The purpose of this document is to define basic rules of behavior regarding physical security in the secure areas of Resolver sites.
This policy defines the minimum physical protection requirements and information that should be logged and retained for Resolver Offices. Particular attention should be provided to those locations hosting sensitive data or engaged in sensitive business processing.
This document applies to all secure areas in the Information Security Management System (ISMS) and the Privacy Information Management System (PIMS) where personal data processing activities occur.
Users of this document are all Resolver employees.
· Resolver does not operate its own data center at any facility. · Resolver does not host customer data at any facility. · Resolver does not host business-critical services at any facility. |
Since there is no data center, no customer data, and no business-critical services to protect, the scope of this document is access control to the Resolver facility in order to prevent theft of company assets like:
A physical security system should safeguard against unauthorized access, detect actual or attempted unauthorized access, and be able to activate a response. Protection involves physical, procedural, and psychological barriers to delay or deter.
Detection refers to devices and methods designed to show and, possibly, verify attempted or actual unauthorized access.
Response refers to reactions such as the involvement of guards or police forces, damage assessments, and measures to prevent the failure of other system elements.
All Resolver employees have responsibilities with respect to physical security requirements, including:
All Resolver facilities implement access control-based HID Smart fob readers to enter the premises.
The front entrance to Resolver office buildings outside of working hours, from 9:00 AM to 5:00 PM from Monday to Friday, is blocked and requires HID Smart fob authorization.
Each fob has a Global Unique Identifier, and Resolver manages the assignment of specific HID fob accounts.
In any building, there should be as few points of exit and entry as possible (allowing for the functions of the building and safety).
Physical access logs/records are saved for at least one hundred and eighty (180) calendar days.
Resolver assumes the responsibility of the Data Controller concerning all the personally identifiable information (PII) gathered through the physical security mechanisms for the entire life cycle of data from its capture to its storage in CCTV and Access Control Systems, as mentioned in Section 6 below, through its final destruction when the data is no longer required for the purpose for which it was captured.
Data Privacy Principles, as mentioned in A.9.1 Resolver Access Control Policy (Section 4), shall be applied to the personal data captured through any physical security devices (such as CCTV cameras, door access controls etc.).
Resolver facilities are equipped with closed-circuit television (CCTV) cameras on all entrances, and the recordings are saved for at least one hundred and eighty (180) calendar days.
In line with the principle of data minimisation, video recording must only be active on days and between times when it is necessary and audio recording will only be used where it is sufficiently justified, giving due regard to privacy concerns.
For privacy legislation purposes, Resolver will act as the data controller for the use of CCTV.
CCTV images shall be retained for six months. Images shall be of sufficient quality for the purpose intended. Once the retention period has expired, images must be securely deleted, if appropriate via an automatic process.
Roles and responsibilities for operating and managing CCTV facilities must be defined, and appropriate training must be provided to allow them to be carried out effectively and lawfully.
Documented procedures must be created for each aspect of the operation of CCTV, and appropriate training must be provided to all members of staff who will be carrying them out. This training will include information about responsibilities under privacy and data protection law.
CCTV cameras and recording equipment must be tested and planned to ensure that they function correctly and that recorded images are of sufficient quality.
Recorded images must be protected in a way that considers the level of risk and sensitivity of the information contained – where appropriate, encryption techniques may be used to ensure confidentiality in situations such as the theft of the recording equipment. If cloud storage is used, due diligence must be carried out to ensure that the level of protection of the data is adequate.
If recorded CCTV footage must be used as part of a legal case, appropriate precautions must be taken to ensure the images remain admissible in the relevant court.
Under privacy legislation, a PII principal may submit an access request to obtain CCTV images on which they appear. Such requests will be subject to the organization’s procedures for this type of request, including all necessary checks to verify the lawful right to access and the requester’s identity. Where approved, recorded images may be viewed live (subject to access controls) or a permanent record of the images may be provided.
Requests to disclose CCTV images must be approved by management in all cases. Unauthorized disclosure of CCTV images (including publishing on the Internet and to the media) may result in disciplinary action being taken.
Where appropriate, actions must be taken to obscure the identity of people and information that is not relevant to the request.
Existing secure areas that require special rules are the following:
The IT department is responsible for overseeing this area.
Access to secure areas is approved according to the Access Control Policy.
Access to secure areas is protected with the following entry controls:
Persons who are not employed by Resolver must obtain access according to the Access Control Policy.
In secured areas, it is not allowed to:
Record name | Storage location | The person responsible for the storage | Controls for record protection | Retention time |
Axis Door Controller | Resolver NAS, Axis Door Controller | IT department | Only the IT department, company CISO, and Information Security Analyst have access to the system. | 180 days |
IP Camera or Axis Door Controller with correlated door access logs. | ResolverNAS, Recording | IT department | Same as above. | 180 days |
Axis Door Controller | ResolverNAS, Axis Door Controller (Log Center) | IT department | Same as above. | 180 days |
All security incidents mentioned above, but not limited to, should be reported to the IT and InfoSec teams by emailing a notification to infosec@resolver.com.
This document is valid as of August 2023.
The owner of this document is an Infosec & Compliance Lead who must check and, if necessary, update the document at least once a year.
When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:
EFFECTIVE ON: August 2023
REVIEW CYCLE: Annual at least and as needed