Guidelines, procedures and standards
Access management policy
All departments and colleges should use ISAAC to meet their electronic access control needs. Implementation of physical security infrastructure with electronic access control is optional, except in areas with significant life-safety issues or elevated security concerns.
Physical security infrastructure standards are issued under strict build requirements. The ASU Project Guidelines specify the requirements for all system components that are installed on any ASU-owned or occupied facility.
ASU Sun Devil Card Services issues all cards used in the ISAAC system.
Access managers
Access to spaces assigned to units can be managed in ISAAC by the units themselves, who designate a segment manager. The delegated unit becomes the primary security agency for that area and must be willing to ensure that all university security requirements are met.
Distributed management authority requires the appointment of a segment manager. Segment managers must be full-time employees. For security reasons, ASU part-time employees and student employees may only be assigned alarm-monitoring responsibilities, including the ability to unlock and relock selected doors remotely. Individuals may not have segment-level administrative authority over their offices, labs and other spaces.
Privacy management
Those who manage the ISAAC system shall comply with all acts associated with personal information, and, as ASU policy, the ISAAC system is not allowed to be used as a timekeeping system.
Alarms policy
Panic alarms
When visiting a site for a new project, personnel shall identify and document the location of any panic buttons and inform the ASU end user or project manager accordingly.
When providing services to ASU departments, staff must not uninstall or remove any identified panic buttons. Panic buttons may only be removed by the company that originally installed the device. Responsibility for coordinating any removal or service rests with the end user, who must contact either Bosch or ISAAC Services as applicable.
Alarm monitoring
Any activated intrusion alarms must be monitored at all times by the ASU Police Department or an outside contractor. It is possible to group alarms from segments to facilitate the sharing of alarm-monitoring responsibilities.
ASU's security policy defines the areas whose alarms may or must be monitored and responded to by ASU PD. Any other activated alarms must be monitored and responded to by the units responsible for the doors or access points that generated them. The segment manager may or may not have this responsibility.
Units may specify the access points and alarm types they wish to monitor, the notification type, and the notification recipient for each alarm.
Alarm escalation and law enforcement notification
When an alarm event requires escalation to a call center, the call center shall notify ASU PD as the first point of contact before activating any additional call center notification lists. ASU PD will document the call and determine whether a police response is necessary. Additional procedures and requirements are outlined in the ASU Security Policy.
Exceptions
All emergency response personnel accessing laboratories during emergency situations.
Data governance
The ISAAC system data governance shall be maintained in accordance with the ASU Enterprise Technology Data Governance Standards.
Any ISAAC system data, including database fields, transaction logs, encryption protocols, card formats, communication protocols, event logs, and configuration data, shall be considered sensitive data and shall be isolated and protected in accordance with all university guidelines.
All student data elements in the ISAAC database are protected under FERPA.