Policy Search
EWU Policy 204-03_Access Control_(First Read)
- Comment period ends June 13, 2025.
- Policy Proponent: Vice President for Business & Finance
- Updates responsibilities and processes for keys and access card distribution.
University Policy Administration
Eastern Washington University
Intro: Who will be responsible? Eagle Services is mentioned several times in the policy, but they aren’t designated in the policy as being responsible. You have students running most of the Eagle Services work. You open up the university to additional risk by having them give out keys.
Audits: This needs to be done yearly (late Spring) to account for keys. You are creating a safety and security risk
Persons Authorized to have Keys: Remove “highly encouraged” to must or shall. This shouldn’t be optional. That opens up the various programs and university to another safety and security risk.
Authorizing Keys: What is the expected turnaround time?
Lost or Irretrievable Key: Some areas or buildings should not be up for decision; there needs to be predetermined areas or buildings where a lost key requires an immediate rekeying.
Duplication and Transferring of Keys: If a key is needed to perform one’s duties, then they need to be issued a key. When you start allowing “lending” or “borrowing” you increase the chance of losing a key, or delay in returning the key. This opens up the university to safety and security concerns.
Upon review of the proposed revisions to EWU Policy 204-03 – Access Control, this memo outlines key concerns and recommendations specifically related to audit mechanisms, operational controls, and safeguards necessary for maintaining physical security integrity across university facilities.
1. Audit and Control Deficiencies
Lack of Defined Audit Frequency:
The policy mentions “Key Audits” to be conducted “on a periodic basis” but does not define a required frequency (e.g., annual or biannual). This vague language can result in inconsistent or infrequent audits, weakening access control oversight.
Recommendation: Specify a mandatory annual audit cycle for all Departmental Access Systems (DAS), with reporting due to the Key Shop and oversight from Facilities Maintenance or an appropriate central authority.
No Standard for Audit Trail Recordkeeping:
There is no requirement for departments or the Key Shop to maintain records of key issuance, returns, or outstanding keys/access cards.
Recommendation: Require the Key Shop to maintain a centralized access control log, with DAAs responsible for quarterly reconciliations. This log should be auditable by Internal Audit or Campus Safety upon request.
2. Safeguards and Student Key Control
Student Access Guidelines Are Inadequate:
Current language allows DAAs discretion in issuing keys to students without specifying oversight mechanisms, duration limits, or conditions for access.
Recommendation:
Prohibit issuance of master/sub-master keys to students under any circumstance.
Require time-limited checkout (e.g., shift-based or <8 hours) with logs that include name, ID, date/time in/out, and supervisor signature.
Implement a mandatory return procedure with supervisory confirmation before the end of each shift or project.
No Formal Lost Key Response Protocol:
Although “irretrievable keys” are defined, there is no mention of a lost/stolen key reporting and escalation process, which is a major risk.
Recommendation:
Include clear steps for reporting lost or stolen keys, including:
Immediate reporting to Public Safety
Lock rekeying requirements for master/sub-master keys
Incident documentation and risk assessment
3. Security Risk and Control Gaps
No Mention of Access Level Classification:
The policy treats all keys and access cards uniformly. In reality, certain access devices (e.g., building master keys, research lab access) carry significantly more risk.
Recommendation:
Introduce an access classification system (e.g., General Access, High Security Access) and define associated control measures, such as supervisory approval, dual sign-off, or mandatory background checks.
Insufficient Oversight of Departmental Lock Boxes:
The term “Key Lock Boxes” is defined, but there are no procedural controls for how they are secured, who has access, or how keys are logged in/out.
Recommendation:
Require secure key boxes with electronic logging or manual sign-in sheets, and mandate random audits of key inventory and access logs.
Conclusion
The proposed policy revisions need further development to ensure Eastern Washington University’s access control framework reflects best practices in institutional security. Strengthening the audit process, clarifying student access restrictions, and implementing access tiering will reduce risk exposure and improve policy compliance.
This policy does not make it clear to me whether or not students can be given key card access beyond a “check-out” system that is limited to 8 hours. This does not work for our McNair students who need full access to our offices for research and homework on a regular basis. This is a critical part of our program for students to have a secure, quiet place to work when needed and at hours beyond the typical 9-5. Many work jobs or have life situations or other needs that may lead to non-traditional hours of usage. Further, it will not work for any GSA students, who again, are employees and should be allowed full access without “checking out” keycards.
If this policy does allow for students and student employees to have ongoing 24/7 access, then it is fine as written, though I believe clarification is needed for keycards; however, if it does not, it would disrupt programming and add an undue burden on non-student staff to constantly be arranging 8 hour access on top of already being overworked, further, this would create reduced access for students who may have an unexpected need for use of the offices, or where asking for permission on a regular basis, each and every time they want to come in on the weekend, etc. causes anxiety or other barriers and makes the point of having an open, useable space diminished or completely useless. I understand the need to be mindful about student access; however, this policy does not take into account students who need a time and space away from home, challenging living situations, work best at odd hours, have work hours that only allow them time in evenings and weekends to work, etc.
At a minimum, I would ask that this policy allows for an exception to be made to allow student employees and students of some programs, as permitted by their office, as we do now with the proxy forms, to be granted access.
The 8-hour limit for student employees only applies to master and submaster keys. Student employees are able to check out other types of keys. We will revise the policy language to make this clearer.
Public Comment to the EWU Board of Trustees
Submitted by: EWU Access Control Department
Date: June 10th, 2025
We write today on behalf of the Access Control Department.
Our department plays a critical, often behind-the-scenes role in safeguarding the EWU community. Some of the department’s oversight includes:
• Master key system management
• Key issuance and record keeping
• Commercial door hardware specification and review as well as installation and maintenance.
• We also administer, specify and maintain multiple electronic access control systems, including items pertaining to the following: prox. access, duress buttons, lock down buttons and ADA operators. As well as many other mechanical and electronic locks throughout campus.
Our work ensures the physical security of classrooms, labs, and facilities for students, faculty, and staff. Over the past decade, we’ve led major safety upgrades, an example is the Classroom Security Upgrade Project—despite limited resources and outdated infrastructure.
We submitted our SRA: University Services Template in 2023 to highlight our essential function and to request urgent investment in access modernization. Instead, what we’ve seen is fragmentation of services, forced relocation, staffing attrition, and now—troubling policy changes.
We formally object to the draft revision of EWU Policy 204-03. Operational changes referenced in the draft are already being implemented without meaningful consultation, even as a formal grievance remains unresolved. Assigning access management duties to an administrative unit with no security expertise—compromises campus safety and violates both historical practice and our technical scope of work.
We urge this Board to:
1. Suspend implementation of the draft policy until due process is followed.
2. Retain essential existing language from the current policy that preserves Facilities Maintenance and Access Control’s oversight roles.
3. Reject the dismantling of core safety operations.
4. Ensure that future changes are made transparently and collaboratively.
Access control is not clerical—it is a critical safety function. We are not opposed to transformation, but this transformation must be collaborative and transparent while maintaining continuity and accountability.
We remain committed to EWU’s mission and ask for your partnership in protecting both campus security and institutional integrity.
Thank you,
EWU Access Control
I worked for Western Washington University (WWU) for 16 years. Three years ago, I was thrilled to come here after learning about the investment to transform Access Control into something I wanted to be a part of. A new Electronic Access Control system, a new key system, a new key tracking system, and new key database management software were going to be implemented. But due to the Strategic Resource Allocation (SRA) and the decision to ‘transform’ (which is really just a divestment) in Access Control, I have grown to regret my decision to relocate my family here, since it appears that EWU is following a similar path to the problematic experiences I witnessed at WWU.
As a way to try and verbalize my frustration over the change to processes that were implemented and this policy proposal, I have been talking to Gemini AI. I would encourage everyone to log into Gemini AI if you are an EWU employee and ask it to compare the old policy to the new proposed policy. To guide Gemini AI towards a comprehensive security assessment, it’s beneficial to include the following details: that the Access Control department and Eagle Services are two separate departments; that these processes have been implemented before policy has been approved; and that no signatures are required, with only an ID check to receive access or pick up a key.
I received this summary: ‘Knowing that the processes are already implemented transforms my assessment from a critique of a proposed policy to a condemnation of current management practices. It indicates a governance failure where policies are being drafted to catch up to, and legitimize, actions already taken, rather than guiding them. This is a far more serious situation for the university’s overall integrity, operational stability, and security posture. It suggests a leadership that is willing to bypass established protocols, potentially putting the university at significant risk.’
This assessment underscores the critical need for a thorough review and transparent discussion regarding these implemented changes before any policy is formally adopted. We must ensure that policies guide our actions, not merely retroactively legitimize them.