University Policy 8.1
Physical Security Systems
Introduction
Cornell University is committed to providing a safe and secure environment for all students, faculty, staff, and visitors. This policy outlines the responsibilities and procedures regarding physical security systems and public safety at all Cornell campuses, locations, and facilities for the protection of the Cornell community, as well as university-owned grounds, buildings, and property and the state buildings and property under the supervision, administration, and control of the university, and to aid in the prevention of crime and enforcement of applicable laws and Cornell policies.
All members of the Cornell community have a shared responsibility for promoting community safety, as well as the security of university property, buildings, and assets. Security is defined as protecting the university, its people, and its assets against threats and risks, including but not limited to physical, environmental, or cyber/digital threats or risks. An essential element of security is maintaining adequate controls to restrict access to campus facilities to authorized individuals. Campus security controls, systems, and procedures established by the Division of Public Safety are designed to support the safe and continuous operation of the university.
Security measures should promote the following objectives:
- an open, safe, and welcoming campus.
- the personal safety of individuals.
- the reduction of security incidents and the minimization of risk.
- the protection of premises and physical assets, including personal property and vehicles.
- and the protection of personal data, information, and research.
Scope of Policy
Policy 8.1, the security systems procedures, and the university’s Design and Construction Standards establish minimum security standards that must be maintained throughout the university. This policy and the accompanying procedures apply to every Cornell staff member, faculty member, student, and sponsored affiliates across all university-owned or operated facilities or property on the Ithaca campus, Cornell AgriTech campus, and other remote locations administered centrally from the Ithaca campus. Security systems (e.g., card access, video surveillance, key management, and intrusion detection, when applicable) must be incorporated into the design elements of all new construction and renovations and when existing facilities components are updated, renovated, or replaced (see procedural documents for specific requirements). System-specific content of this policy does not apply to the Cornell Tech campus in New York City due to their dissimilar systems and procedures.
To Who This Policy Applies
This policy applies to
þ Cornell University þ Cornell Tech ☐ Weill Cornell Medical
1.0 Policy Principles
- 1.1 Division of Public Safety operates and maintains centralized security systems for the use of campus units in support of their physical security obligations. All card access hardware, keys, surveillance, and intrusion systems must be integrated with the university’s central security systems, able to be accessed by the Division of Public Safety, and adhere to Policy 8.1, Security System Procedures and the Design and Construction Standards 281316.
- 1.2 Each academic or business unit is responsible for developing security controls, systems, and procedures to ensure their facilities are safe and secure. This plan, submitted annually at the beginning of each fiscal year by the unit to the Access Control Program, must address the following: designated building and operational hours, guidelines for building use, surveillance of these facilities and locations, the tracking of university key systems, access devices, and credentials, as well as the locations they access and the individuals to whom they are issued.
- 1.2.1 Authorizations and appointments - College/Unit Deans, Vice Provosts, Vice Presidents, and Associate Vice Presidents must authorize people within their organizations who will assume responsibility for facility access and video surveillance (Access Control Coordinators, Key Control Coordination, and Network Video Surveillance System Operators). These authorized people are responsible for the development of security plans and the audit requirements for each system.
- 1.3 Cornell requires that departments and units maintain control of all devices and systems that provide access to their university facilities and vehicles. This includes possession, issuance, and storage of devices or credentials, as well as security through timely access audits. The issuance of access devices should be systematic, need-based, and in accordance with university policy and procedures. Authorized College or Unit Access Control Coordinators (ACCs) and Key Control Coordinators (KCCs) must determine the need for access device issuance based on job functions, research needs, and class requirements. Issuance of access devices should be kept as infrequent as possible, with consideration given to hours of work, workspace, alterna¬tives, frequency, urgency, and sensitivity. Access devices should be retrieved, and card access revoked, after such a time that an indi¬vidual has no valid need for access to a university space. ACCs and KCCs must perform audits each semester to ensure that access is still warranted and should remain in place. Documentation of these audits must be kept for three years and provided to the Associate Vice President for Public Safety, or the Director of the Access Control Program, upon request.
- 1.4 Device or credential holders are required to maintain control of access devices and credentials issued to them, ensure their proper use, report lost devices or compromised credentials, and return devices to their supervisors or authorized personnel when no longer required. Individuals are prohibited from unauthorized possession or duplication of access devices to university facilities or vehicles, from disabling or circumventing access devices, and from making changes to access without following the procedures set forth in university policy and procedures.
- 1.5 Privacy - Cornell University aims to provide its community with a safe and secure environment, which is achieved, in part, through judicious use of network video surveillance systems and card access technology. The university is also sensitive to the privacy and freedoms of expression and assembly of members of its community. As a result, this policy limits the use of approved equipment and the circumstances in which recorded material may be released. Card access events and video captured from university security systems cannot be viewed or shared with unauthorized individuals unless explicit approval has been attained through the Division of Public Safety Access Control Program. Furthermore, networked video surveillance and card access technology is not intended to be used as a tool for routine performance management of university employees.
- 1.6 Building Access – Centralized Card Access/Key Management
- 1.6.1 Card access is required on all exterior doors, areas of high risk or high institutional value, areas where critical infrastructure or sensitive records reside, and areas where specialized training or authorization is required.
- 1.6.2 All campus buildings must remain secured, and access must be restricted to authorized individuals after established business hours, on weekends, and when the university is closed.
- 1.6.3 Residential facilities must always be secured, requiring card access by residents and authorized staff only.
- 1.6.4 Cornell requires that departments and units maintain control of all devices and systems that provide access to university facilities and vehicles. This includes possession, issuance, and storage of devices or credentials, and security through timely access audits. In addition, device or credential holders are required to maintain control of access devices and credentials issued to them, ensure their proper use, report lost devices or compromised credentials, and return devices to their supervisors or authorized personnel when no longer required.
- 1.6.5 Individuals who are temporarily without their access device(s) and locked out of spaces to which they have authorized access must follow their individual department/college/unit procedures to obtain access.
- 1.6.6 The Cornell University Police Department may provide access to authorized individuals who are temporarily without access to a particular space after confirming the individual has authorization to access that space with a primary or secondary building coordinator, department manager, unit director, or college dean, or when emergency access, as defined in this policy, is required.
- 1.7 Emergency Responder Access
- 1.7.1 Access must be granted to designated personnel responsible for providing emergency response and critical service response to facilities and spaces. These individuals must abide by the principles of this policy and individual department/college/unit policy (which may be more restrictive).
- 1.8 Security Video Surveillance
- 1.8.1 Security camera installations are intended to provide a safe and secure campus environment and to protect personal safety, property, and research by delivering recorded, usable images along with an audit log of events at each location to assist with criminal and other administrative investigations, risk assessment, and loss prevention and recovery (material and financial) incidents.
- 1.8.2 Cornell requires that departments and units install video surveillance in support of a safe and secure facility. Authorized College or Unit Network Video Surveillance System Operators (NVSSOs) are responsible for determining the need for internal review of video recordings in support of the college/unit operations.
- 1.8.3 Security cameras must be installed at egress points of a facility (internally and externally). Surveillance is required at facility loading docks, inside elevator cabs, areas of high traffic, event spaces within campus facilities, and along major pedestrian and vehicular routes. All new construction must include these requirements. For existing buildings, these requirements should be included during renovations, expansions, or as units identify funding.
- 1.8.4 Security cameras will be installed in areas required to satisfy regulatory and compliance requirements, including areas deemed high risk.
- 1.8.5 All cameras (including academic and research) must be integrated into the university’s centralized security video surveillance system (unless an exemption is granted). All cameras must be viewable by the Division of Public Safety Communications Center, the Cornell University Police Department, and the Access Control Program. All cameras must be maintained and operational to comply with IT policy and performance standards.
- 1.8.6 The Chief of Cornell Police may authorize a video installation in the following situations:
- 1.8.6.1 When it is required for an impending visit by a dignitary.
- 1.8.6.2 For a criminal investigation, by order of CUPD or Audit.
- 1.8.6.3 For an emergency (e.g., a significant, imminent risk to public safety and/or university property or a campus emergency).
- 1.8.6.4 In the event of a criminal investigation or an emergency video installation, the Chief of Police, in consultation with the Associate Vice President for Public Safety or designee and the vice president or dean of the affected unit(s), may approve the use of portable and/or hidden surveillance equipment (as opposed to a fixed location installation).
2.0 Responsibilities
2.1 Responsible Offices
- 2.1.1 The Division of Public Safety Access Control Program is responsible for the effective operation and implementation of this policy and procedures, administration, and maintenance of the security systems, and for compliance with this policy, operating procedures, design and construction standards, and all associated laws and legislation.
2.2 University Management
- 2.2.1 Associate Vice President of Public Safety: Responsible Executive for this policy. Reviews any denied policy exemption requests and makes final determinations.
- 2.2.2 Policy Sponsors: Chief of Police and Director of Risk Management – Provides policy guidance to the Access Control Program. Reviews policy exemption requests.
- 2.2.3 College/Unit Leadership: Deans, Vice Provosts, and Vice Presidents are responsible for complying with the standards outlined in this policy. Authorize people (security liaisons) within their organizations who perform the duties and responsibilities of Access Control Coordinators, Key Control Coordination, and Network Video Surveillance System Operators.
- 2.2.4 College/Unit (ACC, KCC, NVSSO): An individual specifically authorized to perform the responsibilities related to the university’s physical security systems (e.g., card access, key management, intrusion detection, or video surveillance). These individuals may delegate authority for a subset of duties to other authorized individuals within the unit.
2.3 Individuals
- 2.3.1 Device or credential holders must maintain control of access devices and credentials issued to them, ensure their proper use, report lost devices or compromised credentials as soon as possible, and return devices to their supervisors or authorized personnel when no longer required.
- 2.3.2 Individuals are prohibited from unauthorized possession or duplication of access devices to university facilities or vehicles, from disabling or circumventing access devices, and from making changes to access without following the procedures set forth in university policy and procedures.
3.0 How to request an exemption
If a college or unit wishes to pursue a course of action that does not adhere to this policy, it must make a request for exemption to the Access Control Program (ACP). ACP will assist in framing the request to send forward to the Chief of Police and the Director of Risk Management. This request must include Information such as the need, the hardship, the location, the timeframe, and the proposed hardware.
Increased recording retention requests must be submitted in writing to the Access Control Program and approved by the policy sponsors. This will add additional cost to installations for the increase in storage hardware needs.
Once the request has been reviewed, the requester will receive written notification either approving the request or denying it. The approval will contain any stipulations that must be adhered to for the installation. If the request is denied, the requester has the option of appealing the decision to the Associate Vice President for Public Safety, who will review and make a final determination.
4.0 How to Report a Concern
The Cornell Ethics and Compliance Hotline is the primary mechanism to confidentially or anonymously report ethics, integrity, or compliance concerns to the University.
Other reporting options are also available.
5.0 Record Retention
Records associated with this policy shall be maintained by the Division of Public Safety Access Control Program. Records shall be retained or disposed of in accordance with University Policy 4.7, Retention of University Records.
- 5.1 Card Access Events: Card access information is retained for three (3) years.
- 5.2 Recorded Video: Recorded security video is retained for fourteen (14) days.
Data captured from these systems can be used in the event of suspected criminal activity, or other incident which could create a liability for the university. These data must be made available and may be seized as evidence or supporting institutional documentation and held until the conclusion of any judicial/legal/administrative proceeding or analysis. Deidentified data may be utilized for institutional purposes such as space planning, occupancy analysis, and other legitimate business needs.
6.0 Compliance
- 6.1 Non-compliance with university policies is addressed by applicable disciplinary policies and procedures and is subject to progressive disciplinary action up to and including termination.
- 6.2 Where standards of behavior do not meet the expectations set out by the university, actions may result in the invocation of Cornell’s conduct or disciplinary procedures. Where behavior on our campuses may constitute a crime, the university will work collaboratively with law enforcement to support any criminal investigations.
7.0 Related Resources
- Access Control Program Video Surveillance Procedures for Adherence to Policy 8.1
- Access Control Program Key Management Procedures for Adherence to Policy 8.1
- Access Control Program Card Access Procedures for Adherence to Policy 8.1
- Access Control Program Intrusion Procedures for Adherence to Policy 8.1
- College/Unit Authorization Forms
- DCS Cornell University Design and Construction Standards Division 28 281316 - Electronic Safety and Security Systems and all its referenced documents
- DCS Cornell University Design and Construction Standards Division 8 – Door Hardware and all its referenced documents
8.0 Definitions
| Term | Definition |
|---|---|
| Facilities | University-owned or operated land; a building, room, array of equipment, or a number of such things, designed to serve a particular function. |
| Central Security Systems | Electronic and physical solutions deployed and managed centrally by the Division of Public Safety, intended to promote common physical security implementations among facilities. |
| Access Control Coordinator (ACC) | Individuals specifically authorized by College/Unit leadership (Dean, Vice President, Vice Provost) to manage access devices related to card access systems and operating configuration for the building/space. An ACC may delegate authority for a subset of access levels to one or more cardholder manager (CHMs). |
| Key Control Coordinator (KCC) | Individuals specifically authorized by College/Unit leadership (Dean, Vice President, Vice Provost) to be responsible for requesting, issuing, receiving, and maintaining key assignments, key inventories, transaction systems, forms, performing key audits, and lost key analysis, and records. A KCC may delegate authority for a subset of keys to one or more associate key control coordinator(s) (AKCCs). |
| Network Video Surveillance System Operators (NVSSO) | Individuals specifically authorized by College/Unit leadership (Dean, Vice President, Vice Provost) for viewing a network video surveillance system within their unit/space. |
| University Key Systems | Physical brass keys and related hardware. |
| Access Device | A mechanical or electronic device or credential used to gain access to a university facility or vehicle. |
| Credentials | An electronic identification component such as badge, password, username, etc. |
9.0 Responsible Office and Policy Administration
| Policy Clarification and Interpretation | Contact | Phone | Email/Web Address |
|---|---|---|---|
| Division of Public Safety Access Control Program | David Brooks, Director | 607-255-4865 | dtb26@cornell.edu |
10.0 Responsible Executive
| Unit | Title |
|---|---|
| Division of Public Safety | Associate Vice President |
11.0 Revision History
| Date Issued: | April 2, 2009 |
|---|---|
| Date of Full Review: | January 28, 2025 |
| Date Last Updated: | January 28, 2025 |
| Revision Notes: | Substantial Revisions - Transfer to new template and HTML |