Versions Compared

Vanta policy template instructions

This Vanta policy template represents a complete, compliance-ready policy with placeholders for company-specific text. Each policy section represents a policy-specific topic that you should consider and/or modify to match your company’s practices.

For each policy section

  • Consider whether this section and its corresponding risks apply to you. If they do not, remove the section and/or replace it with your organization’s corresponding practices.

  • Replace any highlighted text in angled brackets < > [1] with your own language.

  • Rewrite the policy language so that it reflects the practices of your organization.

Policy completion checklist

  1. Use Find to make sure that all text in angled brackets is replaced

  2. Proofread your policy for spelling and grammar mistakes

  3. Confirm that the policy’s content reflects your organization’s practices

  4. Add any company-specific letterhead, branding, and formatting

  5. Remove this instructions page

  6. Export this document as PDF — File > Save As > Change “File Format” to PDF

  7. Upload the PDF to Vanta at https://app.vanta.com/policies

More questions?

A good rule of thumb is to keep your language at a high enough level that it stays representative for at least a year. If you have more questions about how to use this template, please reach out to support@vanta.com or your auditor for additional guidance.

Physical Security Policy

Policy Owner: <Policy owner> Managing Director

Effective Date: 2023-05-01

Purpose

To prevent unauthorized physical access or damage to the organization’s information and information processing facilities.

Scope

All <Company Name> CloudCard offices and locations. This Policy applies to all employees of <Company Name> CloudCard, and to all external parties with physical access to <Company Name> CloudCard owned or leased facilities.

Policy

Physical Security Perimeter

Physical offices and processing facilities shall meet all local building codes for construction materials for walls, windows, doors, and access control mechanisms. Some interior zones may be identified as secure areas where physical access is further restricted to a subset of <Company Name> CloudCard personnel, such as private offices, wiring closets, print and server rooms, and server racks.

Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. Where possible, <Company Name> CloudCard access control systems shall be tied to a centralized system that provides granular access control for individual personnel. Access events shall be appropriately logged and reviewed as needed according to risk. Cameras and intrusion detection systems shall be used at facilities that store or process production or sensitive internal company data.

Visitors, delivery personnel, outside support technicians, and other external agents shall not be permitted access to secure areas without escort and/or appropriate oversight. Third parties in secure areas shall sign in and out on a visitor log and shall be escorted or monitored by <Company Name> CloudCard personnel. <Company Name> CloudCard personnel observing unescorted visitors should approach the visitor, confirm their status, and ensure they return to approved areas, or report the observation to the responsible authority as needed. External party access to secure areas shall be confirmed with appropriate <Company Name> CloudCard personnel prior to being granted access. <Company Name> CloudCard personnel providing access to external parties into secure areas are responsible for ensuring that the third-party personnel adhere to all security requirements, and are accountable for all actions taken by outsiders they provide with access. Visitors may be allowed to work unescorted provided that the <Company Name> CloudCard sponsoring party can ensure that they will not have unauthorized access to <Company Name> CloudCard information systems, networks, or data.

Suppliers, vendors, and third parties shall comply with <Company Name> CloudCard physical security and environmental controls requirements. <Company Name> CloudCard shall assess the adequacy of third-party physical security controls as part of the vendor management process, in accordance with the Third-Party Management Policy.

Exceptions

Requests for an exception to this policy must be submitted to the <approver of requests for exceptions to this policy, e.g., CHRO> Managing Director for approval.

Violations & Enforcement

Any known violations of this policy should be reported to the <receiver of reports of violations to this policy, e.g., CHRO> Managing Director. Violations of this policy can result in immediate withdrawal or suspension of system and network privileges and/or disciplinary action in accordance with company procedures up to and including termination of employment.

Version | Date | Description | Author | Approved by
<1.0> 1.0 | <29 Apr 2020> 2023-03-26 | <First Version> First Version | <OWNER> Ryan Heathcote | <APPROVER> Luke Rettstatt

[1] All fields in this document marked by angled brackets < > and highlighted must be filled in.