Corporate Physical Security Policy

1. Purpose, scope, and users

The purpose of this document is to define basic rules of behavior regarding physical security in the secure areas of Resolver sites.

This policy defines the minimum physical protection requirements and the information that should be logged and retained for Resolver offices. Particular attention should be paid to those locations hosting sensitive data or engaged in sensitive business processing.

This document applies to all secure areas in the Information Security Management System (ISMS) and the Privacy Information Management System (PIMS) where personal data processing activities occur.

Users of this document are all Resolver employees.

  • Resolver does not operate its own data center at any facility.
  • Resolver does not host customer data at any facility.
  • Resolver does not host business-critical services at any facility.

Since there is no data center, no customer data, and no business-critical services to protect, the scope of this document is access control to the Resolver facility in order to prevent theft of company assets such as:

  • Corporate servers hosting Windows Active Directory Infrastructure.
  • Corporate networking equipment: switches, Wi-Fi access points, Wi-Fi routers.
  • Printers, smart IoT devices like Evoko.
  • Employee laptops and workstations.

2. Goal

A physical security system should safeguard against unauthorized access, detect actual or attempted unauthorized access, and be able to activate a response. Protection involves physical, procedural, and psychological barriers to delay or deter.

Detection refers to devices and methods designed to show and, possibly, verify attempted or actual unauthorized access.

Response refers to reactions such as the involvement of guards or police forces, damage assessments, and measures to prevent the failure of other system elements.

All Resolver employees have responsibilities with respect to physical security requirements, including:

  • Stopping unauthorized people from entering facilities (fire escapes, back doors, piggyback, tailgating).
  • Ensuring the use of locks on offices, server rooms, and other sensitive areas.
  • The willingness to challenge those who are not recognized in the working environment.
  • Awareness of what to do if an incident occurs, e.g., there is a break-in, a fire, or the power supply fails.

3. Reference documents

  • ISO/IEC 27001:2013 standard, control A.11.1.5
  • ISO/IEC 27701:2019 standard clause 6.8
  • EU GDPR Article 32
  • Access Control Policy
  • Inventory of Assets

4. Facilities standards

4.1. Access Control

All Resolver facilities implement access control based on HID Smart fob readers to enter the premises.

Outside of working hours (9:00 AM to 5:00 PM, Monday to Friday), the front entrance to Resolver office buildings is blocked and requires HID Smart fob authorization.

Each fob has a Global Unique Identifier, and Resolver manages the assignment of specific HID fob accounts.

In any building, there should be as few points of exit and entry as possible (allowing for the functions of the building and safety).

Physical access logs/records are saved for at least one hundred and eighty (180) calendar days.

4.2. Data Privacy

Resolver assumes the responsibility of the Data Controller concerning all the personally identifiable information (PII) gathered through the physical security mechanisms for the entire life cycle of data from its capture to its storage in CCTV and Access Control Systems, as mentioned in Section 6 below, through its final destruction when the data is no longer required for the purpose for which it was captured.

Data Privacy Principles, as mentioned in A.9.1 Resolver Access Control Policy (Section 4), shall be applied to the personal data captured through any physical security devices (such as CCTV cameras, door access controls, etc.).

4.3. CCTV

Resolver facilities are equipped with closed-circuit television (CCTV) cameras on all entrances, and the recordings are saved for at least one hundred and eighty (180) calendar days.

  • The IT team must conduct a semi-annual validation of the CCTV clock sync settings. Clocks must be configured to utilize the central NTP server.

4.3.1. Data Minimization

In line with the principle of data minimization, video recording must only be active on days and between times when it is necessary, and audio recording will only be used where it is sufficiently justified, giving due regard to privacy concerns.

For privacy legislation purposes, Resolver will act as the data controller for the use of CCTV.

4.3.2. Retention of CCTV Records

CCTV images shall be retained for six months. Images shall be of sufficient quality for the purpose intended. Once the retention period has expired, images must be securely deleted, if appropriate via an automatic process.

4.3.3. Management of CCTV Monitoring

Roles and responsibilities for operating and managing CCTV facilities must be defined, and appropriate training must be provided to allow them to be carried out effectively and lawfully.

Documented procedures must be created for each aspect of the operation of CCTV, and appropriate training must be provided to all members of staff who will be carrying them out. This training will include information about responsibilities under privacy and data protection law.

CCTV cameras and recording equipment must be tested and planned to ensure that they function correctly and that recorded images are of sufficient quality.

Recorded images must be protected in a way that considers the level of risk and sensitivity of the information contained – where appropriate, encryption techniques may be used to ensure confidentiality in situations such as the theft of the recording equipment. If cloud storage is used, due diligence must be carried out to ensure that the level of protection of the data is adequate.

If recorded CCTV footage must be used as part of a legal case, appropriate precautions must be taken to ensure the images remain admissible in the relevant court.

4.3.4. PII Principal access request

Under privacy legislation, a PII principal may submit an access request to obtain CCTV images on which they appear. Such requests will be subject to the organization’s procedures for this type of request, including all necessary checks to verify the lawful right to access and the requester’s identity. Where approved, recorded images may be viewed live (subject to access controls) or a permanent record of the images may be provided.

Requests to disclose CCTV images must be approved by management in all cases. Unauthorized disclosure of CCTV images (including publishing on the Internet and to the media) may result in disciplinary action being taken.

Where appropriate, actions must be taken to obscure the identity of people and information that is not relevant to the request.

5. Rules for secure areas

5.1. List of secure areas

Existing secure areas that require special rules are the following:

  • Server rooms

The IT department is responsible for overseeing this area.

5.2. Right of access to secure areas

Access to secure areas is approved according to the Access Control Policy.

5.3. Entry controls

Access to secure areas is protected with the following entry controls:

  • A Smart fob reader device

5.4. Access to visitors

Persons who are not employed by Resolver must obtain access according to the Access Control Policy.

  1. Visitors shall be required to sign a visitors’ register upon each entry to the premises and shall be escorted or observed at all times;
  2. Visitor badges must be visibly displayed at all times while on the premises, and all visitor cards must be retrieved by the end of the day;
  3. The precise time of visitors’ entry to the secure areas will be logged in the Virtual Secretary system.
  4. Visitors may enter the secure areas and stay in those areas only in the presence of a designated employee – this employee must accompany the visitor throughout their whole stay in the secure area.

5.5. Prohibited activities

In secure areas, it is not allowed to:

  • Perform any photographic, audio, or video recording.
  • Plug any electrical device into a power supply unless specifically authorized to do so.
  • Touch or in any other way tamper with any equipment installed in secure areas unless specifically authorized to do so.
  • Connect any device to a network unless specifically authorized to do so.
  • Archive large amounts of paper materials.
  • Store flammable materials or equipment.
  • Use any heating device.
  • Smoke, eat or drink.

6. Managing records kept based on this document

| Record name | Storage location | The person responsible for the storage | Controls for record protection | Retention time |
|---|---|---|---|---|
| Axis Door Controller | Resolver NAS, Axis Door Controller | IT department | Only the IT department, company CISO, and Information Security Analyst have access to the system. | 180 days |
| IP Camera or Axis Door Controller with correlated door access logs. | ResolverNAS, Recording | IT department | Same as above. | 180 days |
| Axis Door Controller | ResolverNAS, Axis Door Controller (Log Center) | IT department | Same as above. | 180 days |

8. Reporting security incidents and data privacy breaches

All security incidents, including but not limited to those mentioned above, should be reported to the IT and InfoSec teams by emailing a notification to infosec@resolver.com.

9. Validity and document management

This document is valid as of August 2023.

The owner of this document is the Infosec & Compliance Lead, who must check and, if necessary, update the document at least once a year.

When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:

  • The number of incidents arising from non-compliance with this document.

EFFECTIVE ON: August 2023

REVIEW CYCLE: Annual at least and as needed