Access Control Policy
- Related Documents: Access Control - Safety and Security Community Guidelines
- Owner: Community Safety and Security (CSS)
- Approver: Vice-President, Administration and Operations
- Approval Dates: September 2011
I. Purpose
To facilitate access to space and equipment by authorized users (staff, students, faculty, community guests and external parties) and in particular, to safeguard the community members of Toronto Metropolitan University (the "University") and its physical assets, a policy on access control has been established. This policy and supporting guidelines sets out specific responsibilities, conditions and practices which are designed to address critical access needs in a manner which minimizes risks to personal safety and maximizes physical asset and private information protection.
II. Scope
This policy applies to all members of the University having responsibility for decision making regarding the use of space or equipment and authorized access to any University owned or leased space.
III. Policy Statement
The safety and security of the physical space and assets is a shared responsibility of all members of the University community. To meet this obligation, the University has established access control policy provisions to address the design, administration and management of access control systems and measures to ensure their integrity.
IV. Policy
1. Access control, both allowing and restricting access to space and equipment, will be administered by the departments that are responsible for the space and / or the equipment contained therein and the safety of staff, faculty or students having authorization to use such space or equipment.
2. Access control for building perimeters will be under the direction of Security and Emergency Services.
3. The appropriate level of access control for the protection of users, property and private information will be determined by each department, in consultation with Security and Emergency Services and in accordance with safety and security guidelines established by the Department of Integrated Risk Management and the University’s Personal Information Protection Guidelines.
4. Factors which must be considered in developing access control plans shall include:
a. isolated areas where people work alone or during low-traffic hours.
b. expensive devices, equipment or other property that could be targeted for theft;
c. sensitive information that should remain confidential;
d. equipment of which use must be restricted to authorized / trained users;
e. essential functions or processes which require uninterrupted conditions; and
research or other activity that should not be disturbed;
5. The level of access control is based on risk assessment and individual departmental needs, and will subsequently define the following levels of control measures:
Low level access control measures may include:
a. installing locks and door plates that make unauthorized access more difficult;
b. issuing keys to all room users, in accordance with conditions set out in the University Key Control Policy; or
c. keeping rooms open and placing audible alarms or monitored alarms on equipment.
Medium level access control measures may include:
a. issuing keys only to an access control designate within the department/office, who provides key access when needed; or
b. installing security systems that are monitored by Security and Emergency Services on all access points.
High level access control measures may include:
a. appointing staff such as lab monitors who are present while rooms are accessible;
b. installing security systems that are monitored by Security and Emergency Services; or
c. installing card readers on the perimeter as well as individual rooms.
All security systems and devices and related plans must be pre-approved by Security and Emergency Services
6. Every department shall appoint a person in the department who is responsible for coordinating access control and liaison with Security and Emergency Services on matters relating to the integrity of the related access control systems and measures.
7. Access during designated University closures, will be determined by the Executive Group, in consultation with Deans and Senior Directors. Departments will need to ensure that appropriate arrangements for access are in place for persons who are authorized to enter the University during designated closures. Such authorization must be approved by the appropriate Dean or Senior Director and include submission of an access control plan to Campus Safety and Security, by the Chair, Academic Director or Manager.
8. Access control plans must address the needs of faculty, staff and students with disabilities.
V. Roles and Responsibilities
Security and Emergency Services
Security and Emergency Services shall:
a. direct and coordinate building perimeters access;
b. be responsible for unlocking and securing all perimeters on campus;
c. provide on-going assistance on matters relating to building and room access;
d. establish and maintain current university-wide guidelines regarding access control and related security system measures;
e. provide advice and recommendations to departments regarding the development and maintenance of access control systems and measures for their respective areas;
f. provide advice, recommendations and project coordination for security systems design and installation; and
g. respond to intrusion alarms that are monitored by Security and Emergency Services.
Individual Departments/Offices
a. Chairs, Academic Directors, Managers and representatives of Unions and Associations shall:
b. establish an access control system, in consultation with Security and Emergency Services;
c. provide access control for all the spaces that they are responsible for in accordance with the guidelines established by Security and Emergency Services; and
d. implement the related provisions made under the Security System Alarm Protocol and Security Systems guidelines.
Departments who book space on behalf of internal or external client shall:
a. make arrangements for access with the department(s) that are responsible for the space;
b. establish an access control plan for the event or activity;
c. communicate the access control plan at least 48 hours in advance of the event, to Security and Emergency Services, indicating perimeter access needs; and
d. ensure that persons who have booked space are familiar with their obligations under the Security Systems Alarm Protocol Guidelines, where appropriate.
VI. Jurisdiction
This policy is under the jurisdiction of the Vice President, Administration and Finance and is administered through Integrated Risk Management (IRM).