A.11 Resolver Corporate Physical Security Policy

1. Purpose, scope, and users

The purpose of this document is to define basic rules of behavior regarding physical security in the secure areas of Resolver sites.

This policy defines the minimum physical protection requirements and the information that should be logged and retained for Resolver offices. Particular attention should be paid to locations hosting sensitive data or engaged in sensitive business processing.

This document applies to all secure areas within the scope of the Information Security Management System (ISMS) and to all areas in which personal data processing activities take place.

Users of this document are all Resolver employees.

  • Resolver does not operate its own data center at any facility.
  • Resolver does not host customer data at any facility.
  • Resolver does not host business-critical services at any facility.

Since there is no data center, no customer data, and no business-critical services to protect, the scope of this document is access control to Resolver facilities in order to prevent theft of company assets such as:

  • Corporate servers hosting Windows Active Directory Infrastructure.
  • Corporate networking equipment: switches, Wi-Fi access points, Wi-Fi routers.
  • Printers, smart IoT devices like Evoko.
  • Employee laptops and workstations.

2. Goal

A physical security system should safeguard against unauthorized access, detect actual or attempted unauthorized access, and be able to activate a response. Protection involves physical, procedural, and psychological barriers to delay or deter.

Detection refers to devices and methods designed to show and, possibly, verify attempted or actual unauthorized access.

Response refers to reactions such as the involvement of guards or police forces, damage assessments, and measures to prevent the failure of other elements of the system.

All Resolver employees have responsibilities in respect of physical security requirements, including:

  • Stopping unauthorized people from entering facilities (via fire escapes, back doors, piggybacking, or tailgating).
  • Ensuring the use of locks on offices, server rooms, and other sensitive areas.
  • The willingness to challenge those who are not recognized in the working environment.
  • Awareness of what to do if an incident occurs, e.g. a break-in, a fire, or a power supply failure.

3. Reference documents

  • ISO/IEC 27001:2013 standard, control A.11.1.5
  • EU GDPR Article 32
  • Access Control Policy
  • Inventory of Assets

4. Facilities standards

4.1. Access Control

All Resolver facilities implement access control based on HID Smart fob readers to enter the premises.

Outside of working hours (9:00 AM to 5:00 PM, Monday to Friday), the front entrance to Resolver office buildings is locked and requires HID Smart fob authorization.

Each fob has a globally unique identifier, and Resolver manages the assignment of specific HID fob accounts.

In any building, there should be as few points of exit and entry as possible (allowing for the functions of the building and safety).

Physical access logs/records are saved for at least one hundred and eighty (180) calendar days.

4.2. CCTV

Resolver facilities are equipped with closed-circuit television (CCTV) cameras at all entrances, and the recordings are retained for at least one hundred and eighty (180) calendar days.

5. Rules for secure areas

5.1. List of secure areas

Existing secure areas that require special rules are the following:

  • Server rooms

The IT department is responsible for overseeing this area.

5.2. Right of access to secure areas

Access to secure areas is approved according to the Access Control Policy.

5.3. Entry controls

Access to secure areas is protected with the following entry controls:

  • A Smart fob reader device

5.4. Access to visitors

Persons who are not employed by Resolver must obtain access according to the Access Control Policy.

  1. Visitors shall be required to sign a visitors’ register upon each entry to the premises and shall be escorted or observed at all times.
  2. A visitor badge must be visibly displayed at all times while on the premises, and all visitor cards must be retrieved by the end of the day.
  3. The precise time of visitors’ entry to the secure areas will be logged in the Virtual Secretary system.
  4. Visitors may enter the secure areas and stay in those areas only in the presence of a designated employee – this employee must accompany the visitor throughout their whole stay in the secure area.

5.5. Prohibited activities

In secure areas, it is not allowed to:

  • Perform any kind of photographic, audio, or video recording.
  • Plug any electrical device into a power supply unless specifically authorized to do so.
  • Touch or in any other way tamper with any equipment installed in secure areas unless specifically authorized to do so.
  • Connect any device to a network unless specifically authorized to do so.
  • Archive large quantities of paper materials.
  • Store flammable materials or equipment.
  • Use any kind of heating device.
  • Smoke, eat or drink.

6. Managing records kept based on this document

Record name | Storage location | Person responsible for the storage | Controls for record protection | Retention time
--- | --- | --- | --- | ---
Axis Door Controller | Resolver NAS, Axis Door Controller | IT department | Only the IT department, company CISO, and Information Security Analyst have access to the system. | 180 days
IP Camera or Axis Door Controller with correlated door access logs | Resolver NAS, Recording | IT department | Same as above. | 180 days
Axis Door Controller | Resolver NAS, Axis Door Controller (Log Center) | IT department | Same as above. | 180 days

8. Reporting security incidents

All security incidents, including but not limited to those mentioned above, should be reported to the IT and InfoSec teams by emailing a notification to infosec@resolver.com.

9. Validity and document management

This document is valid as of July 2020.

The owner of this document is the Information Security Analyst, who must check and, if necessary, update the document at least once a year.

When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:

  • The number of incidents arising from non-compliance with this document.

EFFECTIVE ON: September 2020

REVIEW CYCLE: At least annually and as needed

REVIEW, APPROVAL & CHANGE HISTORY: Last time reviewed and approved in August 2020 by Resolver’s Information Technology Security team.