Access management policy
All departments and colleges should use ISAAC to meet their electronic access control needs. Implementation of physical security infrastructure using electronic access control is optional, except in those areas that have significant life-safety issues or elevated security concerns.
Physical security infrastructure standards are issued under strict build requirements. The ASU project Guidelines specify the requirements for all components that make up systems installed on any ASU owned or occupied facility.
All cards used in the ISAAC system are issued by the Sun Devil Card Services Card office.
Access to spaces assigned to units can be managed through ISAAC by the units themselves, by designating a Segment Manager. The delegated unit becomes the primary security agency for that area and must be willing to ensure that all the security requirements of the university are met.
Distributed management authority requires the appointment of a Segment Manager. Segment Managers must be full-time employees. For security reasons, ASU part-time employees and student employees may only be assigned alarm monitoring responsibilities, including the ability to remotely unlock and relock selected doors. Individuals may not have segment administration authority over their offices, labs, and other spaces.
Those who manage the ISAAC system shall comply with all acts associated with personal information, and as an ASU policy, the ISAAC system is not allowed to be used as a time keeping system.
When visiting a site for a new project, please point out the panic buttons to the ASU end user or project manager.
When providing a service to the ASU departments, and a panic button is noticed, do not uninstall it. Panic buttons should only be uninstalled by the company that installed them. The end user is responsible for contacting Stanley or ISAAC and Transaction Services.
Any activated intrusion alarms must be monitored at all times by ASU PD or an outside contractor. It is possible to group alarms from segments to facilitate sharing of alarm monitoring responsibilities. ASU's security policy defines the areas whose alarms may or must be monitored and responded to by ASU PD. Any other activated alarms must be monitored and responded to by units responsible for the doors or access points that generate the alarms. The segment manager may or may not have this responsibility. Units may specify the access points and types of alarms they wish to monitor, the type of notification and the notification recipient for each alarm.
Handling of alarms
If an alarm warrants being directed to a call center, then the call center must be directed to notify ASU PD first and before all other call center lists are activated. ASU PD will record the call and make a determination if they will send an officer. See ASU Security Policy for more information.
All emergency response personnel accessing laboratories while in response to emergency situations.
The ISAAC system data governance shall be maintained in accordance with the UTO Data Governance Standards.
Any data from the ISAAC system including database fields, transaction logs, encryption protocols, card formats, communication protocols, event logs, and configuration data shall be considered as sensitive data and isolated and protected under all guidelines set forth by the University
All of the student data elements in the ISAAC database are protected by FERPA.
Segment Manager policies
Using ISAAC, controlled spaces are grouped together into logical segments. Segments can be comprised of any number of access controllers and readers that are located anywhere at ASU.
However, reader controllers - physical devices - are assigned to segments, and readers attached to an access controller must all belong to that controller's segment or segments. This means that if a card reader needs to be moved from one segment to another because, for example, control of a space is changing from one organization to another, it will likely be necessary to purchase and install a new reader controller and re-wire the card reader so that it is attached to the new controller.
Departments, colleges or schools may be delegated authority and responsibility to administer their own segments, so long as those spaces do not fall into the higher risk category that requires continuous monitoring. With this delegation comes a set of responsibilities and policies that must be adhered to. The delegated unit becomes the primary security agency for that unit and must be willing to ensure that all the security requirements of the university are met. Only full-time employees with fingerprint background authorization should be considered for this role.
Segment managers are responsible for:
Administering access for the assigned segments
Ensuring that ISAAC segment hardware and software failures are identified and resolved, and that interim hard key control is implemented when necessary
Ensuring a yearly audit is conducted to identify invalid users or cardholders and remove their access
Producing access and event reports on demand for constituents and/or ASU PD
Ensuring that access is granted only through proper routing of an access request with the required approvals, including access by the segment manager or those whom the segment manager reports
Ensuring the integrity of the system as defined by the ISAAC segment manager manual
Reporting violations of this and related policies or procedures to proper authorities including the ASU PD or members of the University Security Committee as appropriate
Complying with the procedures identified in the ISAAC segment manager manual
Some of these duties may be delegated to others, particularly alarm monitoring and area access management duties
Alarm Monitoring Managers are responsible for:
Monitoring events and reporting on discrepancies, changes needed, and alarms to an appropriate person of authority over the area in question
Locking or unlocking doors as directed by an appropriate person of authority over the area
Masking or unmasking alarms as directed by an appropriate person of authority over the area
Producing access and events reports as directed by an appropriate person of authority over the area
Some of these duties may be delegated to others (such as third party service providers), particularly alarm monitoring and area access management duties. Third party service providers operate under the oversight of the governing segment manager.
Department or College heads are responsible for:
Assigning segment managers and designating one or more backup segment managers for when the segment manager is unavailable
Authorizing the issuance of card access to faculty, staff, or students as necessary in accordance with these guidelines
Ensuring that the appropriate segment manager is notified of terminating and transferring employees on a timely basis
Ensuring the integrity of the system by reporting violations of this and related policies or procedures to the proper authorities, including the University Police or members of the University Security Committee as appropriate
Creation or Division of an ISAAC segment
New segments are created at the request of space owners. See the ISAAC segment manager manual for specifics of the procedure
It may be necessary to share spaces with - or release spaces to - the Facilities Segment or to a Specialty Control Segment. These areas may include: Datacom closets, restricted use laboratories, utility access closets, roof access, etc. Typically, owners of these spaces will initiate and direct these efforts. If spaces are to be moved to a new segment, new ISAAC hardware may have to be installed.
Video policy and signage
Video security policy
The video surveillance of university areas is intended to deter and detect crime and assist in protecting the safety and property of the ASU community. Cameras being used for security require maintenance by a central enterprise application, database and private network as an ASU Enterprise video management system. If cameras appear to be security cameras and are capturing video which can be used for inspection, situational awareness, or used for deterrence then the cameras shall be made to function in the ASU enterprise video management system.
To get started, refer to policy PDP 201-06 that references:
Inoperative, placebo or dummy systems
New system installations, modifications and upgrades
Operating responsibilities, limitations and training
We use the 6'' x 6'' decal only and displayed at a buildings entry points. Order them at the ASU Sign shop.