Maine State Government

Dept. of Administrative & Financial Services

Office of Information Technology

 

 

Edison Drive Office Complex Building Access Procedures and Standards of Operation

 

I. Statement

It is the responsibility of the Security section of Core Technologies Services (CTS) to provide a secure and stable physical environment.

 

II. Purpose

The purpose of this document is to clarify and delineate the process by which employees, contractors, vendors, and other individuals are authorized for access, and the conditions for controlling that authorized access.

 

III. Guidelines

A.  The Edison Drive Complex is a controlled access building.  The information, forms, and material handled at this facility are of the most sensitive and confidential nature.  Therefore, it is necessary to limit building access to those people who have a business reason to be there, or who are visiting a specific employee at the facility.

 

B.  Entry to the building must be recorded.  There must be a record maintained of persons who enter the building.  This recording may be accomplished through the use of a card access control system, a sign in log, video monitoring system, or other mechanism.  No one will be admitted to any access controlled area of the building unless they use an authorized access control card, or sign a log and present identification credentials.

 

C.  Employees are responsible for all persons who visit them whether for business or personal reasons.  Employees must provide an appropriate level of supervision of visitors so that security requirements are maintained.  While it is not necessary for an employee to accompany a visitor continuously, the employee must ensure the visitor does not inadvertently compromise security or disrupt essential services.  For example, it is not necessary to accompany a visitor to the rest room, but the visitor must be supervised while in the computer room, and escorted to and from the building exit.

 

D.  All persons in the building must prove identity, whether they are a building employee, contracted employee, or visitor.  Building employees and resident contractors will be issued a photo  identification badge after an access request procedure is followed.  Visitors and occasional contractors will be issued a temporary badge identifying them as a visitor or contractor after presentation of proof of identity.  Because employees, contractors, and authorized visitors are identified, it will be easy to spot an unauthorized individual in the building.  Persons who are unable to present proof of identity must be considered a security risk, and must not be allowed in high security areas.

 

E.  There are areas of the building that require a higher level of security.  The OIT computer room, OIT telecommunications room, OIT Shipping & Receiving, and OIT Server test lab are access controlled.  Access authorization for these areas is granted by the area supervisors, and administered by building security staff. 

 

F.  Every employee has a responsibility to help ensure the security and safety of their fellow workers, and the building.  Although we have a security officer on duty 24 hours a day, and an access control system to prevent unauthorized access, every employee must take responsibility to ensure building security as well. Employees must not compromise building security by propping doors open “to get a breath of fresh air” or holding a door open to let someone in the building.  Taking such actions lessens building security and increases the risk to every employee.  Employees should feel empowered to challenge anyone in the building who is not wearing an identification badge to present their badge.  Individuals who are unable to produce a badge must be immediately escorted to the security office to be authorized.  Employees must also report to the security office any security irregularities such as doors left open.

 

IV. Procedures

A. Access Control System.

1. Access to the Edison Drive Office Complex is controlled through the use of a card access system.  This is a proximity card access system in which the access card is held in close proximity (about 2”) to the reader.  All access attempts, whether successful or failed, are recorded and stored by the access control system.  The system is managed by the Bureau of General Services, Building Control Division.

 

B. Access Identification Badges – General

1. All persons in access controlled areas of 51 Commerce Center Drive must wear and display a valid ID badge issued in accordance with this policy.

2. Areas of 51 Commerce Center Drive that are not considered access control areas are the lobby and all areas accessed from the lobby that are not secured by either a card access reader or keyed lock.  Specifically these areas are the lobby, cafeteria, meeting rooms accessed from the lobby and cafeteria, four small interview rooms accessed from the lobby, loading bays, and restrooms.  All other areas are access controlled areas.

3. Employees must immediately escort persons found in access controlled areas without proper identification to the security office, or at a minimum, immediately notify the security office of such persons if they refuse to be escorted to the security office.

C. Personal access badge layout.

1. Badge layout – general

D. Wearing and Care of Identification Badges.

1. All employees, contractors, and visitors must wear their identification badge at all times while in access controlled areas.

2. Badges must be worn by means of a clip attached directly to the clothing, a neck lanyard, or similar device.

3. Badges must be worn on the front of the body in the area above the waist and nearer the midline than toward the sides.

4. Badges must not be worn so as to be hidden in a pocket, worn under an article of clothing such as a sweater, jacket, tie, etc., or worn so that the picture is otherwise not visible, such as wearing the badge reversed, or under another badge.

5. Individuals must not alter their identification badge by obscuring any portion of the badge, drawing on the badge, affixing stickers to the badge, or otherwise defacing the badge in any way.  Access badges which are altered will be disabled and confiscated by Security staff. 

E. Mandatory use of access badges at all doors.

1. Access badge holders must record their entry to any access controlled area including the 1st and 2nd floor main entrances by using their assigned access control badge.  Badge holders must use their badge on every entry, regardless of whether the entry door is locked, unlocked, open, or closed.

2. Access badge holders must not use their access badge to grant another person access to any access controlled area including the 1st and 2nd floor main entrances unless they are directly escorting that person.

3. Access badge holders must not give their access badge to another person for the purpose of granting that person access.

4. Employees and others must not facilitate the entry of another person to any access controlled area by holding the door open unless they are the escort for that person.  Anyone authorized to enter an access controlled area will have either a valid access badge or be accompanied by their escort.

5. Access badge holders must not follow another person through an opened access control door without using their own access badge.  This practice is often referred to as “drafting” or “tailgating” and is prohibited.

F. Requesting Access to OIT areas at 51 Commerce Center Drive

1. A standard access request form must be filled out, approved, and delivered to the Security Office, in accordance with approved procedures when requesting access to OIT areas at 51 Commerce Center Drive.

2. The current form and instructions are available online at:  http://inet.state.me.us/bis/eforms/ (OIT Intranet page / Forms and E-Forms page).   The OIT form (OIT Access and Cancellation Request Form) is an online form that must be filled out online.

3. Requests for new access or changes to access must be made by use of the form only.  Other requests that do not require a change of access such as requests for replacement badges or new photo overlays may be made by an email request to EDOC Security.

G. Lost, stolen, misplaced, and damaged Access Badges.

1. Lost, stolen, or misplaced badges must be reported to the security office as soon as the loss is discovered, so that the card may be deactivated from the access control system.  Failure to notify the security office in a timely manner could result in a breach of building security through the use of the misplaced badge.

2. The security office will produce a monthly management report detailing all cards which are replaced, the cardholder name, and the reason for replacement.

H. Temporary access badges issued for Resident Employee lost or misplaced badges.

1. Resident Employees who arrive for work without their personal access badge must sign in and out at the Security Office upon entering or leaving the building complex.

2. Resident Employees will be issued a temporary access badge for the day.  This temporary badge will grant access to all areas that the Resident Employee’s badge is authorized for.

3. When a temporary badge is issued, the Resident Employee’s personal badge is disabled.

4. Temporary badges are issued for a 1 day period, and access for these badges will expire at midnight of the day issued.

5. Temporary badges must be returned to the security office before leaving the building at the end of the workday.

I. Temporary access badges issued for Non-Resident Employee lost or misplaced badges.

1. Non-Resident Employees who arrive for work without their personal access badge will be handled in accordance with the rules for OIT business visitors (Item L below).

A. Contractor access.

1. Resident contractors

a. Resident contractors will be given an access badge identifying them as a contractor.
b. This badge will be retained by the resident contractor and handled as an employee badge.
c. Temporary resident contractor access badges may be issued in accordance with the procedure outlined for resident employees under section H.
d. Resident contractor badges will be the same as the basic agency layout for the agency they are contracted to, but will have a green bar with the word “Contractor” in red letters at the bottom of the access control area.

2. Non-resident contractors

a. Non-resident contractors will be pre-authorized within the access control system, but will not be issued a personal access badge.
b. Non-resident contractors will be required to sign in.  They will be given a temporary contractor badge, and access will be enabled for the day based on their pre-authorized access level.
c. Non-resident contractors who have not been pre-authorized in the access control system will be given an ID only badge.  They must be accompanied at all times while in the building.
d. The contractor must return the access badge to Security and sign out when leaving the building.

B. Building visitors – General Policies.

1. All visitors to EDOC areas must enter the premises through the 1st floor main entrance only. 

2. Visitors will be required to sign a log form indicating their name, whom they represent, person to be visited, date and time in and out, and form of ID presented.

3. All visitors must present a current picture ID when signing in.  The photo ID must have a validity date, photo, and signature.  Acceptable IDs and form of ID (Form) are:

a. Passport (P)
b. Valid Motor Vehicle Operator’s License (L)
c. State personal identification card (I)
d. State of Maine photo ID access badge (M)
e. Federal or other governmental ID (G)
f. A company photo ID (C)
g. Any other photo ID showing the face, ID expiration date, signature, and issuing agent information such as organization name (O)

4. The Security Officer on duty will note the form of the photo ID presented in the space provided on the sign in log.

5. Visitors who are unable to present a current photo ID, or refuse to present a photo ID, must not be permitted access to high security OIT areas.

6. Visitors must sign out when leaving the building.

7. Temporary ID badges will be issued to visitors who will be visiting access control areas.  Temporary ID badges are not required for visitors to non-access control areas (Lobby, Cafeteria, and adjacent conference rooms).

8. Temporary badges must be turned in to the security office when signing out.

9. It is not necessary to sign out if leaving the building temporarily to have a smoke break, take a brief walk, get something out of the car, etc. 

10. It is necessary to sign out if leaving the building complex for an extended period such as attending a meeting at another location, going out for lunch, etc.

11. Employees who admit visitors to the building without ensuring they are properly signed in will be deemed in violation of this access policy.

C. OIT Business Visitors

1. OIT business visitors who present a valid photo ID, and have a scheduled appointment with an OIT employee, will be given a badge indicating “OIT Visitor.”  These visitors must, however, still be accompanied while in OIT high security areas.  The badge color is blue.  The badge is an access control badge and may be enabled to permit access to the OIT lobby doors only.

2. OIT business visitors who do not have a scheduled appointment with an OIT employee, who have an appointment with a contractor only, must not be permitted access to any high security OIT area regardless of identification presented, and must be accompanied at all times while in other parts of the building.  Such visitors will be given a badge indicating “OIT Visitor – must be escorted.”  The badge is blue with a red horizontal stripe on it.

3. OIT business visitors who are unable to present a current photo ID, or refuse to present a photo ID, must not be permitted access to OIT high security areas, and must be accompanied at all times while in the building.  These visitors will be given a badge indicating “OIT Visitor – must be escorted.”  The badge is blue with a red horizontal stripe on it.

4. The Security Officer on duty will call the person to be visited.  If the person to be visited is not available, the Security Officer on duty will contact the OIT administrative staff to let them know the visitor has arrived.  OIT staff will find the person to be visited, find an alternate, or escort the visitor themselves.

5. The person to be visited or OIT administrative staff member must notify the security officer on duty when they take charge of the visitor in the lobby and if the visitor will need access to the OIT office area.  If access is needed, the security officer on duty will then enable the “Authorized OIT Visitor” badge to allow access to the OIT lobby doors.  If the business visitor does not need access to the OIT office areas, the badge will not be enabled.

6. OIT business visitors may not visit MRS areas unless escorted by someone authorized to be in those areas.

7. Visitors must sign out and return the temporary badge to the security office upon leaving the building.

D. OIT Personal Visitors

1. OIT personal visitors such as family, friends, etc. must sign in with the Security Officer.

2. Personal visitors will be issued “OIT Visitor – must be escorted” visitor badges regardless of ID presented. 

3. All personal visitors must be supervised and escorted at all times while in the building.

4. Personal visitors are not allowed access to MRS areas at any time.

5. Personal visitors must sign out and return the temporary badge upon leaving the building.

E. Card holder termination procedures

1. Supervisors must collect the access badge from any terminating employee under their supervision, and return it to the security office for destruction.

2. Supervisors must, at a minimum, notify the security office of employee termination immediately upon termination, or of the expected date and time of termination whether the access badge is collected or not.

3. Supervisors must notify the security office to disable access for an employee expected to be out for an extended period such as maternity leave, extended illness, sabbatical, or any other extended period when the employee is not expected to report for work.

4. Contract administrators must collect access badges from all contracted employees when they have finished their work.

5. Contract administrators must collect access badges from contracted employees if they leave the contracted project, even if they are expected to return at a future date.

6. Contract administrators must immediately inform security if a contracted employee is leaving for any reason including a scheduled vacation or other interruption of work where the contractor is not expected for some period of time.

7. Employees and contractors are not permitted to retain any access badge, access badge overlay, or other form of photo identification issued under this policy after termination.

F. Use of emergency exits restricted to emergency events only

1. Employees must not use emergency exits except:

a. During an actual event when emergency alarms are activated.
b. During a fire or evacuation drill when emergency alarms are activated.

2. Security personnel and building management personnel may use the emergency exits in the performance of their assigned job duties such as performing periodic checks to ensure the door will open, and to see that the door is locked.

G. Use of kitchen door restricted

1. Use of the second floor kitchen door is restricted to the following groups:

· Contracted cafeteria service employees.

· Food service delivery personnel when delivering food stuffs or conducting other related business.

· Contracted repair service employees performing repair work in the kitchen and food service area of the cafeteria.

· Security and building management personnel in the performance of their job duties.

2. No other individual regardless of employment status is authorized to use the kitchen door for purposes of entry or exit.

3. Cafeteria service employee visitors are prohibited from using the kitchen door for entry or exit.  Such visitors must register at the security office before entering the building and enter through the interior cafeteria entrance.

4. No other building visitor may use the kitchen door for entry or exit.

5. Cafeteria service employees must not permit any unauthorized persons to enter or exit the building through use of the kitchen door.

6. The kitchen door must be kept secured at all times.  To relieve excess heat in the kitchen, the outer kitchen door may be opened provided the inner screen door is kept closed and locked.

H. Policy violations.

1. Any employee who notes a violation of this policy must report the violation to the security officer on duty or appropriate management level personnel as soon as possible.

2. Security will record information regarding the violation and forward the report to the appropriate management personnel. 

3. Management will contact the violator and apply disciplinary action as appropriate.

I. Special Events

1. Persons attending special events open to the public that are confined to the cafeteria and lobby areas may be subject to discretionary rules administered by the Security Manager. 

2. The Security Manager must approve each event as qualifying under this section.  Examples of special events are Blood Drives, Employee Recognition events, and Retirement parties.

3. The Security Manager may, at his discretion, suspend any or all of the following rules for event participants during these events:

 

VI. Applicability

These procedures apply to access to the 51 Commerce Center Drive complex. These procedures and standards must be adhered to by any and all persons who may have occasion to enter the complex for any reason.

 

VII. Responsibilities

 

VIII. Definitions

A. Access Controlled Area:  Any area of the building which is secured by an access controlled door or key locked door.  This excludes the 1st and 2nd floor lobby areas, cafeteria, loading bays and adjacent hall accessible from the lobby, 2nd floor conference rooms directly accessible from the lobby and cafeteria, restrooms, and the four small interview rooms directly accessible from the lobby.

B. Building Complex:  The building, parking lot, and area surrounded by the chain link security fence.

C. Business Visitor:  A visitor to the facility who is here to meet with an employee for the purpose of conducting business such as attending a business related meeting or performing work.

D. Card Holder:  Any individual who has been issued a personal access badge.  A Card Holder may be an employee or a contractor.

E. Normal Business Hours:  Normal business hours for the building are 6:00 a.m. to 6:00 p.m. (06:00 to 18:00) Monday through Friday, exclusive of scheduled state holidays and other shutdown days.

F. Non-resident Contractor: Someone under contract to OIT, the building owner, or other State of Maine agency who has some need to access the facility but does not have a permanent assigned workspace at the facility.  This includes contractors who are on-site at the facility for less than 11 consecutive working days.

G. Non-resident Employee: Any State of Maine employee who has frequent or occasional need to access EDOC facilities but whose primary work location is not the EDOC facility. 

H. Off Hours:  Any time other than the above defined normal business hours.

I. OIT high security areas:  Computer room, HSP room, Telecommunications Equipment room, Server/Test Lab, and Shipping and Receiving room.  These areas require special authorization for access.  Visitors must be accompanied at all times while in these areas.  Visitors who do not present valid photo ID must not be allowed any access to these areas.

J. Personal Access Badge, Personal Badge:  An access control badge issued to an individual for their exclusive use to enter the facility and any authorized access controlled areas of the building.

K. Personal Visitor:  A visitor to the building who is here visiting an individual or the building for a social purpose, such as having lunch, visiting a relative, attending a party, giving blood, etc.

L. Policy, access policy, access control policy:  This document, “Edison Drive Office Complex Building Access Procedures and Standards of Operation” may also be referred to as the policy, the access policy, or the access control policy.

M. Resident Contractor:  A person contracted to perform work for OIT who is provided with a workspace at EDOC.  Resident contractors maintain a work schedule and work habits that are similar to those of employees.

N. Resident Employee:  Any State of Maine employee whose primary work location is the Edison Drive Complex.

O. Visitor:  Any other person who is not an employee or contractor as defined above.

 

IX. References

 

1. OIT Access request form: http://inet.state.me.us/OIT/EForms/Net/AccessRequest/Default.aspx

2. On-Call Duty Roster: http://csn.state.me.us/login.php (You must log in with your AD credentials to access this information).

 

 

X. Document Information

 

1. Document Reference Number: 41

2. Category: Security and Privacy

3. Adoption Date: 18-Nov-09

4. Effective Date: 25-Nov-09

5. Review Date: 18-Nov-10

6. Point of Contact:  Robert L. Witham, Jr., Information Systems Security Analyst, State House Station 145, Augusta, ME 04333-0145, (207) 624-9439

7. Approved By:  Greg McNeal, Chief Technology Officer, State House Station 145, Augusta, ME 04333-0145, (207) 624-9471

8. Position Title(s) or Agency Responsible for Enforcement:  Robert L. Witham, Jr., Information Systems Security Analyst, State House Station 145, Augusta, ME 04333-0145, (207) 624-9439

9. Legal Citation: 5 MRSA, Chapter 163, Section 1973, paragraphs B and D, read in part: [The Chief Information Officer shall] "Set policies and standards for the implementation and use of information and telecommunications technologies, including privacy and security standards…" and "Identify and implement information technology best business practices and project management".

 

10.  N/A