Physical Building access - reference facility security audit document

Cabinet for Health and Family Services (CHFS)
Information Technology (IT) Policies
Category: 030.000 Physical Security
030.100 Physical Building Access Control – Buildings with Electronic Access
Controls and Procedures
Policy: Many CHFS buildings have controlled physical access. Most of those access entry points
are controlled by electronic scan devices with key cards. See Office of Human Resource
Management (OHRM) Personnel Procedures Handbook section 2.7 for a detailed list of locations.
For any IT individual (state employee or contractor) who works in a controlled facility, a badge
will be issued. This badge is required to gain entrance to the location and be verified as a CHFS
employee or contractor.
IT Management is responsible for ensuring that employees and contractors are provided with the
appropriate level of access to a building and that departing employees and contractors are
removed from the key card system by notifying the Department Badge Liaison. The CHFS
Office of Administrative and Technology Services (OATS) IT Security and Audit Section is
responsible for auditing the key card database to ensure that all issued badges are removed when
no longer needed.
Scope: This policy and procedure applies to all CHFS IT employees and contractors, including
all persons providing contractor services, who are granted access to any CHFS facilities that are
controlled through an access control key card system (see definitions below).
Policy/Procedure Maintenance Responsibility: The Office of Administrative and Technology
Services (OATS) IT Security & Audit Section is responsible for the maintenance of this
policy/procedure.
Applicability: All CHFS IT employees and contractors shall adhere to the following
policy/procedure.
Exceptions: Any exceptions to this policy must follow the procedures established in Policy
070.203.
CHFS has the ability to track building key card access through electronic databases. The key
card system data may be used as part of a personnel investigation at the request of OHRM.
There are two levels of access: 6 to 6 and 24/7. Regular access is 6 to 6, no weekends.
Management approval (Division Director or above) is required for 24/7 access or for access to
any other building that is not the employee's normal working location. This request must be
submitted via email to the Department Badge Liaison.
    • 6 to 6 access allows an employee to enter a state controlled CHFS building between the
       hours of 6AM to 6PM, Monday through Friday.
    • 24/7 access allows an employee to enter a state controlled CHFS building any time,
       including weekends.




Employee Responsibilities:
   • Badge must be used each time an employee enters their building(s) or controlled
     locations within a building.
   • Badges are for badge holders only and are not to be used by another employee or visitor
     entering the building.
   • Badges are to be worn at all times within controlled facilities, visibly displaying the front
     of the card.
   • Employees must immediately report a lost, stolen or damaged badge to the Department
     Badge Liaison.
   • Badges should not be carried in a wallet since credit cards can damage the badge's
     electronic strip.
   • Employees are responsible for paying the $16 replacement fee for a lost or stolen badge.
   • Failure to follow the guidelines may be considered misconduct resulting in disciplinary
     action, up to and including dismissal.

Management Responsibilities:
   • Send new badge requests to the Department Badge Liaison. Request must include the last
     4 digits of the SSN and building where access is needed.
   • Monitor employees to ensure they adhere to this policy.
   • Collect badge from employee before they depart (resign, transfer, retire, etc.).
   • Forward collected badge to the Department Badge Liaison ASAP.
   • Monitor list of personnel who have been granted 24/7 access to IT locations. Remove any
     individual from the higher access level when necessary.
   • Approve 24/7 access sparingly. Use alternative means to grant access such as having an
     individual with 24/7 access on site to allow those individuals without 24/7 access into the
     facility.
Definitions:
    • Employee: A state full-time, part-time, temporary, summer intern, interim employee or
       contract employee working for the state.
    • CHFS Frankfort and other access controlled Locations: (all facilities listed below are
       controlled by the state access system except as noted)
           o CHR Building outside access;
           o CHR Server Room;
           o CHR Telecommunication room;
           o Frankfort Place;
           o L & N Building;
           o Elkhorn Court – (This facility controls their own badges).




Security Badge Authorization Procedure:
     • IT employees who do not have an existing security access badge for the CHR Building,
       Elkhorn Court, L & N Building or Frankfort Place must follow one of the procedures
       below (#1A or #1B - depending on which Division the employee is assigned) for
       requesting a new security badge.
     • Replacements for lost or damaged access badges are also requested the same way.

1. Requesting Initial Badge OR Requesting Replacement Badge.

      1A. Division of System Management personnel:
      a) For a replacement badge, the individual e-mails request to their immediate supervisor for
         initial security access. Must specify either regular access (6-6) or 24/7 access.
         Justification for 24/7 is required. The request must include the last 4 digits of the
         individual's SSN.
      b) For a replacement badge, the supervisor reviews requests to determine validity.
         Supervisor also ensures that 24/7 access is necessary if it was requested. If 24/7 is
         necessary, the supervisor completes a detailed justification.
      c) For an initial badge, the supervisor initiates the request with the same information
         mentioned in a) above. Supervisor forwards request via e-mail to the Division Director
         with the included 24/7 justification.
      d) Division Director reviews the request and justification for 24/7 access (if requested) and
         forwards request via e-mail to the Branch/Division Badge Liaison for processing.
      e) The Branch/Division Badge Liaison processes the request, completes the required form
         and forwards the form to the IT Badge Liaison Coordinator for processing.
      f) The IT Badge Liaison Coordinator processes the request, reviews the form, and the 24/7
         justification and forwards to the Cabinet Coordinator. If 24/7 justification was NOT
         included, the request is returned.
      g) When notification of approval is received by the IT Badge Liaison Coordinator, it is
         forwarded to the Branch/Division Badge Liaison.
      h) The Branch/Division Badge Liaison then notifies the supervisor with the badge
         instructions.
      i) The employee goes to the designated location and obtains the badge.
      j) If the individual works in the Elkhorn Court building, the individual takes the badge to
         the Elkhorn Court Badge Coordinator to have their badge coded for entry.

      1B. Division of Network Management, Division of User Support and Office of
         Information Technology Executive Staff personnel:
      a) For a replacement badge, the individual e-mails request to their immediate supervisor for
         initial security access. Must specify either regular access (6-6) or 24/7 access.
         Justification for 24/7 is required. The request must include the last 4 digits of the
         individual's SSN.
      b) For a replacement badge, the supervisor reviews requests to determine validity.
         Supervisor also ensures that 24/7 access is necessary if it was requested. If 24/7 is
         necessary, the supervisor completes a detailed justification.
      c) For an initial badge, the supervisor initiates the request with the same information
         mentioned in a) above. Supervisor forwards request via e-mail to the Division Director
         with the included 24/7 justification.


      d) Division Director reviews the request and justification for 24/7 access (if requested) and
         forwards request via e-mail to the IT Badge Liaison Coordinator.
      e) The IT Badge Liaison Coordinator processes the request, reviews the form, and the 24/7
         justification and forwards to the Cabinet Coordinator. If 24/7 justification was NOT
         included, the request is returned.
      f) When notification of approval is received by the IT Badge Liaison Coordinator, the
         coordinator notifies the supervisor with the badge instructions.
      g) The employee goes to the designated location and obtains the badge.

Security Badge Modification Procedure:
     • Employees who already have a CHFS security badge for one of the CHFS buildings but
       need permanent access to another building also follow one of the procedures below
       (#2A, #2B, #3, or #4 - depending on which Division the employee is assigned).

2. Requesting Additional Security Access to the CHR building, L & N Building or
   Frankfort Place. NOTE: Nothing is done to the physical badge. All access processing is
   done electronically at the Finance Cabinet level.

      2A. Division of System Management personnel:
      a) Individual e-mails request to their immediate supervisor for additional security access.
         Must specify either regular access (6-6) or 24/7 access. Justification for 24/7 is required.
         The request must include the last 4 digits of the individual's SSN.
      b) Supervisor reviews requests to determine validity. Supervisor also ensures that 24/7
         access is necessary if it was requested. If 24/7 is necessary, the supervisor completes a
         detailed justification.
      c) Supervisor forwards request via e-mail to the Division Director with the included 24/7
         justification.
      d) Division Director reviews the request and justification for 24/7 access (if requested) and
         forwards request via e-mail to the Branch/Division Badge Liaison for processing.
      e) The Branch/Division Badge Liaison processes the request, completes the required form
         and forwards the form to the IT Badge Liaison Coordinator for processing.
      f) The IT Badge Liaison Coordinator processes the request, reviews the form, and the 24/7
         justification and forwards to the Cabinet Coordinator. If 24/7 justification was NOT
         included, the request is returned.
      g) When notification of approval is received by the IT Badge Liaison Coordinator, it is
         forwarded to the Branch/Division Badge Liaison.
      h) The Branch/Division Badge Liaison then notifies the individual and supervisor.

      2B. Division of Network Management, Division of User Support and Office of
         Information Technology Executive Staff personnel:
      a) Individual e-mails request to their immediate supervisor for additional security access.
         Must specify either regular access (6-6) or 24/7 access. Justification for 24/7 is required.
         The request must include the last 4 digits of the individual's SSN.
      b) Supervisor reviews requests to determine validity. Supervisor also ensures that 24/7
         access is necessary if it was requested. If 24/7 is necessary, the supervisor completes a
         detailed justification.
      c) Supervisor forwards request via e-mail to the Division Director with the included 24/7
         justification.

    d) Division Director reviews the request and justification for 24/7 access (if requested) and
       forwards request via e-mail to the IT Badge Liaison Coordinator.
    e) The IT Badge Liaison Coordinator processes the request, reviews the form, and the 24/7
       justification and forwards to the Cabinet Coordinator. If 24/7 justification was NOT
       included, the request is returned.
    f) When notification of approval is received by the IT Badge Liaison Coordinator, the
       coordinator notifies the individual and supervisor.

3. Requesting additional security access to the CHR building Server Room or
   Telecommunication Room.
    • Server Room access must be approved by the Division Director, Division of Network
      Management.
    • Telecommunication Room access must be approved by the Division Director, Division of
      User Support.
    • Access to the Server Room and/or Telecommunication Room retains the access level of
      the original badge, either 6-6 or 24/7. NOTE: Nothing is done to the physical badge. All
      access processing is done electronically at the Finance Cabinet level.
   a) Individual e-mails request to their immediate supervisor for additional security access.
      Justification for access to the server room and/or telecommunication room is required.
      The request must include the last 4 digits of the individual's SSN.
   b) Supervisor reviews requests to ensure that the access is necessary. If necessary, the
      supervisor completes a detailed justification.
   c) Supervisor forwards request via e-mail to the Division Director with the included
      justification.
   d) Division Director reviews the request and justification for access and forwards request
      via e-mail to the Branch/Division Badge Liaison for processing.
   e) The Branch/Division Badge Liaison processes the request, completes the required form
      and forwards the form to the IT Badge Liaison Coordinator for processing.
   f) The IT Badge Liaison Coordinator processes the request, reviews the form, and the
      justification. If the justification was NOT included, the request is returned.
   g) The IT Badge Liaison Coordinator will get approval from the appropriate Division
      Director (Server Room or Telecommunication Room).
   h) Upon approval from the appropriate Division Director (Server Room or
      Telecommunication Room), the IT Badge Liaison Coordinator forwards the request to
      Cabinet Coordinator.
   i) When notification of approval is received by the IT Badge Liaison Coordinator, it is
      forwarded to the Branch/Division Badge Liaison.
   j) The Branch/Division Badge Liaison notifies the individual and supervisor.

4. Requesting additional security access to the Elkhorn Court building. NOTE: For all
   personnel regardless of division, personally take your access badge to Elkhorn Court and
   contact the security coordinator to have your badge coded for entry to the building.
   a) Individual initiates access request and forwards the request via e-mail to their immediate
       supervisor.
   b) Supervisor reviews requests to determine validity and forwards request via e-mail to the
       Division Director.
   c) Division Director reviews the request and forwards the request via e-mail to the
       Branch/Division Badge Liaison for processing.

    d) The Branch/Division Badge Liaison processes the request and forwards the request to the
       Elkhorn Court Branch Manager.
    e) The Elkhorn Court Branch Manager approves the request and returns the
       request to the originating Branch/Division Badge Liaison. The Branch Manager also
       forwards a copy of the request to the Elkhorn Court Badge Coordinator.
    f) The Branch/Division Badge Liaison notifies the individual of approval.
    g) When notification of approval is received, the individual takes the approved form to the
       Elkhorn Court Badge Coordinator to have their badge coded for entry.

Review Cycle: Annual

Timeline:
Revision Date: 04/30/2008
Review Date: 04/30/2008
Effective Date: 04/30/2008

Cross Reference #
 • There are no COT policies related to this policy.
 • OHRM Personnel Procedures Handbook - 2.7 - Employee Identification Badge
 • CHFS IT Policy # 070.203 – Exceptions to Standards and Policies.





				