The URL can be used to link to this page

Home My WebLink About04.b. Security Policy+ne Central Contra Costa Sanitary District ' BOARD OF DIRECTORS POSITION PAPER Board Meeting Date: November 20, 2014 Subject: CONSIDER ADOPTING BOARD POLICY (BP) 016 REGARDING SECURITY Submitted By: Initiating Dept /Div.: Shari Deutsch, Safety & Risk Administration /Safety & Risk Management Administrator Management REVIEWED AND RECOMMENDED FOR BOARD ACTION: D. Heath — Director of Administration Roger S. Bailey General Manager ISSUE: The Administration Committee has recently expressed interest in establishing a Board policy on District security. Staff has developed the attached draft policy for the Committee's consideration and comment. This policy is modeled after East Bay Municipal Utility District (EBMUD)'s Board policy on security. It establishes the intent and expectations of the District's security measures, while authorizing the General Manager to implement the procedures, practices and systems needed to meet those expectations. RECOMMENDATION: Adopt Board Policy (BP) 016 (ATTACHMENT 1). FINANCIAL IMPACTS: None at this time. ALTERNATIVES /CONSIDERATIONS: The Board may choose not to adopt the Security Policy. BACKGROUND: The purpose of the policy is to ensure that adequate security measures are in place to provide a secure workplace for District employees and visitors and to protect District property and systems from external or internal threats, especially those that could compromise the operation of essential District services. The proposed policy specifies publicly accessible areas of District facilities and considers all other locations to be non - public areas subject to access control procedures. The proposed policy requires that all employees wear their District - issued badges while on the premises and requires the implementation of access control systems to restrict access to others as appropriate. The procedures, tools and systems used to control facility access are detailed in the attached Access Control Procedures (ATTACHMENT 2). This administrative procedure was recently updated to support the draft Board Security Policy under consideration. The updated version of the Access Control C: \Users \cgee \Desktop \PP Security Policy.docx Page 1 of 2 f -- 4 �f POSITION PAPER Board Meeting Date: November 20, 2014 Subject., CONSIDER ADOPTING BOARD POLICY (BP) 016 REGARDING SECURITY Procedures will be implemented when the Board adopts a final version of a security policy. Staff is currently drafting a Physical Security Procedure to complement the Access Control Procedures. Information security issues will be addressed in a third administrative procedure when the Information Technology (IT) security evaluation is complete. Staff will review and update these procedures regularly and will propose new ones as needs, circumstances and facilities change over time. COMMITTEE RECOMMENDATION: Recommend approval of the proposed Board Security Policy to the full Board of Directors. RECOMMENDED BOARD ACTION: Adopt Board Policy (BP) 016 regarding Security, effective November 20, 2014. Attached Supportinq Documents: 1. Proposed Board Security Policy, BP No. 016 2. Administrative Procedure — Access Control C: \Users \cgee \Desktop \PP Security Policy.docx Page 2 of 2 D)?AF;r Number: BP 016 Authority: Board of Directors Effective: November 20, 2014 Reviewed: Initiating Dept. /Div.: Safety & Risk Management BOARD POLICY SECURITY PURPOSE Attachment 1 Central Contra Costa Sanitary DistricE To maintain a level of security sufficient to provide a secure workplace for District employees and visitors and to prevent or mitigate loss or damage to District assets and critical infrastructure from internal or external threats. POLICY • It is the District's policy to proactively protect its employees, systems, facilities and property from threats, loss and damage. The District will monitor and maintain systems, contracts and procedures to address security issues on a daily basis. The District will also create, maintain, and enforce access control procedures for employees, visitors, contractors and vendors to limit access based on appropriate authorization. The District will employ these and other physical and procedural controls to prevent, reduce and mitigate the impacts of such risks. • The District will prioritize security for critical assets to minimize impacts on the ability to collect and treat wastewater. The District will utilize appropriate capital facilities and equipment to enhance the District's ability to deter, detect, delay and assess criminal actions. Public Areas: The following areas of CCCSD are open to the public during normal business hours: • HOB Lobby • HOB Permit Counter • Household Hazardous Waste Collection Facility drop -off site and driveways Number: BP 016 SECURITY Page 2 of 2 The following areas of CCCSD are open to the public during public meetings or pre - approved scheduled events: • Board Room • Multi- Purpose Room All other areas of District facilities are considered private property. All visitors and guests with business beyond the public areas must be escorted by an authorized District employee. Identification: • All District employees will be issued ID cards upon hire. Employees are required to display their ID cards on their outermost garment of clothing while on site. • ID cards for separated and terminated personnel shall be deactivated immediately. • Contractors and visitors whose business with the District extends beyond the public areas shall receive and display District - issued identification on their outermost garment of clothing while on site. Access Control: • The District shall maintain an access control system to allow appropriate access to employees or other authorized persons where access is needed to perform their duties. The system shall be configured to limit access to areas and times as designated by management. • The District shall develop and implement a master key system for all doors and perimeter access points within the Martinez and Walnut Creek campuses. • The District provides ID cards, keys and other access control tools to employees and other personnel in order to facilitate performance of their duties. These items remain District property and shall be surrendered upon the request of authorized personnel. RESPONSIBILITIES The General Manager is authorized to establish and implement procedures to support this policy. rAttachment 1 Access Control Procedures Established by: Shari Deutsch, Safety & Risk Management Administrator Effective Date March 1, 2009 Approved by: Jim Kelly, General Manager , Updated: TBD Purpose: Approved by: Roger S. Bailey, General Manager It is the District's intent to provide appropriate security for its personnel and property while balancing the need to perform daily operations efficiently and to provide timely responses in case of emergency. Scope: This procedure applies to all: • District personnel including board members, regular employees, temporary employees, co -ops, summer students and selected long -term contractors; • Access control facilities and equipment at the Martinez and Walnut Creek campuses. Access control facilities and equipment include access card readers, ID cards locks, locksets and keys to doors and gates. This policy does not apply to keys or locks to storage cabinets, desks, equipment or vehicles. Introduction: Safety & Risk Management (SRM) is responsible for access control systems at the Martinez and Walnut Creek campuses including all card readers, access control software, ID cards, gate and door locks, lock hardware, and associated keys. Directors, managers and supervisors are responsible for keys to any equipment, desks, cabinets and vehicles under their control. No employee, supervisor, manager or director is authorized to disable or reset access card readers, to change door or gate lock hardware, locks or keys or to make copies of keys without the express approval of the General Manager and in coordination with SRM. REVIEW DRAFT 10/30/14 General Control Procedures: • All employees will be issued an ID card upon hire. An ID card shall consist of a photo ID including the person's name, department and job title, and an access card programmed with approved access to District facilities. • Employees must display they ID cards on their outermost garment of clothing at all times while on District premises; • Employees are not permitted to share ID cards or to allow others to access the facilities with them (often called `piggy backing). • Visitors with business at the District extending past the HOB Lobby, permit counter or the Board Room, shall be escorted by authorized District personnel at all times. • Visitors with business at the District extending past the HOB Lobby, permit counter or the Board Room, shall wear a visitors badge on their outermost garment of clothing at all times while on District premises. • SRM shall maintain the access control software and keep a record of keys issued to all District personnel. • The access control software shall be configured to limit access to areas and times as designated by an employee's manager. • Temporary personnel shall be issued ID cards that expire on the day their work with the District ends. If that date is unknown, ID cards will be issued with a maximum activation term of 90 days. • ID cards for separated and terminated personnel shall be deactivated immediately. • Keys to building perimeter doors shall not be issued except when specifically required to perform a specific job function. Such keys will be issued to the Department Director who assumes responsibility to secure the key appropriately. Responsibilities: Safety & Risk Management (SRM) • Develop and implement a master key system for all doors and perimeter access points within the Martinez and Walnut Creek campuses; • Maintain a log of all door and gate keys issued to individuals as well as all door and gate keys stored in shared access key cabinets; • Periodically audit the key logs to ensure compliance with this policy and accuracy of records; • Coordinate installation, repair and replacement of all door and gate lock components in accordance with equipment standards; • Coordinate installation, repair and replacement of all card readers or other access control measures; • Maintain access card reader and ID card production software; 2 REVIEW DRAFT 10/30/14 • Issue keys and ID cards with approved levels of access to District personnel; • Provide visitor badges for distribution at the HOB Lobby; • Provide photo identification badges to contractors working in private areas of District facilities; • Review this policy periodically and recommend changes as needed. HOB Lobby Receptionist • Issue visitor badges to all persons whose business at the District extends beyond the HOB Lobby, permit counter or the Board Room; • Track badge numbers on the daily sign in sheet; • Collect badges from visitors during the sign -out process. Project Managers with On -Site Contractors • At least one week before on -site work begins, provide SRM with the names of contractor personnel expected to be working on District property and the duration of the on -site work; • Distribute badges to on -site contractor personnel; • Advise SRM when contractor personnel have completed work or will no longer be on -site; • Collect all badges from contractor personnel when their work is complete and return them to SRM. Employees • Properly use and protect all issued ID cards and keys; • Report the loss of ID cards and keys and any lock problems to SRM as soon as possible; • Surrender ID cards and keys as described in this policy. Supervisors • Initiate and route Access Request Forms and Key Request Forms for appropriate signatures and forward to SRM; WK REVIEW DRAFT 10/30/14 • Ensure that keys are issued only to employees who need them to perform their duties; • Forward any requests to change locks and /or locksets to SRM; • Forward requests to issue new or additional keys to SRM; • Report any damage, needed repairs or maintenance to locks or locksets to SRM; • Be responsible for the content and use of door and gate keys stored in shared access key cabinets; • Periodically review the access granted to their employees for accuracy and propriety; • Advise SRM to extend the activation of ID cards issued to temporary personnel as needed. Managers /Directors • Establish access control guidelines for positions and /or employees under their supervision; • Advise SRM of any proposed changes to access control guidelines within the work group; • Sign and submit Access Request Forms and Key Request Forms to SRM in a timely manner; • Train supervisors and employees on their responsibilities under this Access Control Procedure. EOC First Responders • Access for EOC staff and emergency response personnel is addressed in the District's Emergency Operations Plan. Procedures: Issuing Keys • Supervisors may authorize the distribution of new or additional keys to areas within their control to current employees via submission of a signed Key Request Form to SRM. • Upon receipt of an approved Key Request Form, SRM shall issue keys to new employees in accordance with the access control guidelines established by the work group supervisor. • Upon receipt of any new key or keys, each employee will sign the Key Request Form to acknowledge all keys received. 4 REVIEW DRAFT 10/30/14 Issuing ID Cards • Requests for new ID cards must be made using the Access Request Form. Managers shall sign and forward Access Request Forms to SRM, indicating the locations and hours of access needed to allow personnel to perform their duties. • Upon receipt of a Access Request Form, SRM staff will program the ID card and provide it to the designated individual. Returning ID Cards and Keys ID cards and keys to District property are provided to employees to facilitate performance of their duties. These items remain District property and shall be surrendered upon request of an employee's supervisor, manager or department director, or SRM. Keys must be surrendered under the following circumstances: • Termination of employment • Leaves in excess of 30 days • Change of Duty/ Work Group • Change of Lock ID cards must be surrendered under the following circumstances: • Separation or termination of employment • Leaves in excess of 30 days Supervisors, managers or directors shall collect ID cards and keys and forward them to SRM. Lost ID Cards or Keys • All lost ID cards and keys shall be reported to SRM as soon as possible. • SRM will discuss whether or not to re -key areas affected by lost keys with the supervisor or manager of the reporting work group. • If re- keying is found to be necessary, costs to perform such work will be charged to the responsible work group. Re- keying locks 4 REVIEW DRAFT 10/30/14 • Requests to re -key locks shall be submitted to SRM. SRM will review the request with the supervisor or manager of the requesting work group and evaluate any impacts to the master key system. • Costs to perform re- keying work will be allocated based on the reason for change. Shared Access Key Cabinets • Shared access key cabinets containing door and gate keys will be audited periodically by SRM staff. • Managers and supervisors of work groups with shared access key cabinets are responsible for tracking removal and replacement of all keys stored in the cabinets covered by this policy. Attachments: Key Request Form Access Request Form Related Policies and Procedures: Board Policy 15 - Security On -site Contractors Badging Procedures (forthcoming) District Visitors Badging Procedures (forthcoming) Information Technology Security Policies and Procedures (forthcoming) Operations Security Procedures (forthcoming) 6 REVIEW DRAFT 10/30114 NAME: JOB CLASS TITLE: CENTRAL CONTRA COSTA SANITARY DISTRICT KEY REQUEST FORM Regular Employee❑ Temporary❑ Co -op❑ Other❑ Estimated time period Temps will work: DEPARTMENT /DIVISION: (Check one only) MANAGEMENT/ BOARD OF DIRECTORS ADMINISTRATIVE ENGINEERING - CAPITAL PROJECTS. ENGINEERING - ENVIRONMENTAL SVCS COLLECTION SYSTEM OPERATIONS PLANT OPERATIONS DEPARTMENT Other — Specify (Janitorial, Contractor, Guards, etc.): Key Description Quantity Date Recipient Date Recipient Issued Issued Initial Returned Initial I z � Authorized by Supervisor: (please print) Signature of Supervisor: Date: Employee Acknowledgement understand that by signing below, I assume responsibility for the above keys and their use. I will follow the District's Key Control Policy, including not loaning my keys to others, reporting lost keys immediately and returning the above keys upon the end of my employment or as outlined in the Key Control Policy. Signature of Employee: Date: Please return this form to Safety & Risk Management 7 REVIEW DRAFT 10/30/14 CENTRAL CONTRA COSTA SANITARY DISTRICT ACCESS REQUEST FORM NAME: ❑ Regular Employee ❑ Temporary ❑ Co -op ❑ Other Estimated time period Temps will work: JOB CLASS TITLE: DEPARTMENT /DIVISION: (Check one only) CARD READER ACCESS AREA: (Check alt that apply): MANAGEMENT/ BOARD OF DIRECTORS ADMINISTRATION ENGINEERING - CAPITAL PROJECTS ENGINEERING - ENVIRONMENTAL SERVICES OPERATIONS - COLLECTION SYSTEM OPERATIONS - PLANT OPS / MAINTENANCE OTHER — Specify (Janitorial, Contractor, Guards, etc.): CARD READER ACCESS AREA: (Check alt that apply): A. SCHEDULE OF ACCESS TIME (Check only one): HOB LOBBY DOOR (Open 8:00 a.m. — 5:00 p.m. M -F) HHWCF D. Wyatt HOB BACK DOOR (Open 7:30 a.m. — 5:00 p.m. M -F) MECHANICAL MTCE. BUILDING (Open 6:00 a.m. — 3:00 p.m. M -F) T.P. Mgr. HOB ACCOUNTING — COMPUTER T. Vassallo MATERIALS CONTROL BUILDING (Open 6:00 a.m. — 4:00 p.m. M -F) S. Kin HOB RECORDS —VAULT T. Vassallo SUB - STATION 82 T.P. Mgr. HOB GARDEN LEVEL Sign off required if not HOB employee D. Heath LABORATORY FRONT DOOR (west door) LAB. BACK DOOR TO PLANT (east door) M. Esparza POD N.E. DOOR (After -hours door controlled by Operations Dept.) MAINTENANCE & RELIABILITY CENTER (MRC) I (Open 4:00 a.m. — 5:00 p.m. M -F) T. P. Mgr. POD S.E. BACK DOOR (Open 7:30 a.m. — 5:00 p.m. M -F) (Between POD & HOB back door) T.P. SOUTH GATE T.P. Mgr. POD N.W. DOOR (POD OFFICES) T.P. Mgr. MARTINEZ PUMPING STATION GATE _ D. Rhoads POD TRAINING ROOM (Open 6:00 a.m. — 5:00 p.m. M -F) T.P. Mgr. CSO LOBBY ENTRY P. Seitz CSO LOWER ENTRY P. Seitz POD IT STAFF OFFICE R. Li POD BASEMENT NETWORK ROOM (MDF) R. Li CSO WAREHOUSE P. Seitz PLANT MAIN GATE (Open 7:30 a.m. — 5:00 p.m. M -F) T.P. Mgr. CSO SOUTH GATE P. Seitz A. SCHEDULE OF ACCESS TIME (Check only one): B. OR, ALTERNATE SCHEDULE (Check only one, then indicate time period): MONDAY thru FRIDAY MONDAY thru SATURDAY MONDAY thru SUNDAY TIME PERIOD: Approved by: Approved by: SUPERVISOR Date Approved by: Approved by: DEPARTMENT DIRECTOR Date REVIEW DRAFT 10/30/14 DIVISION MANAGER Date SAFETY & RISK MANAGEMENT Date ADMINISTRATOR 24 HOURS /DAY, 7 DAYS/WEEK MONDAY thru FRIDAY - 6:00 AM to 7:00 PM (Managers, Supervisors & Special Schedules MONDAY thru SATURDAY - 5:00 AM to 10:00 PM MONDAY thru FRIDAY - 7:00 AM to 7:00 PM (Regular Employee - General Access MONDAY thru FRIDAY - 6:30 AM to 3:00 PM CSO - General Access Non CSO Staff OTHER: B. OR, ALTERNATE SCHEDULE (Check only one, then indicate time period): MONDAY thru FRIDAY MONDAY thru SATURDAY MONDAY thru SUNDAY TIME PERIOD: Approved by: Approved by: SUPERVISOR Date Approved by: Approved by: DEPARTMENT DIRECTOR Date REVIEW DRAFT 10/30/14 DIVISION MANAGER Date SAFETY & RISK MANAGEMENT Date ADMINISTRATOR