LOS ANGELES COUNTY
DEPARTMENT OF MENTAL HEALTH
  Policy 551.02 Facility Access Control
 
  Procedures
  1. Contingency Operations
     
    1. Identify the systems and data, and their locations, that, if lost, will be reestablished and/or restored as part of the DMH Disaster Recovery Plan or Emergency Mode Operation Plan. (DMH Policy 550.03, Information Technology Contingency Plan Policy)
       
    2. Identify workforce members who need facility and/or system access in the event of a disaster or emergency.
       
    3. Create and implement a backup authentication scheme to regulate facility access in the event of a disaster or emergency. Since electronic means cannot be relied upon during an emergency, a manual authentication scheme must be developed.
       
    4. When determining these access means, emergency communication means must be considered to ensure that authorized access is granted in the event an obstacle is encountered.
       
    5. The contingent access scheme must be tested periodically to ensure operational functionality.
       
    6. These procedures must be coordinated with other DMH contingency plan components, including DMH Policy 550.03, Facility Information Technology (IT) Contingency Plan Policy.
       
  2. Facility Security Plan

    The intent of the Facility Security Plan is to limit physical access to a facility's electronic information systems and the areas in which they are housed, while allowing workforce members continued access for the furtherance of County business.

    To accomplish this purpose, DMH is taking a layered approach, which means the more sensitive an area or system, the more restrictive the access control.
     
    1. Exterior of Premises
       
      1. The Facility Security Plan must:
         
        1. Clearly define the security perimeter of the premises and buildings;
        2. Ensure the perimeter is physically sound (i.e., no gaps in which a break-in is relatively easy);
        3. Ensure all external doors are adequately secured against unauthorized access by installing locks, alarms, or other access control devices;
        4. Ensure sensitive areas are monitored as necessary (e.g., video surveillance cameras with video recording capabilities);
        5. Provide a reception area staffed at least during business hours which visitors may access through a single building entrance;
        6. Define instances in which visitors are allowed and include areas they may visit and any escort requirements; and
        7. Ensure fire doors on the security perimeter are alarmed, have a self-closing mechanism, and are compliant with fire regulations.
           
      2. If any of the measures listed above are determined not to be feasible, the plan must provide a justification and ensure the security of the premises through other sufficient means.
         
    2. Interior of Premises
       
      1. The Facility Security Plan must ensure the following:
         
        1. Necessary physical barriers are extended from real floor to real ceiling;
        2. All doors to interior areas requiring compartmentalization or added security are adequately protected against unauthorized access by installing locks, alarms, or other access control devices;
        3. Sensitive areas are monitored as necessary (e.g., video surveillance cameras with video recording capabilities);
        4. All doors and windows lock by default and adequate security measures are in place for windows at ground level;
        5. Intrusion detection systems are included where appropriate to provide additional security to interior premises and buildings; and
        6. Vacant secure areas are locked and periodically inspected.
           
      2. If any of the measures listed above are determined not to be feasible, the plan must provide a justification and must ensure the security of the premises through other sufficient means.
         
    3. Facility Equipment
       
      1. The Facility Security Plan must:
         
        1. Ensure facility equipment requiring additional levels of protection is isolated from other equipment to the extent possible;
        2. Position workstations so that monitor screens and keyboards are not directly visible to unauthorized persons;
        3. Provide controls to guard against equipment theft, such as closed-circuit television monitoring devices, alarms, locks, and controlled access;
        4. Provide controls to guard against fire damage, such as smoke detectors, fire alarms, and fire extinguishers as reasonable to protect the electronic information systems;
        5. Provide controls to guard against water damage, such as elevating workstations and other equipment as reasonable to protect the electronic information system;
        6. Provide controls to ensure air quality is maintained as is reasonably appropriate for the equipment, such as air conditioning, heating, dust filters, and air dehumidifiers/humidifiers, to protect the electronic information systems;
        7. Provide controls to guard against damage caused by vibrations or electrical supply interference; and
        8. Provide controls to guard against power surges and outages, such as multiple power feeds, backup generators, and uninterruptible power supplies.
           
      2. If any of the measures listed above are determined not to be feasible, the plan must provide a justification and must ensure the security of the information through other sufficient means.
         
  3. Access Control and Validation
     
    1. The DMH Chief Information Officer (CIO) or designee must ensure that system managers/owners and/or facility managers:
       
      1. Configure facility access controls to allow workforce members access based on the latest approved access rights and privileges;
         
      2. Include a means to update the facility access control settings to reflect workforce member status changes;
         
      3. Ensure visitors sign in upon entering the facility;
         
      4. Ensure visitors are escorted by appropriate personnel where required by the Facility Security Plan; and
         
      5. Ensure workforce members testing and/or revising software programs are identified, authenticated, and authorized to perform those activities.
         
  4. Maintenance Records
     
    1. The CIO or designee must:
       
      1. Identify physical components of the facility that are relevant to IT security (e.g., hardware, walls, electronic systems, doors, and locks);
         
      2. Approve and oversee any IT security-related physical modifications to the facility;
         
      3. Create a maintenance record or log and ensure it is updated for each such modification;
         
      4. Ensure proper chain-of-custody for pertinent items such as keys and access codes;
         
      5. Ensure all computing device removals including workstations, facsimiles, scanners, and printers are documented and performed by Chief Information Office Bureau (CIOB) authorized staff; and
         
      6. Ensure the internal storage component is disassembled, set aside, and maintained securely by CIOB authorized staff should there be a need to remove a vendor-managed device from a facility.