SECTION 226: Card Access and Enhanced Security for University Areas
I. Implementation and Role of the University Safety and Security Committee
- Implementation Plan Goal
The installation of electronic security card access and implementation of enhanced security measures and protocols is intended to mitigate the appropriate and highest risk areas of the campus related to health, safety, and security. Criteria for determining levels of risk and determining those instances where the installation of card access is necessary have been developed for the exterior of campus buildings including the farms areas. Similarly, criteria has also been developed for the interior of campus buildings including the following areas: research and research support; technology server rooms; rooms necessary for the major systems operations of buildings; and other areas that may be categorized as sensitive due to the nature of the information, activity, or equipment stored. These criteria guide decision-making with regard to implementing card access or enhanced security measures and/or protocols on the campus.
- Role of the University Safety and Security Committee:
The mission of the University Safety and Security Committee is to:
- Serve as a repository for tracking facility related safety and security issues,
- Provide collective consultation and advice on safety and security matters,
- Review, prioritize, and facilitate execution of projects based on potential risk factors.
As a part of this role, the Committee will also review and recommend priorities for the installation of security card access within available financial resources. Priorities will be determined based on the criteria outlined for both exterior and interior spaces as well as individual risk assessments that may be conducted for a more in-depth analysis of a given area or space (See ‘Card Access and Enhanced Security Checklist’). In those instances where a judgment is required between competing priorities, the Safety and Security Committee will review the issues and recommend a course of action. Periodically, the group will also review and update the criteria used to guide the setting of priorities for the installation of security card access.
II. New Construction (Buildings & Additions) and Major Renovations
- Installation and Installation Costs
MSU construction standards state that all new construction (buildings and additions) and major renovations will include electronic security card access at the exterior entrances of the facility. Further, and dependent on the space program, interior security card access may be required if the room use falls within the all-campus criteria that indicates such an installation is necessary (See ‘Card Access and Enhanced Security Checklist’ ). For all other interior spaces, the building user may request the installation of electronic card access. In either case (required or elected) the cost of the installation will be planned as a component of the total project cost and included in the funding plan.
- On-Going Operating Costs
The source of funds used to cover on-going operating costs will vary depending on whether or not the costs are related to exterior versus interior spaces. Exterior card access operating costs will be covered centrally and requested by the Department of Police and Public Safety as part of the funding requests made through the annual budget planning and development process. Inasmuch as interior card access is driven by the user and the selected use of space, operating costs for the interior of facilities will generally be assumed by the unit and budgeted through the annual unit budget development process.
III. Existing Space:
- Installation and Installation Costs:
The installation of exterior and interior electronic security card access for existing facilities will be based on the all-campus criteria that may require this level of security (See ‘Card Access and Enhanced Security Checklist’).
Costs for installation of exterior card access will be covered centrally. Costs for the installation of interior card access can be shared with the central campus if the installation is determined to be necessary by the all-campus criteria. Cost sharing requests are made by the unit through the annual Alterations and Improvements request process and will be reviewed by the University Safety and Security Committee.
- On-going Operating Costs
The source of funds used to cover on-going operating costs will vary depending on whether or not the costs are related to exterior versus interior spaces. Exterior card access operating costs will be covered centrally and requested by the Department of Police and Public Safety as part of the funding requests made through the annual budget planning and development process. Inasmuch as interior card access is driven by the user and the selected use of space, operating costs for the interior of facilities will generally be assumed by the unit and budgeted through the unit annual budget development process.
- Space Moves/Relocations
- Elected by the Unit
Should card access be required for a space or set of spaces and subsequently installed due to the all-campus criteria and the room functions are moved to a new location, the security recommendation will follow the functions and card access must be installed at the new location. Funding to cover the installation costs will need to be arranged by the unit.
- Required by the Campus
Should card access be required and subsequently installed for a space or set of spaces due to the all-campus criteria and the room functions are moved at the request of the university to a new location, card access will be installed. The installation costs will be covered by the central campus.
- Spaces with Existing Card Access
Should a move result in a vacant space that has card access installed, the new occupants will use the system and assume any annual operating costs. An existing card access system will generally not be removed or disabled for a new tenant. It is the policy of the University to equip as many areas as possible with secure access control.
In either case, and inasmuch as room use is determined by the user, operating costs will be covered by the unit.
- Elected by the Unit
- Alterations and Improvements of Existing Space
For all alteration and improvement projects of existing space, card access will be reviewed as one of the planning components. Should it be determined that card access is either required by the all campus criteria or elected by the user, installation costs will be included as part of the total project cost and funded accordingly. Operating costs will be covered by the unit.
IV. Assessments and Exceptions
- The MSU Police Department (MSUPD) and the Office of Environmental Health and Safety (EHS) are available to campus units to help with assessing the merits of installing electronic card access to enhance the security of certain functions. In some cases this can be accomplished through administrative controls and electronic card access will not significantly add to the security of a given function. In others, this may be the reverse. In either case, MSUPD and EHS can provide the assessment expertise and a recommendation.
- In those instances where the unit believes that circumstances warrant an exception to this policy and/or the criteria for the installation of security card access, consultation assistance will be sought from the MSU Police Department and EHS security review teams. Following a thorough review, a recommendation will be made to the Chief of the Police Department who has the authority to grant or deny the exception.
V. Card Access and Enhanced Security Measures Criteria
This document is designed to help personnel assess their security requirements for Michigan State University rooms, suites, laboratories, facilities and areas. The results of this checklist will help determine if card access is required, enhanced security measures and/or protocols are required, or if no additional security is needed.
If it is concluded that a card access control system is required, please refer to the MSU Construction Standard for Card Access for system requirements.
Enhanced security measures and/or protocols can include any equipment or system that adds increased protection against theft, damage, tampering or personal injury. This includes, but is not limited to, card access, locks, video cameras, motion detectors, fencing, the separation of animals and humans, gates, lighting, posted hours of operation, warning-related signage and administrative security protocols.
Prior to assessing the need for enhanced access security control, units and individuals should:
- Read and understand the descriptions and definitions provided in this document
- Know all legal, regulatory and/or external requirements pertaining to the assessed space
- Know the approximate value of cash and equipment in the assessed space
- Consolidate storage and processing of all confidential and proprietary data (CPD) necessary to academic and business operations to systems and locations that may be properly and optimally secured
- Destroy any CPD which are not needed for academic and business purposes
- Provide appropriate layers of security for any CPD which must remain in distributed locations (e.g., locked cabinets for paper records)
The following checklist contains questions addressing five major areas: research areas, server rooms, sensitive interior areas, farm areas, and physical plant rooms.
PLEASE REVIEW ALL CRITERIA BEFORE MAKING A DECISION TO IMPLEMENT CARD ACCESS AND/OR ENHANCED SECURITY MEASURES.
- Descriptions and Definitions
- Agricultural Chemicals
- Fertilizers, herbicides, fungicides, insecticides, rodenticides, pesticides and other materials with similar characteristics and applications.
- BSL 2, 3, 4
- Biosafety Level 2 or 3 and 4 facilities are those subject to standards contained in the NIH Biosafety in Microbiological and Biomedical laboratories, Section IV, Laboratory Biosafety Level Criteria. See: NIH Biosafety in Microbiological and Biomedical Laboratories
- Card Access
- See ‘MSU Construction Standard for Card Access’.
- Chemicals of Interest
- The Department of Homeland Security (DHS) has issued Chemical Facility Anti-Terrorism Standards (CFATS) for all facilities that manufacture, use, store, or distribute certain chemicals above a specified quantity. The federal government has recognized that research universities may have chemicals of interest (COIs) to terrorists, and the legislation requires detailed chemical inventory reporting.
- Communications Rooms
- Rooms that are utilized to terminate fiber optic and other types of cabling and to house computing, telecommunication and related equipment. In order of priority, three levels have been determined:
- Level 1. Termination point for cabling and equipment which support multiple floors or wings of the facility. Typically contains the main distribution frame (MDF) and is often the primary communications entry point for the facility. Potential outage impact is high.
- Level 2. Termination point for cabling and equipment which support an entire floor or wing of the facility. Typically contains an intermediate distribution frame (IDF) and is connected to one or more Level 3 rooms. Potential outage impact is medium.
- Level 3. Termination point for cabling and equipment which support one or more office areas within a floor. Typically serves as demarcation point for local on-premises wiring. Potential outage impact is low.
- Confidential or Proprietary Data (CPD)
- Data, regardless of the form (electronic, paper, other), in which the data are stored or processed in the subject space. The checklists are based on the current University definitions of Confidential and Proprietary Data.
- Controlled Substances
- Drugs and certain other chemicals, both narcotic and non-narcotic, which come under the jurisdiction of federal and state laws regulating their manufacture, sale, distribution, use and disposal, which include any substance listed in the Controlled Substances Act, Code of Federal or Substance Regulations (21 CFR, part 1300 to end).
- Controversial Research
- Research that due to its characteristics or nature presents an increased security risk or hazard to the University.
- Dual Use Research
- Research that has the potential to be misused for nefarious purposes is said to be “dual-use”. The techniques needed to engineer a bioweapon are the same as those needed to pursue legitimate research.
- Enhanced Security
- Any equipment or system that adds increased protection against theft, damage, tampering or personal injury. This includes, but is not limited to, card access, locks, video cameras, motion detection, fencing, the separation of animals and humans, gates, lighting, posted hours of operation, warning-related signage and administrative security protocols.
- Environmental Hazard Areas
- Situations or state of events that pose a threat to the surrounding environment - potential hazards might include a chemical spill or dumping, but also various emissions of pollutants or the leaching of pesticides and fertilizers into the surrounding environment.
- Export Control Laws and Regulations
- Export control laws and regulations are those federal laws and regulations that control the conditions under which certain information, technologies, and commodities can be transmitted over-seas to anyone, including U.S. citizens, or to a foreign national on U.S. soil. For example, programs are implemented by both the Department of Commerce through its Export Administration Regulations (EAR) and the Department of State through its International Traffic in Arms Regulations (ITAR).
- High-Energy Radioactive Sources
- Positron Emission Tomography (PET) and Cyclotrons are examples of facilities that utilize high energy radioactive sources.
- High Replacement Cost Instruments/Equipment/Materials/Contents
- Individual pieces of instrumentation, equipment, materials or contents with a replacement value in excess of $250,000. A security assessment will be made by the Department and Police and Public Safety Security Team to determine the appropriateness of required enhanced security measures and/or protocols.
- Material Quantity
- Program-scale or department-scale storage of such data (for example, that would be associated with a director’s or chairperson’s office, or workspace of a related administrative associate), or larger.
- Note regarding Confidential and Proprietary Data: It is the intention of these criteria to describe conditions under which due consideration should be given to enhanced means of physical access control for spaces in which “material quantities” of CPD are stored or processed. These criteria recognize that many types of CPD (for example, student educational records, copies of personal personnel records) exist in small and even significant volumes on faculty and staff computers and office files, and that it would be impractical to apply expensive security controls to every office or laboratory space in which this may be the case.
- Proprietary Information
- Information, records, or data whose value would be lost or reduced by disclosure or by disclosure in advance of the time prescribed for its authorized public release, or whose disclosure would otherwise adversely affect the University financially.
Examples of proprietary information include but are not limited to:
- Research data or results prior to publication or the filing of a patent application.
- Non-patentable technical information or know-how that enhances the value of a patented invention or that has independent commercial value.
- Information about the University’s intention to buy, sell, or lease property whose disclosure would increase the cost of that property for the University or decrease what the University realizes from that property.
- Research Laboratories
- Research laboratories that utilize normally expected research practices, protocols and materials that, while potentially hazardous, may not fall within the guidelines established for other categories
- Select Agent
- A microorganism (virus, bacterium, fungus, rickettsia) or toxin listed by the CDC (7 CFR Part 331, 9 CFR Part 121, and 42 CFR Part 73). This term also includes:
- Genetically modified microorganisms or genetic elements from organisms listed as select agents, shown to produce or encode for a factor associated with a disease, and
- Genetically modified microorganisms or genetic elements that contain nucleic acid sequences coding for any of the toxins listed as a select agent, or their toxic submits.
- Sensitive Interior Areas
- Rooms or areas that contain a variety of materials, equipment and/or services that are essential to the function of the University, including south campus farms and other University facilities. Should unauthorized persons gain access to these areas; they could create a risk of public or personal and/or institutional harm.
These areas may be support areas storing equipment and supplies or the main area for a function that is not directly research related. These rooms are critical to the operation of an individual 5 department or the University as a whole. The nature and use of these areas suggests that they be considered for access control.
- Server Room
- A room that has enhanced power and/or cooling infrastructure installed specifically to support computing equipment.
- Significant Cash Operation
- Location whose primary operation is dealing with amounts of cash, checks or credit card sales over $5,000. These areas do not include “petty cash” kept in various offices.
- Significant Chemical Hazard
- This category comprises chemicals that by their nature or volume (or combination thereof), present a substantial and quantifiable hazard to campus health or safety, as determined following the completion of a comprehensive risk assessment of the facility. This category may extend to facilities containing chemicals and/or other materials using quantities that exceed statutory or regulatory thresholds established by federal or state agencies, such as USEPA, OSHA, CDC, DOT MDEQ, MIOSHA, MDOT, etc.
- Weapons (not including culinary service items)
- Firearms, knives, swords, explosives and any other items typically thought of as weapons.
- Criteria for Required Card Access
My room/suite/laboratory/facility/area:
- □ utilizes select agents or exempt select agents including related support and office areas
- □ is subject to Export Control Laws and Regulations, International Trade in Arms Regulations (ITAR), Export Administration Regulations (EAR), including related office and data management facilities
- □ is a BSL 2 or 3 or 4 Facility or uses materials that fall into the BSL 2 or 3 or 4 category
- □ uses Recombinant DNA and is subject to Biosafety Committee Review (i.e., non-exempt research) including related support and office areas
- □ is a Level 1. or Level 2. communications room.
- □ is a research animal facility, including related support and office areas
- □ stores controlled substances
- □ is licensed to use radioactive materials
- □ conducts potentially controversial research, including related support and office areas
- □ stores information relating to research involving human or animal subjects
- □ has operations that present a significant chemical hazard to the University community, or uses chemicals on the DHS “Chemicals of Interest” list above screening threshold quantities
- □ is a main electrical vault with switch gear or contains air handling equipment
- □ Health Information – (any quantity) as defined and governed by the Health Insurance Portability and Accountability Act (HIPAA)
- □ Stores weapons
- Criteria for Enhanced Security Measures and/or Protocols
My room/suite/laboratory/facility/area:
- □ is a standard research facility
- □ houses animals other than research animals
- □ has manure pits
- □ has bunker silos
- □ has spaces with research freezers/growth chambers located in common and/or public areas
- □ houses an emergency generator
- □ is a fuel storage area
- □ is a residence hall
- □ is an area for storing large amounts of fertilizer, pesticide storage or anhydrous ammonia
- □ is a significant cash operation
- □ contains water wells, either potable or irrigation wells
- □ is a server room
- □ contains the main water feed to the building
- □ has the main natural gas feed to the building
- □ contains sump pumps
My office/room/laboratory/area contains material quantities of:
- □ Records describing security measures
- □ Payment (credit/debit) card account numbers and related information
- □ Bank account numbers, Automated Clearinghouse (ACH), Electronic Funds Transfer (EFT) account numbers and related information
- □ Personal financial information – as defined and governed by the Gramm-Leach-Bliley Act (GLB)
- □ Research information – as defined and governed by federal regulation (45 CFR 46, 21 CFR 50, 21 CFR 56) and MSU’s Internal Review Boards. See: VP Research and Graduate Studies - Compliance
- □ Employment data such as benefits enrollment, beneficiary data, and certain grievance, arbitration, or legal proceedings documentation (other than individual personal copies of such)
- □ Social Security numbers (SSNs) – the use of which is controlled by the Michigan Social Security Number Privacy Act, and institutional policy. See: University Policy on Social Security Number Privacy
- □ Student educational records – as defined and governed by the Family Educational Rights and Privacy Act (FERPA) and MSU’s Guidelines Governing Privacy and Release of Student Records (www.reg.msu.edu), including student number and student name pairings
- □ Driver’s license numbers
- □ Names, addresses and phone numbers when used in conjunction with any of the above data and other personal data such as date of birth, mother’s maiden name, or when restricted or protected by the individual
- Criteria for a Security Assessment
A security assessment can be requested and will be made by the MSU Security Review Team to determine the appropriateness of required and enhanced security measures and/or protocols for the campus. Examples of when a security assessment may be most beneficial include but are not necessarily limited to spaces that:
- □ meet any of the criteria listed under the “Card Access Required”.
- □ contain high value equipment, instruments, materials or contents
- □ is an area or room where its loss would represent a major material or business continuity loss to the University, unit, or individual department
- □ has information described by the University as “Proprietary Information”
- □ has had several occurrences of theft or vandalism in the last five years
VI. Construction Standard
- Facility Protection
- Protective systems involving fire, security, and access control shall be reviewed with the Department of Police and Public Safety regarding the scope of work and the type of systems to be implemented.
- Automatic Sprinklers: All new major buildings will have automatic sprinklers throughout. (See Construction Standards Division 21 – Section 211313 WET-PIPE SPRINKLER SYSTEMS).
- Detection and Alarm: All new buildings will have a protected premises fire alarm system consisting of pull stations, area and duct smoke detectors, and evacuation alarms/strobes throughout the building. (See DESIGN GUIDELINES – ELECTRICAL DESIGN and Construction Standards Section 283100 – Detection and Alarm).
- Fire Hose Standpipes
- Threading on hose connections shall match MSU equipment.
- All new buildings over two stories above ground will have fire hose standpipes in accordance with NFPA Code and as follows:
- Standpipes will normally be wet systems placed in stairwells, and be interconnected. Intermediate risers may be needed in long buildings.
- Hoses will not be provided. Provide both Siamese and O.S. & Y. connections.
- Fire Extinguishers: Fire extinguishers will be furnished and installed by the MSU Department of Police and Public Safety, unless otherwise specified. (See Construction Standards Section 104400 – Fire Protection Specialties)
- Miscellaneous: The following items are commonly installed wherever conditions warrant their use:
- Breather Mask Cabinets (See Section 104400 – Fire Protection Specialties)
- Valve Cabinets: For emergency shut-off of laboratory gas.
- Fire Blanket Cabinets
- Emergency Showers (See Construction Standards Section 224500 – EMERGENCY PLUMBING FIXTURES)
- Access Control
- A Siemens access control system compatible with the access control system located in the Department of Police and Public Safety shall be implemented on building doors as follows:
- Exterior Doors:
- All exterior doors (personnel, overhead, access, etc.) shall be equipped with a magnetic position switch, request to exit, electric strike, and be prepared for electronic access control.
- The accessible door to the building and any other designated exterior doors shall be equipped with electronic accessible control; a reader, electric strike, magnetic position switch and request to exit.
- If this door is the automatic swinging door, then activation of the access control shall cause the door to open automatically.
- Interior Doors:
- All interior doors shall be prepared for access control with boxes and conduit for future magnetic position switch, request to exit, electric strike, and reader.
- Interior doors designated in the building program or subsequently determined shall be equipped the same as Exterior Doors above. The list of interior doors to be equipped with access control shall be reviewed with the MSU Department of Police and Public Safety.
- All interior and exterior Mechanical Room, Electrical Room, and Communication Room doors shall be equipped the same as Exterior Doors above.
- Exterior Doors:
- A Siemens access control system compatible with the access control system located in the Department of Police and Public Safety shall be implemented on building doors as follows: