRDT Administration Office prior to arriving on site. A member of the NB-IRDT administration will await the service person in the hall outside the Secure Facility. Upon presenting appropriate photo identification the NB-IRDT employee will permit entry into the secure area An NB-IRDT employee will inform the personnel of the NB-IRDT Mobile Device Policy and will remain present in the secure facility while the services are being provided The service personnel will sign the Access Log Book and indicate the date and time of the entry and the purpose of visit The service personnel will restrict their visit to the original purpose indicated and be supervised by an employee Upon exit, the service personnel will indicate the time in the Access Log Book. Approved by Vice President, Research, UNB: June 2017 Page 4 of 5

5 6. ACCOUNTABILITY 6.1 The Administrative Officer is responsible to ensure that only the approved NB-IRDT employees obtain office keys. The Database Administrator is responsible to ensure that only NB-IRDT employees and approved users obtain electronic key cards and keypad codes. 6.2 NB-IRDT employees and approved users are accountable for the proper use and protection of any keys, key cards and keypad codes used at the Secure Facility or any of its offices. Employees and approved users are responsible to immediately report the loss or theft of keys or electronic swipe cards to the Database Administrator. 6.3 Supervising employees are responsible to ensure that: any visitors have been approved to visit, relevant policies have been explained, identification has been checked, Access Log Book entries are completed, mobile devices are not used, and that they remain in the area while the visitor is present. 6.4 NB-IRDT employees are responsible to check identification, remain in the area while service personnel are present and report to the Privacy Officer any attempted or actual breaches of this policy. 6.5 Visitors and service personnel are responsible for compliance with the applicable sections of this policy. 6.6 The Database Administrator is responsible to report any security breaches (actual or attempted) to the and/or Privacy Officer. 6.7 The Director or Privacy Officer is responsible to report any security breaches to the UNB Security Department. 7. MONITORING, AUDITING & REPORTING 7.1 The Database Administrator will regularly monitor the activities of approved users while in the Secure Facility. 7.2 On a weekly basis, the Database Administrator will review the electronic access control system log to review all access to the Secure Facility. 7.3 The Database Administrator will provide monthly reports to the Director with the numbers of individuals who accessed the Secure Facility. 7.4 All visits to the Secure Facility are recorded and Visitor Access Forms are retained by the Administrative Staff in accordance with the appropriate record retention schedules. Visitor Access Forms are also scanned and ed to UNB s Vice President (Research). 7.5 The Access Log Book is kept at the Secure Facility and retained in accordance with the appropriate record retention schedules. 7.6 The Privacy Officer will conduct random audits to compare the Visitor Access Forms with the Access Log Book to ensure: (i) compliance with the requirement for prior approval and (ii) that the proper information has been written in the Access Log Book. Approved by Vice President, Research, UNB: June 2017 Page 5 of 5