The purpose of this document is to define basic rules of behavior regarding physical security in the secure areas of Resolver sites.
This policy defines the minimum physical protection requirements and the information that should be logged and retained for Resolver Offices. Particular attention should be given to those locations hosting sensitive data or engaged in sensitive business processing.
This document applies to all secure areas in the Information Security Management System (ISMS) and in which personal data processing activities take place.
Users of this document are all Resolver employees.
Since there is no data center, no customer data, and no business-critical services to protect, the scope of this document is access control to Resolver facility in order to prevent theft of company assets like:
A physical security system should safeguard against unauthorized access, detect actual or attempted unauthorized access, and be able to activate a response. Protection involves physical, procedural, and psychological barriers to delay or deter.
Detection refers to devices and methods designed to show and, possibly, verify attempted or actual unauthorized access.
Response refers to reactions such as the involvement of guards or police forces, damage assessments, and measures to prevent the failure of other elements of the system.
All Resolver employees have responsibilities in respect of physical security requirements, including:
All Resolver facilities implement access control based on HID Smart fob readers to enter the premises.
Outside of working hours (9:00 AM to 5:00 PM, Monday to Friday), the front entrance to Resolver office buildings is blocked and requires HID Smart fob authorization.
Each fob has a Global Unique Identifier and Resolver manages the assignment of specific HID fob accounts.
In any building, there should be as few points of exit and entry as possible (allowing for the functions of the building and safety).
Physical access logs/records are saved for at least one hundred and eighty (180) calendar days.
Resolver facilities are equipped with closed-circuit television (CCTV) cameras on all entrances, and the recordings are saved for at least one hundred and eighty (180) calendar days.
Existing secure areas that require special rules are the following:
The IT department is responsible for overseeing this area.
Access to secure areas is approved according to the Access Control Policy.
Access to secure areas is protected with the following entry controls:
Persons who are not employed by Resolver must obtain access according to the Access Control Policy.
In secured areas, it is not allowed to:
| Record name | Storage location | The person responsible for the storage | Controls for record protection | Retention time |
|---|---|---|---|---|
| Axis Door Controller | Resolver NAS, Axis Door Controller | IT department | Only the IT department, company CISO, and Information Security Analyst have access to the system. | 180 days |
| IP Camera or Axis Door Controller with correlated door access logs. | ResolverNAS, Recording | IT department | Same as above. | 180 days |
| Axis Door Controller | ResolverNAS, Axis Door Controller (Log Center) | IT department | Same as above. | 180 days |
All security incidents, including but not limited to those mentioned above, should be reported to the IT and InfoSec teams by emailing a notification to infosec@resolver.com.
This document is valid as of July 2020.
The owner of this document is an Information Security Analyst who must check and, if necessary, update the document at least once a year.
When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:
EFFECTIVE ON: September 2020
REVIEW CYCLE: Annual at least and as needed
REVIEW, APPROVAL & CHANGE HISTORY: Last time reviewed and approved in August 2020 by Resolver’s Information Technology Security team.