Policy Statement: The Card Access Security System provides access to building entrances and special facilities as determined by the appropriate policy makers. The records generated by the card access system (e.g., the card used to gain entrance and when) are to be considered sensitive information and controls must be in place to protect the confidentiality, integrity, and access of such records. The records can be retrieved for purposes of: general system maintenance by the Card Access Administrator; life-threatening emergencies; investigations into criminal and student code of conduct violations; monitoring of ingress to and egress from areas designated as data centers; investigations into violations of this policy or unauthorized access of the records; or other emergencies as defined by College policy. Retention of records will be limited in duration as per predetermined schedules. Violators of the Card Access Security System Policy or unauthorized access of the records will be subject to disciplinary action.
The Card Access Security System is not a time-and-attendance system and will not be used to enforce time and attendance for employees or students.
All records generated by the system are subject to all Federal and State statutes and other college privacy policies and procedures. Access to these confidential records by outside entities will be denied unless subpoenaed or used in court proceedings. Any authorized information obtained is to be used solely for the purpose for which it was authorized.
Rationale: The intent of the Card Access Security System is to provide greater safety, security, and convenience for all students, faculty, staff and sensitive institutional data. The system generates detailed records and, as such, policies and procedures are necessary to govern access to and retention of those records.
Applicability of the Policy: This policy applies to all SUNY Oneonta staff authorized to access the Card Access Security System.
Policy Elaboration: N/A
Data Center – locations that store sensitive data and require monitoring of physical access to comply with standards or other regulatory requirements.
Permission to retrieve the records for the purpose of investigations into criminal and student code of conduct violations and investigations into violations of this policy or unauthorized access of the records must be granted by the College President or his/her designee.
Records of ingress to and egress from data centers will be reviewed regularly for unexpected activity by the manager of the area. Exceptions to expected activity will be logged and reported to the IT Security Administrator. Logs may be audited at any time by the IT Security Administrator. The records and logs of data center access will be kept online and available for 90 days and maintained for 1 year, at which time they will be erased. Card access permission lists for data centers will be reviewed by area managers quarterly.
All other records will be maintained, stored and erased by the Card Access Administrator. All such records will be retained for no more than two months, one month active on the system and one month stored. After this period, the stored data is erased. The storage and erasure will take place the first business day of every month.
Prior to storage of the monthly records, a report will be generated by the Card Access System Administrator and made available to the President or his/her designee, documenting, with explanation, who has requested and was granted access to the history information.
Any proposed alterations of the above characteristics and conditions must involve prior consultation with appropriate administrative and governance groups.
Contacts: Questions related to the operational interpretation of this policy should be directed to:
Facilities Planning Office at Extension 2710
Payment Card Industry Data Security Standard https://www.pcisecuritystandards.org/security_standards/documents.php
Approved by the President: September 13, 2011
Reviewed by College Senate: September 26, 2011