Thousands of keys to thousands of doors at Simon Fraser University’s Burnaby Mountain campus are missing, according to an internal campus safety and security review.
The report, completed in July 2015 by the university’s internal audit department and obtained by the NOW through a freedom of information (FOI) request, revealed “significant problems” with access control at the Burnaby campus.
Analysing the university’s key control system database, auditors found 5,014 keys belonging to former employees had not been returned.
Auditors also identified 275 master and sub-master keys (with access to 4,166 doors in 28 buildings) that had been reported lost.
They also sampled 50 master keys that, according to key control system records, should have been in the key inventory: 28 were missing.
“Due to inaccurate data in the KCS (key control system) and the fact that a comprehensive key inventory count has never been conducted, it is difficult to determine the exact number of keys that have been issued, lost, become obsolete, or still remain in inventory,” states the report.
Security managers wouldn’t comment on what specifically is in the buildings corresponding to the lost keys, and the list is blacked out in the FOI report for security reasons, but it wouldn’t have included dorms, according to campus safety and security services senior director Steven Mac-Lean, because the campus residence department has its own key control system.
“Generally an academic building may have labs, scientific labs, computer-engineering labs… potentially there could be drugs; there could be hazardous materials, for instance, chemicals etc.; there would also be a lot of teaching spaces with computer systems, this type of thing,” he told the NOW.
There is “a vulnerability attached” to the lost keys, according chief safety officer Mark Lalonde, but so far he said there is no record of the university “suffering a consequence” related to them.
Because the keys are unmarked, he said the chances of someone finding them and then locating the doors they open would be slim.
“Could we have done a better job? Certainly. Is it embarrassing? Oh yeah,” Lalonde said. “It’s certainly an alarming story when you look at the report and how many keys are out there and how many doors, but one thing I would emphasize is we haven’t had a loss event linked to an outstanding key.”
The large number of lost keys is more of a record-keeping problem than a security or privacy threat, according to MacLean.
“Knowing what is physically out there, I don’t have any concerns with the safety, security of people or assets on campus because of administrative issues with the key system,” he said. “What this report did speak to me about is that we need to review our administrative processes.”
The data in the key control system goes back 50 years, MacLean explained.
Some of it may not have been properly transferred from physical to computer files in the first place, he said, and some of the missing keys may no longer correspond to actual doors because of renovations or because the doors have been rekeyed.
Newer buildings, meanwhile, are equipped with electronic key card systems that allow security personnel to delete access with a few keystrokes when employees leave without returning their cards.
“Nobody’s got the budget to go back to all the old buildings and make them electronic cards,” Lalonde said.
For the buildings that still use traditional locks and keys, however, safety and security services needs better procedures for lost keys, according to the internal audit.
In the past, for example, some locks were re-keyed because of lost master keys, but which locks were replaced was not documented, according to the report.
One of the recommendations in the report calls on the safety and security department to conduct a thorough key audit that would: confirm who holds which keys to the campus; count all the keys held at the safety and security office; reconcile those numbers with the data in the key control system; and follow up on discrepancies.
Lalonde said the university has improved its key control/inventory process since the internal review.
“The actual key audit suggested in the audit report is ongoing and is a continual process – focusing specifically on master keys at this point,” Lalonde said.
Even before the review, Lalonde said SFU had started addressing the historical problem of keys not being returned and master keys going missing.
“A prioritized approach was taken to lock replacement/re-keying based on the level of risk associated to areas most impacted by lost master keys and unreturned keys. That was done in consultation with affected departments,” he said.
While the chief safety officer said sexual violence on campus and the expansion of Kinder Morgan’s Burnaby Mountain tank farm rank higher on his list of current concerns, he said the university takes the issue of key and access control seriously and remains committed to improvement.
“The auditor report from the summer of 2015 is one part of helping us improve our practices and specific procedures,” Lalonde said.
With files from Stanley Tromp
