Access Control Policy

Summary of Policy

This Access Control Policy ensures that practices for access to the Dartmouth Facilities that make up the Dartmouth Campus are applied consistently to each user of the facilities within predefined Access Groups (faculty, staff, students, visitors, and sponsored entities) and subgroups (visiting faculty, alums, family members, parents, vendors, contractors, and others). Authorization to access Dartmouth Facilities carries certain responsibilities and obligations related to the appropriate and sanctioned use of the facilities and to the inherent risk of access to controlled spaces.

Whereas this policy refers to existing Dartmouth Policy ID 054-0006 Access to User-Related Electronic Information at Dartmouth as related to data records created by the access control system, this policy does not cover access to computer systems (e.g., email, websites, networks); see instead Policy ID 054-0003 Dartmouth Information Technology Policy for information.

Reason for Policy

Introduction

In its effort to foster a welcoming sense of community belonging, provide for the safety and security of all community members physical and intellectual property, and promote a safe and secure campus environment that supports academic excellence, independent thought, and cultural collaboration, Dartmouth has established this Access Control Policy to grant its authorized community members access to its properties, physical buildings, and facilities. This policy accounts for the activities of faculty, staff, students, visitors, sponsored entities, and the operational needs of the various schools, divisions, departments, and programs. Terms in bold+Italic are defined in the 'Definitions' section below.

Affected Parties

All Groups

Policy Statement

This Access Control Policy assumes the use of traditional physical locks and keys for all existing Dartmouth Facilities and, where already installed, a legacy access control system. Furthermore, it establishes, as a standard, the implementation of an Electronic Access Control System for all upcoming/new Dartmouth Facilities or the renovation of existing ones, whereas, at a minimum, Dartmouth Facilities used for academic or administrative functions or student housing, shall be equipped with electronic access controls for all exterior doors. Access control and greater security provisions (including cameras, motion detectors, intrusion alarms, panic alarms, card readers, or other physical controls) for internal and sensitive areas shall be implemented where determined by a security assessment that the provision is commensurate with the risk posed by the use or intended use and occupancy of the location, and the desirability, feasibility, and availability of alternative solutions.

Physical access via an Electronic Access Control System for a Dartmouth Facility and interior spaces, when applied, requires that all card or credential reader-controlled doors, as well as all doors that make up the perimeter of the secured building or interior space, be equipped with access-control lock cores and mechanical key override, such that doors can be opened by emergency personnel, using an access-control lock core key if the Electronic Access Control System were to fail.

Dartmouth grants Authorized Users access to Dartmouth Facilities for sanctioned purposes, as approved by authorized Dartmouth officials. Dartmouth access is managed via a combination of traditional locks and keys and an Electronic Access Control System, which uses a combination of physical controls and Identification Processes to establish who has authorization to enter Dartmouth Facilities and to grant them access. Authorized Users are provided with Access Credentials to expedite their access.

Sharing or reproducing Dartmouth-issued keys or Access Credentials is strictly prohibited; such keys and credentials are the property of Dartmouth, and any misplacement should be immediately reported to the Department of Safety and Security.

Access control system records shall not be used as a time and attendance tool to verify working hours and whereabouts of individuals, unless related to authorized investigations.

The installation or integration of any Electronic Access Control System, physical controls, safety and security systems, and equipment, including exterior or interior installations such as card readers, intercoms, cameras, motion detectors, intrusion alarms, duress or panic alarms glass break sensors, and other controls, must be done in compliance with this policy and based on a security assessment coordinated by the Department of Safety and Security to determine applicability.

Definitions:

Access Control Administrator: Dartmouth staff member of the FO&M Access Control Shop or the Department of Safety and Security responsible for operations and maintenance of the access-control system software and hardware and for creating access procedures, groups, users, and assigning access privileges, etc., within the Electronic Access Control System.

Access Control Area Administrator: Dartmouth staff assigned by division or department and given elevated rights within the Electronic Access Control System software to administer account credentials, grant/revoke access rights to account credentials, set door schedules, etc., for facilities within their areas of purview.

Access Credential(s): An access instrument (physical or intangible) provided to Authorized Users to expedite their access to Dartmouth facilities. This credential may establish the individual holder's identity, affiliation to Dartmouth, and facility access level/authority. The credential can be a password or Personal Identification Number (PIN) (something one knows); a device (something one has) such as a physical ID card or a digital credential loaded into a smartphone; a biometric measure (something one is); or some combination of these (multi-factor authentication). When using a password or PIN for entry into Dartmouth Facilities, and to prevent the sharing of credentials, it is best practice to request two or more-factor authentication to allow access (e.g., password or PIN, plus a biometric).

Access Groups: A set of individuals, organized by their institutional affiliation, who will interact with the Electronic Access Control System to gain access to Dartmouth Facilities. Dartmouth has five main groups: faculty, staff, students, visitors, and sponsored entities. Each of these main groups can be split into subcategories or subgroups.

Authorized Requestor: Includes Dartmouth staff or faculty approved to request access authorization for credentialed individuals to Dartmouth Facilities and their interior areas (if applicable) via Work Order.

Authorized User(s): An individual or group, directly or indirectly affiliated with Dartmouth, who has been granted/authorized access to Dartmouth facilities for appropriate and sanctioned purposes in support of Dartmouth's academic and operational needs as related to its various schools, divisions, departments, and programs.

DartCard: The official Dartmouth Access Credential could be provided as a physical Identification Card (similar to the card used with the legacy system) or a digital credential for loading into a smartphone (as it may be in the future). In either form, the DartCard shall be unique to the holder (photo, description, affiliation, etc.), coded with the holder's facility access level/authority, resistant to forgery or surreptitious alteration, distinctive and easily recognizable Dartmouth brand design, limited duration of validity, and adaptable for display as a badge when provided as a physical Identification (ID) card. In principle, the DartCard could be used for most services on campus, including dining plans, checking out library books, attending athletic events and performances, etc.

Dartmouth Campus: All Dartmouth Facilities in Hanover, NH. When the principles of this policy are applied to any Dartmouth Facilities located elsewhere, it will be clearly communicated to the Access Control Area Administrator and users of that location.

Dartmouth Facility: A Dartmouth-owned or controlled property, building, room, electronic data storage closet (which houses, computers, computer servers, network equipment etc.), and other physical spaces under Dartmouth's control.

Electronic Access Control System: An electronic digital system used for managing entry and exit at a Dartmouth Facility, with a combination of physical controls (doors; DartCard Readers and electronically controlled locks on ingress/access doors; active alarms on egress/exit-only doors; intercoms; cameras; motion detectors; intrusion alarms; duress/panic alarms; glass break sensors, and other controls) and Identification Processes with Access Credentials. Effective electronic access control requires that the Dartmouth Facility implement a closed loop (where all exits and entries are connected) and that an access-control core replaces all door lock cores to avoid system bypass by the use of a key.

Identification Processes: Provide the means (initially and thereafter) to determine who may (has authorization to) enter a facility and, by default, who may not (has no authorization to) enter a facility. Such processes combine policies and procedures with Access Credentials for authorization determination, ascertaining that such determination is valid (establishes the actual identity of the individual involved), reliable (consistently proves valid), easy to use (as simple as possible given a specific situation), resists counterfeiting (not easy to substitute or trick), and durable (should function for an appreciable period of time).

Responsibilities:

Divisions:

  • Athletics and Recreation;
  • Chief Financial Officer: Dartmouth Card Office;
  • EVP: Department of Safety and Security, Human Resources;
  • Provost: Baker/Berry/Carson Library, Burke Chemistry, Computer Science, Computer Store, Campus Services' Tech Services, Geisel School of Medicine, Hood Museum, Hopkins Center, Irving Institute, Information Technology and Consulting, Life Science Center, Moore Psychology, Office of Entrepreneurship and Technology Transfer, Rauner/Webster Library, Student Life, Thayer School of Engineering, Tuck School of Business;
  • SVP Campus Services: FO&M (Access Control Shop, Building Automation Shop, Residential Operations, Troubleshooters, Work Control), Childcare Center, Dining Services, Real Estate Office.
  • Note: This list will be adjusted from time to time to reflect institutional changes in reporting lines, changes in facilities, access control operational needs, and other variants.

Office of Primary Responsibility: The Department of Safety and Security is responsible for policy development; authorization and access policy enforcement; privacy of access records enforcement; physical security assessment and recommendations for electronic access and all security provisions (cameras, motion detectors, intrusion alarms, panic alarms, card readers, and other physical controls) for new and existing facilities; system response triggered incidents; reports of malfunctions; and issuance of temporary access authorization and DartCards.

Office of Secondary Responsibility: Campus Services (FO&M and the Access Control Shop), whereby the Access Control Shop would have direct responsibility for installing hardware, maintaining system software, repairing equipment, and controlling schedules.

Standardization:

In the implementation of its Electronic Access Control System, Dartmouth shall use standardized technology for access control, including Open Hardware Standards (including Open Supervised Device Protocol standard for wired access control methodologies; IP-based door controller technologies; Encrypted wireless door locksets; Single software platform capable of integration with back-office systems and management of open hardware standard field devices; Encrypted credentials delivered via mobile phone and card; as well as others) while adhering to prescriptions of the Construction Specifications Institute (CSI) MasterFormat Division 28 – Electronic Safety and Security Manufacturers as coded in the DARTMOUTH DESIGN & CONSTRUCTION GUIDELINES, Section 28 10 00 on ACCESS CONTROL.

Applicable Areas:

Dartmouth has chosen to standardize the implementation of electronic access control to facilities and areas within the Dartmouth Campus and other identified facilities (including student residential facilities not within the Dartmouth Campus) based on function, usage, and occupancy as follows:

Dartmouth Owned/Managed Properties: All upcoming/new construction or renovation projects used for academic or administrative functions or student housing shall have, at a minimum, electronic access control for all exterior doors for entry and exit. Entry doors shall be equipped for access with card readers, while exit-only doors shall be equipped with door position switches and local alarm sounders.

Electronic access control and other security provisions shall also be implemented for the interior areas of new facilities (and certain existing facilities) based on function and/or occupancy, for example:

  • Telecom Rooms (housing an Individual Distribution Frame [IDF] or a Main Distribution Frame [MDF])
  • Executive offices
  • Classrooms or labs housing sensitive research or equipment
  • Data Centers (dedicated suites, offices, or building areas)
  • Pharmacy and medication supply rooms or closets
  • Hazardous materials, chemicals, or waste storage and recycling areas
  • High-value book storage areas/rooms
  • All Museum areas and other areas housing (for exhibit or storage) acquired art
  • Underground/controlled parking facilities.
  • Individual dorm rooms or suites for student residential housing
  • Mechanical rooms and other areas (for emergency generators, switchgear, plumbing, security equipment, freight elevators, mechanical penthouses, etc.)
  • Student spaces which are open or accessible 24/7 (Novak, 1902 Room, and others)

Dartmouth Occupied Non-Owned/Managed Properties: In buildings occupied by Dartmouth but owned or controlled by others and with access-control technology provided by those other organizations, Dartmouth shall give the organization managing the access-control system directives related to Authorized Users in accordance with this policy.

Records of Access

The Electronic Access Control System shall retain a record of administrative events and access events pursuant to Dartmouth records management policies, procedures, and retention schedules. All data records created by the access-control system (including entry/exit records, video, and images, alarm activations, etc.) are the property of Dartmouth and part of its internal, private, and confidential records and shall be safeguarded and accessed in accordance with established procedures related to the Department of Safety and Security operations and to existing Dartmouth Policy ID 054-0006 Access to User-Related Electronic Information at Dartmouth.

Effectiveness of Policy, Amendments and Dispute Resolution

This Policy is effective as of March 12, 2024. This Policy may be revoked or amended by Dartmouth, in whole or in part, from time to time via the Provost (or the Provost's designee), who is authorized to make revocations or amendments on behalf of Dartmouth, in consultation with a committee composed of representatives from the Department of Safety and Security, Campus Services (FO&M and the Access Control Shop), Risk Management, Environmental Health and Safety (EHS), Residential Life, and the dean(s) or director(s) of any potentially affected area. Any such revocation or amendment shall become effective upon adoption by the Provost or the Provost's designee, or as of such other time as such person shall specify and will be reflected in the current version of the Policy posted within The Dartmouth Policy Portal.

Questions or disputes regarding the application, interpretation, or implementation of this Policy shall be resolved by the Provost or the Provost's designee; the decision of such person on the matter shall be binding on Dartmouth and all individuals subject to this Policy.

Approved By:

Provost
Executive Vice President for Strategy / Special Counsel to the President
Senior Vice President of Capital Planning and Campus Operations

Policy ID

001-0005

Effective Date

March 12, 2024

Last Revised Date

March 12, 2024

Division

Office of the President

Office of Primary Responsibility

Office of the President

Last Reviewed Date

May 2, 2024

Next Review Date

2027