Note: The purpose of this document is to define the processes and procedures you have in place to add and remove personnel to your physical space, your computers, and any other system programs or applications you use, as well as to ensure that once they transfer or terminate, they no longer have access. Where physical space covers multiple lab areas, please discuss with your Information Security team on the best way to document. Please populate the template according to the processes you follow. Thank you in advance.

<LabName> at <Building Name>

Standard Operating Procedures (SOP)

for Physical and Logical (Electronic) Access Controls

Overview

The purpose of this SOP is to set forth processes and procedures related to physicaland electronic access security for <insert lab name>.

Roles and Responsibilities

Drs. Name1> and <Name2, Title1> and <Title2, respectively,will have the supervision of these procedures. The <Lab Name Manager>will manage the compliance of these processes and procedures insert contract name if required.

Physical Access to <Lab Name
Lab Type:<Human Subject, Basic Science, Both, Other>

Access to the labis controlled by Institution’s Security through <choose 1: ID cards or key. For each staff member, the specific access to each entrance door is controlled individually. The principal Investigator, or a delegate, communicates with Physical Security to grant access to each staff member.Lab Name> office doors are locked at all times whenworkforce members are not present. Access is revoked, and ID card is returned, at termination or transfer. (Note to Lab Manager: An Access List which requires manual updating is indicated as a sample in Appendix B).

The principal investigator, or its delegate, performs an access review to <insert Lab Name’s> on a <select one: semi-annual, quarterly, annual basis. (Note to Lab Manager: The frequency of these reviews should be relative to the level of sensitivity of the systems and the risk involved.) In order to conduct the physical and electronicaccess audit;

Physical Access Procedures

  1. Request Access List from Institution Security Office
  • Mechanical Lock (Individual’s issued keys)
  • Electronic Lock (Access Control List)
  1. Request Transfers/Termination list from HumanResources
  2. Documentation involved in thereview should include reviewing thephysical access control list or a list of individuals’ issued keys if mechanical locks are used.
  3. Review should confirm thatphysical access to lab has been authorized and that there is a legitimate business need.Confirm with workforce member’s manager/supervisor as needed.
  4. Disable access for workforce member if
  5. User has been terminated
  6. User has changed roles and access is no longer needed, or
  7. User is a contractor that is no longer engaged to provide services that required access.
  8. Contact building security office if lock needs to be rekeyed or card access needs to be revoked.

Electronic Access Procedures

  1. Workforce members requesting access to Laboratory systems and/or specific applications (i.e. RedCap, StudyTrax), will contact Business Owner or ApplicationBusiness Owner (e.g. RedCap) for access.
  2. Business Owner conducts the following;
  3. Verifies user should have access by confirming with their Supervisor or Manager.
  4. Sets up username and password for user and schedules training session.
  5. Username follows this naming convention (include-i.e.mwynne).
  6. All user activity will be tracked upon login to the system or application.
  7. Business owner will initiate an account review process which coincides with the physical access audit described above.
  8. In order to conduct the logical (electronic access) review and audit;
  9. Review all System accounts for the appropriate lab
  10. Servers, Workstations, Applications
  11. Verify that users with active system accounts continue to be active Hospital workforce members and have remained in the same department. Audit this list against the physical access list (Keys, Card)
  12. Review access appropriate to role.
  13. Users who are no longer on the Physical Access List should be disabled on the systems (Workstations, Applications,Servers) unless they are remote users who still require access, which should be indicated.
  14. If access is no longer required, business owner will disable user’s access.
  15. Request to disable access will be done by <include process or responsible personnel>

Visitor Procedures

Visitors are defined as non-Partners Healthcare Workforce Members or individuals who require an escort. Visitors who enter through the Building Name> entrance utilize the Visitor Log contained in Appendix A. Other Building Name entrances also require card or key access. Building Name Visitors are escorted regardless of entry point.

Physical Access to Information Systems

AllLab Name computers are located in locked offices or within a locked area>. Mobile systems are encrypted and all systems are password protected.To request or remove laptop device encryption, submit a request to the IS Help Desk.

Physical Access to Paper Records

Folders containing any hard copies ofConfidential Data,are securely stored by the <insert lab name in locked offices. Outdated Confidential Data older thanxx years may be sent to an off-site with a secure storage company (insert vendor name, Partners approved) if there is a need to make space for newly acquired records. LabName staff will have access to these documents. Insert Records Facility Name is responsible for secure transportation of documents from their facility to the LabName and viceversa.

Retention

Retain all auditable records in conjunction with the institution’s Records Management policy.

  • The PHS Records and Information Management schedule (PHS-1512) indicates 2 years from the creation of the record. Record Class Code: ISY160 in Excel Spreadsheet (Compliance & Business Integrity Policies)
  • Retention requirements for Research Data indicate contract closure + 7 years.
  • Reference Partners Human Research Committee Guidance for Investigators

Termination

Ensure institution termination process is built into the Access Control Standard Operating Procedure to ensure timely removal and collection of all hospital business.

Appendix A

Lab Manager: Request copy of building security’s visitor log template and insert here.>

If a visitor log does not exist, utilize this sample>

Visitor Log

Print Name: / Sign Name: / Date: / Time In/Out: / Point of Contact:

Appendix B

<Lab Manager: Request copy of building security’s visitor log template and insert here.>

( If a visitor log does not exist, utilize this sample)

Access List- <insert Laboratory Name

Workforce Member Name / Date Added: / Point of Contact:

1

<insert date>