Effective Date: 2023-05-01

...

To prevent unauthorized physical access or damage to the organization’s information and information processing facilities.

...

All CloudCard offices and locations. This Policy applies to all employees of CloudCard, and to all external parties with physical access to CloudCard owned or leased facilities.

...

Physical Security Perimeter

Physical offices and processing facilities shall meet all local building codes for construction materials for walls, windows, doors, and access control mechanisms. Some interior zones may be identified as secure areas where physical access is further restricted to a subset of CloudCard personnel, such as private offices, wiring closets, print and server rooms, and server racks.

Physical Entry Controls

Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. Where possible, CloudCard access control systems shall be tied to a centralized system that provides granular access control for individual personnel. Access events shall be appropriately logged and reviewed as needed according to risk. Cameras and intrusion detection systems shall be used at facilities that store or process production or sensitive internal company data.

Securing Offices, Rooms & Facilities

Physical security for offices, rooms and facilities shall be designed and applied to protect from theft, misuse, environmental threats, unauthorized access, and other threats to the confidentiality, integrity, and availability of classified data and systems.

Protecting Against External & Environmental Threats

Physical protection against natural disasters, malicious attack or accidents shall be designed and applied. Secure areas shall be monitored through the use of appropriate controls, such as intrusion detection systems, alarms, and/or video surveillance systems, where feasible. Visitor and third-party access to secure areas shall be restricted to reduce the risk of information loss and theft.

Production processing facilities shall be equipped with appropriate environmental and business continuity controls including fire-suppression systems, climate control and monitoring systems, and emergency backup power systems. Physical information system hardware and supporting infrastructure shall be regularly serviced and maintained in accordance with the manufacturer’s recommendations.

Working in Secure Areas / Visitor Management

Visitors, delivery personnel, outside support technicians, and other external agents shall not be permitted access to secure areas without escort and/or appropriate oversight. Third parties in secure areas shall sign in and out on a visitor log and shall be escorted or monitored by CloudCard personnel. CloudCard personnel observing unescorted visitors should approach the visitor, confirm their status, and ensure they return to approved areas, or report the observation to the responsible authority as needed. External party access to secure areas shall be confirmed with appropriate CloudCard personnel prior to being granted access. CloudCard personnel providing access to external parties into secure areas are responsible for ensuring that the third-party personnel adhere to all security requirements, and are accountable for all actions taken by outsiders they provide with access. Visitors may be allowed to work unescorted provided that the CloudCard sponsoring party can ensure that they will not have unauthorized access to CloudCard information systems, networks, or data.

Delivery & Loading Areas

...

Policy

All CloudCard employees are remote employees. Physical access to company devices should be secured in the same manner that someone would secure their own home.

Employees must ensure that no unauthorized individuals may view, overhear, or otherwise have access to CloudCard’s customer or confidential data, especially when working from a public location such as a coffee shop or airport.

All end user devices containing access to internal CloudCard resources must be protected at all times and may not be left unattended.

Supplier, Vendor, and Third-Party Security

Suppliers, vendors, and third parties shall comply with CloudCard physical security and environmental controls requirements. CloudCard shall assess the adequacy of third-party physical security controls as part of the vendor management process, in accordance with the Third-Party Management Policy. Third-party security controls shall be sufficient to prevent unauthorized physical access to systems processing or storing CloudCard data.

Exceptions

Requests for an exception to this policy must be submitted to the Managing Director for approval.

Violations & Enforcement

Any known violations of this policy should be reported to the Managing Director. Violations of this policy can result in immediate withdrawal or suspension of system and network privileges and/or disciplinary action in accordance with company procedures up to and including termination of employment.

| Version | Date | Description | Author | Approved by |
| --- | --- | --- | --- | --- |
| 1.0 | 2023-03-26 | First Version | Ryan Heathcote | Luke Rettstatt |
| 2.0 | 2024-07-26 | Annual Review | Ryan Heathcote | Luke Rettstatt |