Secure Computing Facility Access Rule
Purpose
The purpose of this rule is to clearly delineate the roles and expectations for physical access to the secure locations housing network equipment and computing infrastructure.
Scope and Definition
Scope
The scope of this rule applies to all locations housing University-owned networking, server, or storage equipment, including but not limited to, the equipment room (hence, “secure network location”), the backup data center, access to wiring, and networking racks and/or closets throughout WMU facilities.
Definition
- Card key – University-issued photo ID with RFID/magstripe, QR, and NFC capabilities.
- Physical key – Traditional hard keys used with a mechanical lock.
- Secure computing location – Any secure location housing University-owned networking and computing equipment as outlined in the Scope above.
- Incident – An unexpected event that disrupts business operational processes or reduces the quality of a service.
- Criminal Justice Information (CJI) – Data that includes criminal history record information, biometric data, and all other data collected and/or disseminated by law enforcement agencies for the purpose of administering criminal justice and national security.
- CJIS Policy – The Criminal Justice Information Security policy as published by the Federal Bureau of Investigation. This policy defines security controls, requirements, and staff vetting mandates for people and locations handling CJI.
Rules and Required Procedures
A. Roles
- Controller
- A controller is a person who has the authority to make determinations for who is assigned what level of access to secure computing locations as outlined below.
- This role is filled by the Chief Information Officer and/or their designee(s).
- Auditor
- An auditor is a person who is responsible for periodically auditing access lists as outlined below and ensuring access has been removed in a timely fashion.
- This role is filled by the Security and Privacy Officer and/or their designee(s).
B. Access Levels
Please use the following criteria in determining escorted versus unescorted Access:
There are three levels of access to the secure network locations – controlling access, escorted access, and unescorted access.
- Controlling Access is given to employees who have unlimited access authority to the secure network locations.
- Controlling Access is granted to the staff whose job responsibilities require that they have access to the area on a day-to-day basis. These individuals also have the authority to grant temporary access to a secure network location and to enable others to enter and leave a secure network location. People with Controlling Access are responsible for the security of the area, and for any individuals that they allow into a secure network location. Individuals with Controlling Access to a secure network location normally will be granted access via a card key and will be placed on the secure network location Access List. Any individual receiving Controlling Access must successfully pass a criminal background check according to applicable compliance procedures.
- Individuals granted controlling access may, in addition to the card key they are issued, request physical key access. While it is not a best practice to issue physical keys to a secure network location for routine access purposes, requests for this type of access will be considered on a case-by-case basis.
- In addition to card key access, individuals granted controlling access will be required to gain physical access using two-factor authentication. Two-factor authentication uses a PIN in addition to the card key to provide access to some secured areas.
- Individuals with Controlling Access to an area may allow authorized and logged individuals Escorted or Unescorted Access to a secure network location.
- If a person with Controlling Access allows Escorted Access to an individual, the person granting access is responsible for escorting the individual granted access and seeing to it that they sign in and out on the access log. If needed, these duties can be handed off to one of the staff that is on duty in a secure network location.
- Escorted Access is closely monitored access given to people with a legitimate business need for infrequent access to a secure network location. “Infrequent access” is generally defined as access required for less than 6 days per year.
- Individuals with Escorted Access will not be issued physical keys or be granted access via card key.
- A person given Escorted Access to an area must sign in and out on the access log under the direct supervision of a person with Unescorted Access. They must also provide positive identification upon demand and must leave the area when requested to do so.
- A person given escorted access will be given a “Visitor” badge after they sign in, which must be worn visibly at all times.
- A person with Escorted Access to an area must not allow any other person to enter or leave the area.
- Unescorted Access is granted to a person who does not qualify for Controlling Access but has a legitimate business reason for unsupervised access to a secure network location. An example of this would be a Western Michigan University Employee or approved vendor who requires access to perform work on their system(s) for a set period of time.
- Directors and their assigned delegates will be granted Unescorted Access to secure network locations that house equipment under their management.
- Individuals with Unescorted Access to a secure network location will be granted access to the area via card key or, if card key is unavailable, a physical key.
- Persons with Unescorted Access should only enter a secure network location to perform tasks that cannot be performed remotely.
- As many secure network locations are shared spaces and house systems managed by separate groups, persons with Unescorted Access should only perform work on systems directly under their purview and should take care not to interfere with the operations of other systems.
- Unescorted Access personnel cannot authorize others to be granted access to a secure network location. They must alert someone with Controlling Access that they will be escorting a Staff Employee or Approved Vendor that does not have secure network location access.
C. Secure network location doors
All doors to a secure network location must remain locked at all times and may only be temporarily opened for periods not to exceed that minimally necessary in order to:
Allow officially approved and logged entrance and exit of authorized individuals.
- Permit the transfer of supplies/equipment as directly supervised by a person with Controlling Access to the area. Internal and external doors will not be allowed to be opened at the same time except for cases where increased airflow is required (see item #2 below).
- Doors to secure network locations will ONLY be propped open if it is necessary to increase airflow into the secure network location in the case of cooling or other environmental issues. In this case, staff personnel with Controlling Access must be present to limit and monitor access to the secure network location.
D. Security System and Keys
Keys to a secure network location are not generally issued for routine access purposes. The following information pertains to keys and the security system:
If a key is provided, the individual receiving the key may not share, loan, or copy it.
- Only those people who have been granted Controlling Access can request and be issued keys.
- Under no circumstances may an individual attempt to bypass the cardkey system to gain access for them or permit access to another individual by using a key.
- Individuals are not to share their card keys.
- If the cardkey system fails, employees will be allowed into the facility by an employee with Controlling Access who can identify them. The accessing employee must show their card key to the employee with controlling access before entry into the secured facility will be allowed.
Enforcement
A. Review and Removal of Access
Physical access to the secure network locations will be reviewed monthly. If an individual no longer requires access to a secure network location or if the card key has been inactive for more than 180 days, the access will be removed.
For individuals whose access is removed because of inactivity for more than 180 days and who do not have a 180-day exception:
- Notification will be sent to the individual whose access has been removed for inactivity for more than 180 days by OIT Operators.
- In the secure network location Access list, they will be reclassified as Access – Inactive 90 days
- Their keycard and PIN shall be deactivated by OIT Operators.
180-Day Exception Process:
- Any individual with card key access can ask to be part of the 180-day exception group. Examples would be Western Michigan University Employees or Authorized Vendors needed for emergency response, Authorized Vendors that are contractually obligated to respond in a given time frame that may require access during unoccupied times of a secure network location.
- Exception requests for WMU employees must be submitted via a support case in goWMU/University CRM by a person’s supervisor.
- Exception requests for Authorized Vendors must be submitted by the supervisor of the contract.
- Periodic (at least annual) reviews will be performed on the location of physical keys to the secure network locations. If an individual no longer needs a key, it will be collected.
Procedures for removing access to a secure network location include:
- Canceling card key access
- Collecting a physical key
- Removing the person’s name from the secure network location Access List
- The results of periodic reviews will be reported to the Security and Privacy team. The report will include an updated list of those allowed access to secure network locations.
B. Secure network location access log
- Individuals with Controlling Access to a secure network location are responsible for maintaining the secure network location Access Log The following procedures must be followed:
- Each time an individual with Escorted Access to a secure network location is admitted to an area, he/she must properly sign-in on the secure network location Access Log at the time of entrance.
- The person admitting the visitor must countersign and fill out the appropriate section of the form. The visitor must also present a picture identification card for verification of identity.
- Each time an individual with Escorted Access leaves the area, he/she must properly sign out on the secure network location Access Log at the time of exit. NOTE: If an individual will be coming and going throughout the day, they can sign in and out one time for that day.
- The person escorting the visitor when they leave must fill out the “Time Out” section of the Log.
C. Incident Reporting
- All infractions of this procedure as well as high-profile incidents shall be reported to the CIO and Security and Privacy Officer. Examples of high-profile incidents are: an unauthorized individual in the secure network location, any attempt to enter a secure network location forcibly or improperly, missing or damaged equipment, etc.
- If warranted law enforcement should be notified of an incident as soon as is reasonably possible.
- Individuals with Controlling Access to the area are to monitor the area and have individuals who appear to be compromising either the security of the area or its activities, or who is disrupting operations, removed. It is particularly important that individuals with Controlling Access show initiative in monitoring and maintaining the security of the secure network location.
D. Requesting Access to the secure network locations
- Departments that have computer equipment in secure network locations may request access for their employees to those secure network locations through the published goWMU/University CRM support case process.
- In compliance with CJIS policy requirements, personnel with controlling or unescorted access to areas containing CJI are required to complete CJIS-compliant security awareness training, fingerprints, and criminal history checks.
E. Termination of Access to the secure network locations
When a person who has access to secure network locations terminates his or her employment or transfers out of the department, a person’s department, business, etc. must notify the Security and Privacy team as soon as possible so that the person’s access to the secure network location can be removed.
F. Emergency Access
If it becomes necessary to provide emergency access to medical, fire, and/or police officials, the escorted access procedure can be temporarily suspended.
Document Action
Revised Dec. 2023